Yahoo! kills! more! passwords! with! push! notification! app! Yahoo! has gone partially password-free with the stable release of a second-factor account sign-in tool that uses push messages to identify users. The mechanism first launched in October for Yahoo! Mail allows users to log into other Purple Palace apps including Messenger, Finance, Fantasy, and the Sports app on iOS and …
Actually, using the phone as a replacement for an RSA or similar is quite a nice idea.
Research shows that we all struggle with passwords. Of the various attempts to get rid of them while not reducing security this one seems quite reasonable. Sure: if you lose your phone you might struggle but I think struggling to access Yahoo mail is then probably the least of your worries.
Apparently I just signed in from an unknown device, which is odd because it's the same workstation at the same IP address running the same OS using the same browser that I have signed in from, just like all the other times it was an unknown device and they will keep nagging me until I sign over all my details which will never get lost, leaked, stolen and therefore never get used to spam me, steal stuff and generally annoy.
They are not alone, google won't let me delete a dead broken never used again device from the play app store "device manager" thing because they spotted it once a couple of years ago.
And hotmail keep changing their name so I don't know what my email address is meant to be any more.
But in the this is all my fault for being so stupid and wanting use a browser for reading my webmail. I know, get me, eh. I guess I got what I paid for!
'They are not alone, google won't let me delete a dead broken never used again device from the play app store "device manager" thing because they spotted it once a couple of years ago.'
The same is true of the Playstation Network. Had my account logged into and some purchases made by somebody, purportedly, in China. Got in contact with Sony to get everything sorted out but the fraudster's device is still listed on my account. Can only get rid of it from the device itself.
No f**king way! I don't forget my passwords but if I do then they're printed out neatly on a single sheet of A4 paper, which I very rarely have to look at and then only with the rarely used passwords.
If that fails, they can send reset links to another registered email address or use a security question, which is really another password with a hint.
If you feel that you have to use SMS push, for whatever reason, get a PAYG SIM card in a cheap second hand Android phone and use that for SMS push and no other purpose.
P.S. Google look at your IP address when you login and will make you jump through hoops if you use a VPN or login from a different physical location (same thing I suppose). This happened to me and the VPN went down halfway through my verifying my identity. As a result, they told me that my account had been hacked and I was forced to change my password. This hasn't affected my Android phone, as far as I can tell; it probably uses an authorisation key that was loaded when I first signed it up.
It's an extraordinary situation where moves by companies one has been a customer of for years have to be regarded with the utmost suspicion.
Yahoo are not alone in seeking my mobile phone number and I simply don't trust them or any of the others enough to give it to them.
Computer companies created this situation via a history of greed, lies, cockups and contempt for their users.
""Passwords can be... easy to... forget, or... vulnerable to hacking," Chhabra says.
...
"mobile phone.""
Because we all know that no-one has ever lost or hacked a mobile phone.
"Those who do not have their phones handy can answer security questions to gain access."
And once again, something touted as being secure is easily circumvented simply by knowing someone's mother's maiden name.
I didn't use Yahoo for much and a couple of years ago the assholes started asking me security questions I had never previously answered. I spent a few minutes literally going round in circles on their rubbish support site and gave up. I don't use them at all now.
One of my uses was email addresses I didn't care about - sure as hell will never be giving Yahoo a phone number.
I guess they are actually on a mission to lower the average IQ of their users - probably good for them as it is easier to take money from morons.
I didn't use Yahoo for much and a couple of years ago the assholes started asking me security questions I had never previously answered.
UPS does that. I'm thinking they accessed a credit company like Experian. I had my ID stolen some years ago and some of that info is apparently still on the UPS database... so guess what questions get asked? The ones I can't answer.
Odd thing is, they only do the for the webmail interface. I have a yahoo account for spammy stuff and access it via POP, no problems with changing geographic log-ins, etc, for years now.
Same password as the web interface. Same security problems of a password being stolen or brute-forced. Go figure...
Personally, I use Yahoo! solely as a throwaway email address for sites that insist I give them one (Hi El Reg!) and have zero information in the contacts file, and misinformation everywhere else.
I'll never give them a phone number, and the day I can't log in without one... Oh well, I'll just use one of the other online email sites I have an account with.
In a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
