Yahoo's On-Demand (In)Security

By Avi Deitcher

Passwords are insecure and annoying. I get that, I have written about it, and I experience it. So lots of companies and organizations are working on replacing passwords with something that is both more secure and more convenient. For example, Twitter's Digits service. Other approaches, like 1Password's password manager, make passwords easier to manage and auto-generate, so they simultaneously can be more secure and more convenient.

Then there are "other" approaches.

Yesterday at SXSW, Yahoo announced that they have eliminated the password with "on-demand" passwords. It works as follows.

  1. Go through the one-time registration
  2. Visit yahoo.com
  3. Ask to login.
  4. Yahoo will text a single-use (probably time-limited, but the announcement didn't say) 4-digit password to your registered mobile phone.
  5. Login with the code, no password (or jacket) required.

Is it more convenient? Most of the time. Is it more secure? Definitely not.

It is pretty well-accepted that the golden standard of authentication is two-factor authentication (TFA or 2FA). The basis of TFA is that it has, well, two factors. In most cases, these are:

  1. Something you know - a password or PIN or some other secret
  2. Something you have - an RSA keychain device with a small LCD screen ("keyfob") or Google Authenticator app or phone

You login to your account, and after you enter the secret (something you know), it asks you for the second factor (something you have).

The reason there are two factors is simple. There is a decent risk that you might lose or expose one of them; the risk of you losing or exposing both at the same time is significantly lower. For example, if your password is "password" (really bad idea, don't do it), then bad actors will be able to guess it. But they won't also have your phone with the app on it, and so they cannot get access to your bank account.

A slightly different but more cumbersome approach is one-time passwords (OTP). They have a long history and normally are quite secure - they have formed the basis of encrypting much of intelligence services' communications, in the form of "one-time pads". One-time pads have one big weakness: securely getting the pads into the hands of the other party and keeping them secret. That sort of exchange of secret information - the classic "key exchange" problem - exists in every form of encryption, and is solved at the statecraft level by physically delivering the one-time pads, once in paper, more recently in a digital format.

Yahoo appears to have taken the idea of OTP, rather than an actual implementation, combined them with the second-factor in use in some TFA systems, and said, "poof, we solved the password problem!"

This system has two very serious weaknesses, serious enough that I would recommend no one adopt the system.

Convenience

The convenience appears to be solved... until you are somewhere that you cannot get a text message. What if you are in an airport in Frankfurt, travelling from Tel Aviv to San Francisco. You don't have a German SIM card, but you do have Internet access in the lounge. Are you now unable to access your email?

Better yet, you are at 36,000 feet from Frankfurt to SFO - Westbound flights fly at even flight levels - and are using their brand-new WiFi service. Do you have Internet? Yes. Can you get to Yahoo login page? Yes. Can you get your password? As they say in New York, "fuhggedaboudit." Aren't you glad you paid for your WiFi?

While this may seem a minor issue, it is important. Any critical system should not rely on less-critical systems for access. Your email needs Internet access for your to get to it. That makes sense. Thus, it is reasonable for the email system in turn to depend upon it. However, you do not need mobile connectivity to get to the email system itself; therefore the email system should not rely exclusively upon it for you to access.

Security

Yahoo's new "on-demand" password system eliminates entirely the "something you have." This has two severe weaknesses:

  1. Before, if someone got access to your phone, it was useless; now they have complete access to your email. How many times have you left your phone on your office desk to charge and gone to the bathroom, or welcome someone at the front door? And if you lose your phone, will the finder (or thief) have access to all of your Yahoo email and groups in the hour until you realize you lost it and disable it? All it takes is 30 seconds for someone to get access.
  2. Governments now can intercept your email with ease. Let's say you are a democracy activist in Russia or China or Saudi Arabia. You normally connect to Yahoo over SSL, and send emails from Yahoo's servers in California to other activists in London, to help plan a rally. Better yet, you use an alias, "freecountry2015@yahoo.com." Beforehand, the best the government could do (unless your local NSA- or GCHQ-equivalent has cracked Yahoo) was to try and piece together who you were based on Yahoo access. Now, they have a much simpler route. They will just intercept the text message at the carrier. Better yet, they can just as easily instigate a logon as "freecountry2015@yahoo.com", and watch and see which real person gets the SMS. Wait to hear the 2am knock on the door by the secret police?

The security in Yahoo's new system is weak in the extreme, and exposes average users and freedom activists in a way the previous one did not.

Summary

Yahoo's new system appears to solve some password inconveniences, but creates significant others. More seriously, it breaks security in such a fundamental way, exposing individuals to wide-open reading and hijacking of accounts, that can, in some cases, be seriously threatening.

Do not use Yahoo's new (in)security plan.