Does Yahoo’s New Authentication System Hold Up?

Last week, Yahoo announced a new method of authentication for its services that relies solely on a password generated on demand and sent to the user’s mobile phone number. This is not two-factor authentication (which Yahoo already had), but rather single-factor authentication where the single factor is the user’s mobile phone. It seems that if someone obtains temporary access to a user’s unlocked phone, they could generate a Yahoo one-time password that allows them to log in. The temporary password is only four characters long, though since it’s temporary and Yahoo likely has anti-brute-force protections, that might not be a problem.
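Why a short code can still be hard to guess when it expires and guesses are capped, shown as an added example that is not Yahoo's implementation. The lowercase alphabet, five-minute lifetime, five-guess cap and every name below are assumptions, since the announcement gives only the four-character length.

```python
import hmac
import secrets
import time

# Assumptions for illustration: the page states only the code length.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
CODE_LEN = 4
TTL_SECONDS = 300
MAX_ATTEMPTS = 5

class OnDemandCodes:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # account -> [code, expires_at, attempts_left]

    def issue(self, account):
        """Create a fresh code; issuing again replaces any older one."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._pending[account] = [code, self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return code  # a real service would send this by SMS, not return it

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[account]  # expired codes are discarded
            return False
        entry[2] -= 1  # every guess, right or wrong, consumes an attempt
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._pending[account]  # single use
            return True
        if entry[2] == 0:
            del self._pending[account]  # cap reached: the code is burned
        return False

def guess_success_bound(attempts=MAX_ATTEMPTS):
    """Upper bound on guessing one issued code within the attempt cap."""
    return attempts / len(ALPHABET) ** CODE_LEN
```

The per-code cap only bounds guessing if requests for new codes are rate-limited as well; otherwise each reissue resets the attempt budget.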

Brendan Rizzo, Voltage Security:

Deploying an email encryption solution at a large scale will likely fail unless two challenges are overcome: ease of use to send and receive messages, and ease of use in managing the encryption keys used to protect the messages.  However, the available details suggest that the key management challenge is not being adequately addressed in this initiative.  If keys are stored on an end user’s device, it is unlikely that they will be able to be shared with a user’s other devices.  This would mean, for example, that an email encrypted with a key stored on a user’s laptop would not be able to be read from the same user’s mobile phone.  It would also mean that if the user loses the laptop storing the key,  all previously encrypted emails may then be irretrievably lost.

These challenges stem from the plugin being based on the antiquated “Pretty Good Privacy” (PGP) technology (RFC 4880). If an organization needs to scale to the size of a large webmail provider such as Yahoo, and encrypt email end-to-end without introducing the complexities and frustration that would ultimately stunt widespread user adoption, then newer public key methods like Identity-Based Encryption (IBE – IEEE 1363.3 standard) are required. IBE lays the foundation for ease of use and security without the pain of the older end-user certificate management approaches that have proven to be too complicated for end users. There are well in excess of 68 million users using IBE-based solutions every day today, including thousands of enterprises that rely on it.

So, when thinking about easy-to-use encryption – think more modern IBE-based systems. IBE solves the critical key management and complexity problems that plague traditional end-to-end solutions and is already proven in large-scale implementations.

Tim Erlin, Director of Security and Risk at Tripwire:

[ENCRYPTION]

The focus on ease of use for email encryption is a welcome change. Ease of use has long been a barrier for the adoption of email encryption.

The fact that Yahoo and others have to prefix ‘encryption’ with the phrase ‘end-to-end’ should remind consumers of the events that drove this change. Yahoo doesn’t mention the NSA specifically, but the revelation that the intelligence agency had been mass collecting data is what drove Google, and not Yahoo, to add this capability.

It’s a change to see security being advertised as a feature, here with Yahoo and elsewhere.

[ON DEMAND PASSWORDS]

Yahoo just made it easier for attackers to compromise an account. Ease of use is taking center stage for Yahoo, but it opens up some new attack vectors as well. Two-factor authentication is more secure because it requires an attacker to compromise more than a single piece of information to be successful. While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages, and then have full access to your account. On-demand passwords are also mutually exclusive with Yahoo’s two-step verification, so enabling them forces users to effectively downgrade security on their account.

Kevin Epstein, VP of Advanced Security and Governance at Proofpoint:

Endpoint encryption can add a layer of security and control to communications.  At the same time, in isolation, it is not a comprehensive security solution — it will not prevent users from receiving phish, downloading Trojans, or being compromised by malicious URLs embedded in email. In fact, non-corporate end-to-end encryption may assist attackers in circumventing the protection offered by corporate secure email gateway filters. Enterprise security in such circumstances clearly demands additional layers of security around targeted attack protection and automated threat response.

The market tends to establish the validity of new features in any high-tech product.  If consumers feel a feature is valuable, clearly other providers will be compelled to provide it to remain competitive. Such encryption would assist in preventing email in-flight from being ‘tapped’, but by the same token may assist attackers in evading corporate attack-prevention screens and filters.

Two-factor authentication has gained credibility in the industry. In contrast, the model proposed seems at first inspection to be single-factor authentication — and tied to a device rather than the user’s memory. If so, it’s unclear what would prevent anyone with possession of the user’s email address and device from gaining immediate access to the user’s email account.

Mark James, Security Specialist at ESET:

End to End encryption will provide a level of security for users’ emails which is more robust than what they have now. However, the problem we have is adopting a method that is useable without it becoming too complex. Once it is perceived as too complex, people won’t use it and the technology becomes useless. Encryption will help the average user send important sensitive documents much more securely than plain text with no encryption.

The changes will give the end user the opportunity to encrypt their emails when sending sensitive information. While not everyone will need or use it, there are times when we need that little extra layer of security.

I am not a firm believer in getting rid of passwords as I think they have a place alongside other forms of security to establish a layered approach. Security is always touted as being complex and using very long and difficult to remember passwords. This process will help some who struggle with long complex passwords and enable them to have a much better level of security rather than using an insecure Pa$$w0rd as their password.

TK Keanini, CTO at Lancope:

We need more innovation like this with authentication.  Passwords are just pieces of information and in all these strategies, we want to make it useful for the shortest amount of time, but not be an administrative burden.  Yahoo knows that the most personal device on a person these days is their mobile phone and let’s not stop here, let’s keep innovating even more techniques to raise the cost to our attackers.

While only leveraging a single factor (something you have – your phone), the security of the system will depend on how secure that device remains over time.  We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual.  It is also important these days to ensure that the mobile account is secure because you don’t want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream.

Jared DeMott, Principal Security Researcher at Bromium:

Passwords have been the weak link in many security incidents.  Recall the celebrity pictures stolen a while back due to password resets.  Even so, users have not rushed to the more secure two-factor authentication, because it is an extra step that they must do (or even know about, and know how to enable).  Also, some users have expressed concern about providing a personal mobile number to ad companies like Yahoo!, Google, Facebook, etc.

Either way, it seems most users will do only what is required by default.  So if companies are serious about better login security, the default choice will need to be modified.  In light of that, it is good to see Yahoo! trying to address the password problem.  Potential drawbacks are of course: users without a txt/data mobile plan, lost phones, etc – could now cause new grief.  But in engineering, it’s about balancing the gains against the losses.  Time will tell if this is a better choice.

Certainly when Yahoo! first started offering email, many users would not have had a mobile to do two-factor authentication.  Now, many will.  Times change.  So must appropriate login measures.  But balancing privacy, ease-of-use and recovery, against security is always the trick.