3/16/2015
Yahoo's One-Time Passwords Have Security Experts Divided

Better protection from keyloggers, but you'd better not lose your phone, Yahoo users.

Yahoo yesterday announced that in lieu of a standard username-password combination, Yahoo users in the US could log into their accounts with one-time passwords sent to their mobile phones via SMS message. Yahoo! calls them "on-demand passwords," texted to your mobile phone when you need them.

To be clear, Yahoo is not proposing "on-demand passwords" as a second factor of authentication, but rather as an alternative to the traditional username-password combo. It's really just replacing a "something you know" with a "something you have." Yahoo already offers two-factor authentication, but for now, it cannot be combined with on-demand passwords: users will need to choose between the two options.
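To make the single-factor point concrete, here is an added, constructed model of an on-demand password flow as the article describes it (not Yahoo's code; the six-digit format, five-minute lifetime, three-try limit and all names are assumptions). The server never checks a password, so whatever can read the enrolled phone's inbox holds the entire credential.

```python
import hmac
import secrets
import time

CODE_TTL = 300   # assumed policy: an on-demand password lives five minutes
MAX_TRIES = 3    # assumed policy: three wrong guesses void the pending code


class OnDemandPasswordService:
    """Constructed model of the flow: the texted code is the only credential."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, message): the SMS channel
        self.phones = {}           # user -> enrolled phone number
        self.pending = {}          # user -> [code, issued_at, tries]

    def enrol(self, user, phone):
        self.phones[user] = phone

    def request_code(self, user, now=None):
        """Step 1: user asks for a code; server texts it and keeps one pending
        challenge per user (a fresh request replaces any older code)."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[user] = [code, now, 0]
        self.send_sms(self.phones[user], f"Your on-demand password is {code}")

    def verify(self, user, submitted, now=None):
        """Step 2: the submitted code alone decides the login. No password is
        involved, which is why critics call this a single factor."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, issued_at, tries = entry
        if now - issued_at > CODE_TTL or tries >= MAX_TRIES:
            del self.pending[user]   # expired or exhausted: must request anew
            return False
        entry[2] += 1
        if hmac.compare_digest(code, submitted):
            del self.pending[user]   # single use: a replayed code fails
            return True
        return False


def demo():
    """Constructed inbox: whoever reads it can complete the login."""
    inbox = []   # stand-in for the phone's SMS inbox
    svc = OnDemandPasswordService(lambda phone, msg: inbox.append(msg))
    svc.enrol("alice", "+15555550100")   # constructed sample number
    svc.request_code("alice", now=1000)
    code = inbox[-1].split()[-1]
    return svc.verify("alice", code, now=1010)
```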

Yahoo director of product management Chris Stoner writes that the new technology makes logging in "less anxiety-inducing," by eliminating the stress of remembering passwords. Certainly an admirable goal, but security professionals have mixed responses to the news. 

"We need more innovation like this with authentication," says T.K. Keanini, CTO of Lancope. "Passwords are just pieces of information, and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo knows that the most personal device on a person these days is their mobile phone. And let's not stop here. Let’s keep innovating even more techniques to raise the cost to our attackers."

Yet, others aren't convinced. Instead of enhancing security like multi-factor authentication, some say, Yahoo's solution simply changes the single factor to something else -- something that can be infected, intercepted, broken, lost, stolen, or temporarily left unattended long enough for a nearby ne'er-do-well to do some mischief.   

“Yahoo just made it easier for attackers to compromise an account," says Tim Erlin, director of product management and security and IT risk strategist for Tripwire. "Ease of use is taking center stage for Yahoo, but it opens up some new attack vectors as well. Two-factor authentication is more secure, because it requires an attacker to compromise more than a single piece of information to be successful.

"While Yahoo is lifting the burden of remembering a password," he says, "they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages and then have full access to your account."

Recent research by Alcatel-Lucent's Kindsight Security Labs estimated that 15 million mobile devices, Androids in particular, are infected by malware. One of the top threats was SMSTracker, which allows the attacker to remotely track and monitor all calls, SMS/MMS messages, GPS locations, and browser histories of an Android device.


Keanini concedes that "the security of the system will depend on how secure that device remains over time. We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual," he says. "It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream."

Joe Siegrist, CEO and co-founder of LastPass, takes that thought a step further. He notes that not only might you need to worry about criminal attackers intercepting SMS communications; you need to wonder if the phone companies themselves will abuse their access to your device and what it transmits. "Moving to a model where any phone company can easily gain access to an account," he says, "is not progress, unfortunately." 

Security analyst Graham Cluley would have preferred that Yahoo try another solution entirely. He writes:

Personally, rather than making things "simple" for users who cannot remember their passwords, I would have preferred to have seen Yahoo promoting the usage of password management software like LastPass, 1Password, and KeePass, which would similarly make it unnecessary to remember passwords... and perhaps encourage stronger, unique passwords at the same time.

However, Cluley did add that Yahoo's on-demand password solution could be a good option when logging in from an untrusted device -- for example when one's traveling or using a public console. One could request an on-demand password instead of running the risk of, perhaps, having one's regular password slurped up by a keylogger.  

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
Thomas Claburn, User Rank: Ninja, 3/16/2015 | 5:59:51 PM
you can have...
...security or ease of use.

Choose one.
Curt Franklin, User Rank: Author, 3/16/2015 | 6:30:05 PM
Re: you can have...
Tom, I absolutely agree that you've succinctly stated the way things have always been viewed in the security industry. If we're going to have better security with the much larger user base that computers and mobile devices now enjoy, though, we're going to have to be smart enough to have systems that are secure and easy for authorized users to use properly. If we can't do that, users will continue to choose ease over security and we're all well and truly in deep trouble.
Whoopty, User Rank: Ninja, 3/17/2015 | 7:58:49 AM
Re: you can have...
That's a problem though, as lack of ease of use is going to cause people not to bother, or sacrifice security in the name of that ease. 

Something new does need to be tried with security and authentication, as although two-factor is effective, I feel like that's a slope that leads to three factor and so on. We need a new, disruptive tech to give us the best of both worlds.

What this is though, I have no idea. 
Marilyn Cohodas, User Rank: Strategist, 3/17/2015 | 8:46:02 AM
Re: you can have...
And that disruptive technology would have to combine... security & ease of use. And so it goes!

Technocrati, User Rank: Ninja, 3/17/2015 | 12:46:54 PM
Re: you can have...
And I might add, Yahoo doesn't care. They hold no liability in the end. I suppose that was the first thing they did when they received the venture capital years ago. That and to make sure the Chief Idiots were paid as well.

In the end, "It's a privilege, not a right, to use Yahoo", just ask them. And deep in the fine print is the clause "Use at your own risk".

xmarksthespot, User Rank: Strategist, 3/22/2015 | 3:54:42 AM
One thing is for sure: it's an experiment
I value my own data enough to use two-factor authentication. I would like token + one-time password. No one offers it :(

I am a little bit concerned after watching so many hacking tutorials and reading so many security-related articles. I've seen hackers in conference presentations say 'game over' way too many times.
Technocrati, User Rank: Ninja, 3/17/2015 | 12:41:32 PM
Yahoo and Security 101
Every morning I wake up and hope Yahoo will finally get it, and I am still waiting.

Security 101 Rule #1: Never have one point for hackers to focus on. This is Security 101, Yahoooooo!

Maybe they should focus on all the hacker and scam-infected emails that their servers allow, rather than making it easier for them to attack anything that is Yahoo.

Sadly, I am going to wake up tomorrow with the same hope.  The streak continues.
