​Yahoo’s “password-free” feature in Mail app can mean lockout

Yahoo has revamped its Yahoo Mail app with a new take on sign-in that aims for a frictionless login process with an in-app delivered one-time password— but it’s pretty easy to get locked out.

Yahoo on Thursday took the wraps of its faster and sexier Mail app for iOS and Android. It won’t accept Gmail accounts, but Outlook, AOL Mail and Yahoo users can sign-in and there’s a new desktop experience rolling out to the US ahead of the rest of the world.

The most interesting new feature, security wise, is Yahoo’s Account Key, its effort to deliver a “password-free future”.

As Yahoo points out, passwords are usually simple to hack and easy to forget. Numerous data breaches have shown that people pick easily cracked passwords and often reuse them across multiple accounts. Some people save sensitive information in email accounts, such as passwords to other accounts.

Yahoo promises Account Key will protect users even when they’re passwords are compromised.

“Once you activate Account Key – even if someone gets access to your account info – they can’t sign in,” Dylan Casey, Yahoo VP of product management said.

New Yahoo Mail app users will still need a password to set up an account and should probably take note of them. The catch with activating Account Key is that it can lead to users being locked out.

For example, Medium, the long-form version of Twitter, created by Twitter co-founder Ev Stone, in June introduced a way to sign-in with an email address and no password. It sends a link to a user’s registered email address that, once clicked, will sign the user in. The link expires after a brief period and can only be used once.

One of Google’s authentication systems is its two-step verification code generator, Google Authenticator, which generates a one-time passcode (OTP) in the app that can be used as a second step in supported apps, such as its Gmail app.

Yahoo’s Account Key straddles both systems. It generates a key — a four digit code that is delivered in the Mail app, as opposed to a separate app like Google Authenticator — that expires after three minutes. The recipient can use this code to sign into their Yahoo Mail on another device, such as a laptop.

The new feature also relies on Yahoo’s recently launched SMS-delivered “on-demand” passwords.

CSO Australia tested the feature when signed out of a Yahoo Mail account on the desktop and found that it appears to live up to the claim.

Setting up Account Key on a mobile device is simple enough and is handled in a demonstration that involves confirming a mobile phone number (for an SMS-delivered one-time passcode that acts as backup authentication) and shows how to view and use the primary Account Key during sign-in.

If Account Key has been activated and the user is attempting to access their account on a desktop, the password field will vanish upon entering the user’s email address.

It is possible to enter the password first and the username second, however if an attacker knows both credentials, the access attempt is blocked and a notification is sent to the mobile app. The user is asked whether they have attempted to login or not. If not, the attempt on the desktop is aborted. If the user answers ‘yes’, log-in is approved for the desktop browser -- the assumption being that the account holder has control of the mobile device.

However, the user may run into troubles if they are not logged into the Mail app. An account holder who has logged out of the app will not receive an alert on their mobile device if a hacker tries to access an account on the desktop browser with legit credentials despite Yahoo having acquired the user's mobile phone number, which could be used to deliver an alert via SMS.

In this case, the user will be presented on the desktop with an option to use their phone or email to log-in after confirming their phone number by entering the third and fourth last numbers of that phone number. It appeared that a code should be sent via SMS but it wasn’t in our test.

Instead, we were told that for security reasons, we would need to contact Yahoo Customer Care to help reset the password.

Additionally, after attempting to log-in via the mobile app, we were be told that the “account is temporarily locked for security reasons” and that a further attempt can be made to recover the account after 12 hours.

It would seem after this experience that the password will not be that easy to kill.