
Yahoo wants to let you forget your Yahoo password - cpeterso
http://www.cnet.com/news/yahoo-wants-to-let-you-forget-your-yahoo-password/
======
addicted44
It is less secure than 2 factor auth (since it is 1 factor) but they picked a
more secure 1 factor than what is popular right now.

Hopefully they are smart enough to format the txt such that the password
doesn't show up in the preview, and if so, in practice, there is almost no
downside to this for the vast majority of people (since if the person who now
has your phone can log into the phone, the odds are they can already access
your email).

~~~
abricot
I'm not sure. Can you say for a fact that my texts aren't being intercepted or
even saved by the phone company?

~~~
seba_dos1
They can be easily intercepted by anyone near your phone with a TI Calypso-based
phone, like the Openmoko Neo Freerunner or old Motorola phones. Of course there
are also dedicated pieces of hardware for that.

------
falcolas
Lots of negativity about this here, but let's take a step back and look at
something:

When you lose your password to an account, how do you reset it? With your
email (in the case of Yahoo, with your backup email). Which, if someone has
your unlocked phone, is likely already compromised as part of the unlocked
phone.

Sending an OTP via SMS doesn't really open up any new avenues of attack, if
they already have your unlocked phone.

Now then, if you're displaying all text messages via lock screen, why have a
lock screen at all? Sure, it protects the rest of your phone from intrusion,
but it's leaking what should be considered private information to anyone who
has it. You're probably also getting email summaries, chat summaries, and
upcoming meetings as well.

~~~
oscarhong
The problem here is that for Android and iPhone, I have the option to lock
down the device using Android Device Manager or Find My iPhone.

However, I can still pull out a SIM card and put it on a different phone.

That's the difference.

~~~
datalink
The SIM card is pin-locked. If not, you have as big or bigger problem at hand.

------
deitcher
I was about to post this, thank you for doing so.

Seriously? What could they be thinking? The entire premise of 2-factor - in
most cases, something you know and something you have - is that if someone
steals/guesses/social hacks my secret, they don't have my keyfob (or phone);
if someone steals my keyfob or phone, they don't have my secret knowledge. The
probability of losing both is much lower than either.

But using _just_ one factor, and one that goes across insecure networks, and
is visible on my phone _even on the lock screen_? And I cannot use it if I
have mobile issues? Really??

~~~
VLM
Perhaps the other factor of 2FA is rather optimistically your yahoo username.

Somebody online would know my yahoo id, but only a microscopic fraction of
online people would have physical access to steal my phone.

Someone who steals my phone would almost certainly have no idea what my yahoo
login name is. I would have to look it up myself just to make sure...

The intersection would be close friends and family members, and if I can't
trust them, then I'm totally screwed aside from mere yahoo groups login
issues.

~~~
deitcher
If Yahoo really thinks that, they have issues with security... oh wait, they
do! :-)

------
subliminalpanda
This would be a disaster for those living in repressive/dictatorial regimes.
Essentially handing them the keys to your e-mail.

~~~
venomsnake
If you live in a repressive/dictatorial regime, why use Yahoo? Or Gmail?

~~~
relet
Most people are ignorant about the capabilities of their regime.

Police and secret service certainly have no qualms and little oversight when
it comes to intercepting a text message to access your accounts, even in
'civilized' countries.

------
lovamova
If they add a first factor (4-digit PIN code) and this as a second factor,
then I think we have a winner. The PIN code will protect you from insecure
networks, losing your phone and theft, and it's easy to remember.

The PIN code is a weak link, but doesn't do much without your phone. Your
phone is a weak link, but you won't get the SMS without the PIN code. Chained
together they're almost stupid-proof and fail-proof.

~~~
diminoten
I think folks overestimate a) how often physical theft actually takes place
and b) the level of sophistication that folks who steal your phone are going
to have.

In order for me to use the "thing I have" to get into your account, I'd need
to know your account. The number of targeted thefts that take place is
_really_ low, compared to the number of folks who run around with "password"
or "letmein" as their "thing they know".

The threat model for Joe User is just not that complex, is all I'm saying. For
Paranoia User, options should certainly exist, but for her brother Joe, it's
not very necessary.

------
vikstrouss
For my use case this is less secure because I keep my computers clean of
malware, and my hard drives encrypted. I don't reuse passwords and I don't log
into my account from devices I don't own. My phone, on the other hand, is easy
to steal. Anyone who has my SIM card can use it to log in. I've also heard
it's trivial to use social engineering to redirect a phone number with some
carriers. Also, I often don't have signal in buildings, so that makes this
option useless.

For other people the SMS option might be better. They let you choose which one
you want to use. I guess we'll hear about the results of this experiment later
on.

------
oscarhong
I can imagine the time when my phone receives an email to my Yahoo mail, with
my email address shown before my phone is unlocked, and the password to
log in to my mailbox is next to it, in the notification.

~~~
claudius
Configure your phone not to show sensitive information on the lock screen?

~~~
gambiting
This is so bad on Android 5 it's not even funny. When you enable that option
it shows the whole list of notifications on the lock screen, each one of them
has "sensitive information hidden" underneath, taking up lots of space. I know
that sensitive information is hidden, I chose that option, no need to tell me
for every single one of my notifications on the lockscreen!!!!

------
joe563323
Hello Yahoo, first of all please stop asking for my phone number to register
email.

------
shillster
I forgot my Yahoo password long ago; I had used my Yahoo account to register a
domain name. At the time, I agreed to allow recurring billing (though I don't
consciously remember doing this). After a few years of seeing the recurring
charge on my bank statement, I called to get a debit card with a new number.
They sent me a new card with the same number (but new expiry). After
discovering a fresh charge in the next yearly cycle, I called my bank to
"contest" the charges. They asked if I had talked to them (the vendor, Yahoo
in this case) or otherwise explicitly cancelled my "subscription", and I told
them I had no way of recovering my account information and wasn't about to
navigate their phone-based customer service. My bank did absolutely nothing to
help me. Moving forward, I've sought to minimize any form of accounts
following this paradigm. Getting rid of passwords is great, long overdue, but
there are bigger problems with these organizations.

------
Couto
Quick question... assuming that this would work on all Yahoo services.

Now imagine that I lose my phone, I guess that I will have to ask to receive a
reset token, or something similar, on my yahoo mail, right?

But then how do I login on the mail service without my phone?

(it's an honest question)

~~~
dummyfellow
The existing password should still work. Also, you can give a Gmail/Outlook ID as
an alternate email to get the password reset mail; it works that way right now.

------
solvitor
Doesn't work with VoIP numbers e.g. Google Voice, so that's a non-starter for
me.

------
hasenj
I noticed Twitter did something similar the other day. I was trying to login
from my phone, and after two failed login attempts, I got an email with a
confirmation code that I could enter into the Twitter app (on my android
phone) to login. The email said I could also use this "code" in place of my
password.

> We noticed that someone recently tried to sign in to your Twitter account
> (...)

> If this was you, confirm your identity by using this temporary code: (....)

> You can also enter this code where you would normally enter your password
> when you sign in.

I couldn't tell whether the email was sent because the second password attempt
was successful or because it wasn't successful.

------
geoffsanders
This is a gift to hackers, government snoops, and the like: access is now
granted to anyone with the trivial ability to intercept SMS messages, spoof
cell towers (Stingrays), or clone SIM cards.

------
z3t4
The best thing would be using a password-protected key like in SSH. It should be
baked into SSL somehow to make it easier to password protect web apps.

It's a bit ironic that Yahoo changed their password policy so that I need to
have at least two numbers and different caps and something like max ten
characters, making it impossible to remember the password.

I always use something like "magicunicornridingsousages", which I find both
easy to remember and long enough to prevent brute force. Too bad Yahoo won't
allow it.

------
arfliw
They need on-demand email addresses too, then. Because I don't remember my
yahoo email address, either. That's how long it's been since I've signed in.

Maybe every other month for one reason or another I'm prompted to sign in to
Yahoo. I sit there for a frustrated three seconds wanting to punch the screen
and then just close the page. I can't remember the email address, I know I won't
be able to remember the password, and there's no way I'm dealing with creating a
new account.

------
sarciszewski
Instead of sending an SMS message to their phone, could Yahoo send a push
notification (with TextSecure support)?

I'd like to see this. I'd love to help make it happen.

------
transitorykris
This isn't even 1 factor auth, this is 0 factor auth... unless you accept the
pain of disabling text message notifications on your phone.

------
nso95
So now less security is better? I'm confused.

~~~
blowski
Many people are currently hugely insecure because they are too technically
illiterate to know any better. Even if this solution is only slightly better
than using "James1" as your password on everything, it's still better and more
likely to be adopted, and as such would be an improvement.

Ideally, we need systems which are significantly more secure while still
being extremely usable, but I'm not seeing any. Note that I'm saying they need
to be more usable for the kind of person that doesn't understand the
difference between Google, email, Facebook and the internet - NOT your average
Hacker News reader.

------
chrismcb
This is awesome, as long as you have phone service and have your phone with
you. While I want my stuff to be secure, neither hackers nor government snooping
is the highest priority. Allowing me to access my stuff is the highest
priority. Passwords are a pain, but this isn't the solution (nor are
biometrics).

------
th3iedkid
From a general perspective, I see this to be a flaw.

But there are some use cases where I see it to be useful. One is with old
people (in their 70s/80s) with little tech exposure beforehand. They just need the
phone with them and they don't care if someone reads/opens their emails from
somewhere else for a time or two.

------
itsbits
It won't be accepted by people. Imagine what will happen if you forget your
phone with someone you know.

~~~
vidyesh
Assuming one has a smartphone, they don't even need the password to login.
They already have access to your mailbox.

If one doesn't have a smartphone, then they need to first find out your email,
then try to login. By the time that is figured out you might have disabled it
by logging in to your account from somewhere else.

~~~
shawabawa3
Some phones show the contents of texts on the lock screen, so people could
potentially access your email without unlocking your phone.

~~~
maccard
My phone shows the contents of my mail on the lock screen already.

------
blowski
If you lose your phone, somebody would be able to log in to your email,
although the problem is less serious in practice. It would require stealing
the phone and then doing some nefarious activity with it before the phone and
email account are blocked.

~~~
lazyseq
I agree with you mostly. Although you are right that most people who steal
phones probably would not do this, thieves and others are becoming more
aware. Thieves have friends too and some are even technical, especially people
who specifically target phones. Also consider how many people forget they
actually have certain accounts. It's not hard to use these accounts as the
keys to more things or to use as social engineering tools.

As for the frequency of lost phones, I think it happens more than people know.
Ask a friend who works at a restaurant, hotel, store, etc. how many times
people accidentally leave or drop phones. With all the things like payments,
passwords, personal information, etc. tied to phones, these are becoming
treasure troves for people who have any idea of what they are doing. On the
plus side, people who don't know what they are doing and spend time online on
a stolen phone might be caught easier if the thieves have an idea.

------
mkagenius
Now how many usernames do I need to know to get access to at least one of them?

4 digits = 10000 usernames, with luck only half of them.

------
ulfw
I have forgotten mine years ago already.

