A half-assed additional factor does not equal two-factor security

Summary: When is two-factor authentication not? When it's as bypassable as Yahoo's.

TOPICS: Security

Two-factor authentication is not a silver bullet, but it's a great way to add that extra bit of security to an account. That is, when it works.

An important criterion for two-factor authentication is that the second factor of security is mandatory. If you can circumvent it, then what's the point? It's like putting an additional lock on your front door, but doing nothing about the side door.

But that's exactly what Yahoo is doing with its system, even though it's had plenty of time to get it right since introducing it in December 2011.

Yahoo's optional two-factor system works by requiring users to enter a one-time password sent to their mobile device in addition to their regular password. But even with the option enabled, users aren't required to present the second factor for Yahoo Messenger, and two-factor authentication for its email service, Yahoo Mail, can easily be bypassed.

Although logging in to Yahoo Mail via the web interface does prompt the user for a second factor of authentication, users aren't challenged if they attempt to log in to the exact same mail account via other means.

For example, even when two-factor authentication is turned on, users are able to log in to Yahoo's IMAP mail server without being challenged for a second factor of authentication.

Logging in via IMAP shows no additional factor challenge after entering our "highly secure" password.

ZDNet reported the email issue to Yahoo's security team on May 20, and alerted its Australian corporate communications representatives on the same day. We received an automated response from its security team, and the local communications team said it would raise the issue with the US. Yahoo's US communications team was brought in to handle the issue on May 27.

We never heard back from the security team, but after telling Yahoo that we believed June 20 to be a reasonable enough period to disclose the issue, a Yahoo US spokesperson told us on June 22 that the company had looked into the issue and did not consider it to be a vulnerability.

"We currently offer two-factor authentication for our Yahoo Mail web experience, but we do not offer it on IMAP. Namely, because it would be a poor user experience if we implemented two-factor authentication on IMAP, and because two-factor authentication isn't compatible with all of our users' browsers and email clients."

While I hope it's not the case, Yahoo's stance on the issue screams to me that it has no idea why two-factor authentication needs to secure all login points. And I know I'm not alone when I start to wonder if its original plans to implement two-factor authentication were only made because it seemed like the popular thing to do at the time, and it gave people a sense of security, even if it was false.

Supporting legacy systems and protocols like IMAP is a difficult problem. That's evidenced by Google, which also doesn't support true out-of-the-box two-factor authentication for IMAP. But Google still challenges users for an application-specific password for its IMAP logins, so it can be done.

And although it could be argued that Google has had all the time in the world to get this right since it rolled out two-factor authentication in February 2011, Microsoft has had its "app passwords" in place since its system went live in April 2013.

My challenge to Yahoo is to do more than pay lip service to its security. If a company is going to build security features into its products, it should make sure they actually work! While this isn't going to make thousands of email accounts vulnerable overnight, it's misleading to customers who believed that their second factor of authentication was actually doing something to stop attackers.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Its Arse, not Ass

    Only Americans say ass!
  • IMAP

    and other protocols were designed before 2 factor authentication, so it isn't a surprise that you can't use 2 factor authentication on a protocol that doesn't support it...

    Is it a security risk? Yes. Is there a way around it? No. You would need to scrap IMAP and come up with a new protocol that accepts 2 factor authentication.

    The other problem is that IMAP polls the server every few minutes; it does not hold a session open. That means that every 5 minutes or half an hour, or whatever period you set in your client, it would prompt you for a new token.

    An application password, like Google, could help. If the main password was cracked, they couldn't get in via IMAP and if the IMAP password is cracked, they can't get in via web or other routes. But it is still no 2 factor authentication.

    You have to trade off security for convenience. If you want to use IMAP to get your mail onto your PC or smartphone through your favourite mail client, you will have to accept a slightly higher security risk.

    Another point about 2 factor that is "silly" at the moment is that it sends an SMS to your 'phone, even if you are trying to authenticate on THAT PHONE! (Or you have to open the Authenticator app and copy the code into the 'phone's browser.) That is an even bigger security risk. If the phone is stolen, they have your 2nd factor and if they have your password (i.e. it is in the browser password cache), then they slip straight into your account.

    I hope you use a complicated password to lock your phone and that you never use the browser cache to store passwords for convenience.

    At the end of the day, 2 factor authentication in its current form is pretty useless. I've been caught out a few times, where I needed to quickly check my email, when out and about and I needed to enter the 2nd factor code, only to give up, because I didn't have my phone with me.

    Worse, one weekend, my smartphone stopped working and the PCs and tablets I tried decided now was a good time to re-authenticate! In the end, I found 1 laptop in the cellar that was still validated, so I could quickly log in to Google and disable 2nd factor authentication.

    When I got the replacement phone, I re-enabled 2 factor, but use the Authenticator app now, and that is running on a spare 'phone and I have the QR-Code in the safe, just in case!
    • wright_is - you know for Google's 2factor, print out temp codes

      I'm not sure if you know this wright_is, but for Google, you can print out a list of 10 sequential 2factor temporary codes and stick them in your wallet for emergencies. Please correct me if there's a reason why this won't work for you.

      This is also useful when you travel and don't want to bring your phone with you but want to use an internet cafe. Once you're down to your last few codes, you print out another set of 10 codes and stick it in your wallet.
  • Get a thesaurus

    Really? "Half-assed" in both a headline and the body?

    What's wrong with: half-hearted, half-baked, or poorly implemented?

    What next? "Yahoo not f*cked about security" ?

    I know slang is all around us, but using the word "assed" (which, as NZO893 points out, should be "arsed" anyway) is really poor.
  • get it together yahoo!

    I've been a paying Yahoo Mail user for years, and have had my 2-factor authorization on for at least a year. Yesterday there was unauthorized access to my account from "Yahoo! Messenger for iPhone", as described in my "Recent Login Activity".

    A lot of good this 2-factor authorization did me and my entire contact list that were spammed!

    Get it together Yahoo or I'll be taking my money somewhere else!