A half-assed additional factor does not equal two-factor security

When is two-factor authentication not? When it's as bypassable as Yahoo's.

Two-factor authentication is not a silver bullet, but it's a great way to add that extra bit of security to an account. That is, when it works.

An important criterion for two-factor authentication is that the second factor of security is mandatory. If you can circumvent it, then what's the point? It's like putting an additional lock on your front door, but doing nothing about the side door.

But that's exactly what Yahoo is doing with its system, even though it's had plenty of time to get it right since introducing it in December 2011.

Yahoo's optional two-factor system works by requiring users to enter a one-time password sent to their mobile device in addition to their regular password. But even with the option enabled, users aren't required to present the second factor for Yahoo Messenger, and the two-factor check on its email service, Yahoo Mail, can easily be bypassed.

Although logging in to Yahoo Mail via the web interface does prompt the user for the second factor, no such challenge is made when the very same mail account is accessed through other protocols.

For example, even when two-factor authentication is turned on, users are able to log in to Yahoo's IMAP mail server without being challenged for a second factor of authentication.

Logging in via IMAP shows no additional factor challenge after entering our "highly secure" password.

ZDNet reported the email issue to Yahoo's security team on May 20, and alerted its Australian corporate communications representatives on the same day. We received an automated response from its security team, and the local communications team said it would raise the issue with the US. Yahoo's US communications team was brought in to handle the issue on May 27.

We never heard back from the security team, but after telling Yahoo that we believed June 20 to be a reasonable enough period to disclose the issue, a Yahoo US spokesperson told us on June 22 that the company had looked into the issue and did not consider it to be a vulnerability.

"We currently offer two-factor authentication for our Yahoo Mail web experience, but we do not offer it on IMAP. Namely, because it would be a poor user experience if we implemented two-factor authentication on IMAP, and because two-factor authentication isn't compatible with all of our users' browsers and email clients."

While I hope it's not the case, Yahoo's stance on the issue screams to me that it has no idea why two-factor authentication needs to secure all login points. And I know I'm not alone when I start to wonder if its original plans to implement two-factor authentication were only made because it seemed like the popular thing to do at the time, and it gave people a sense of security, even if it was false.

Supporting legacy systems and protocols like IMAP is a difficult problem: a standard IMAP client sends a username and a password and expects to be let in, with no step at which it could prompt for a code. That's evidenced by Google, which also doesn't support true out-of-the-box two-factor authentication for IMAP. But Google still requires an application-specific password for its IMAP logins: a separate secret that can only be issued from the web account after a full two-factor sign-in, so the primary password on its own doesn't open the mailbox over IMAP. It can be done.

And although it could be argued that Google has had all the time in the world to get this right, having rolled out two-factor authentication in February 2011, Microsoft has had its "app passwords" in place since its system went live in April 2013.
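To make the IMAP bypass described above and the app-password alternative concrete, here is an added example written for this page; it is not code from ZDNet, Yahoo, Google or Microsoft, and its account model, SMS step and function names are assumptions for illustration. It models one account with two login endpoints: the web login honours the second factor, the bypassable IMAP login checks only the primary password (the flaw the article describes), and the hardened IMAP login refuses the primary password altogether once two-factor is on and accepts only a per-client app password that can be revoked without touching the real password.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional


def _digest(secret: str) -> bytes:
    # Illustrative only: a real service stores passwords with a slow, salted
    # hash (bcrypt/scrypt/argon2), not a bare SHA-256.
    return sha256(secret.encode()).digest()


@dataclass
class Account:
    """Constructed sample account; an assumed data model, not Yahoo's."""
    password_hash: bytes
    two_factor_enabled: bool
    pending_code: Optional[str] = None                     # SMS code awaiting use
    app_passwords: dict = field(default_factory=dict)      # label -> hashed app password


def new_account(password: str, two_factor: bool) -> Account:
    return Account(_digest(password), two_factor)


def send_sms_code(acct: Account) -> str:
    """Stand-in for the SMS step: generate and remember a six-digit one-time code."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_code   # in reality delivered to the phone, never returned


def web_login(acct: Account, password: str, code: Optional[str]) -> bool:
    """Web interface: password, then the one-time code when 2FA is on."""
    if not hmac.compare_digest(_digest(password), acct.password_hash):
        return False
    if not acct.two_factor_enabled:
        return True
    if code is None or acct.pending_code is None:
        return False
    ok = hmac.compare_digest(code, acct.pending_code)
    acct.pending_code = None          # a one-time code is consumed either way
    return ok


def imap_login_bypassable(acct: Account, password: str) -> bool:
    """The flaw the article describes: this endpoint checks the primary
    password only, so the second factor never enters the picture here."""
    return hmac.compare_digest(_digest(password), acct.password_hash)


def issue_app_password(acct: Account, label: str) -> str:
    """Application-specific password: a random per-client secret, shown once
    and stored hashed. Issuing one is a web-side action, i.e. it sits behind
    the full two-factor login."""
    token = secrets.token_urlsafe(16)
    acct.app_passwords[label] = _digest(token)
    return token


def revoke_app_password(acct: Account, label: str) -> None:
    """Cutting off one client does not require changing the primary password."""
    acct.app_passwords.pop(label, None)


def imap_login_hardened(acct: Account, secret: str) -> bool:
    """With 2FA on, IMAP refuses the primary password outright and accepts
    only an app password, which an attacker holding the password alone lacks."""
    if not acct.two_factor_enabled:
        return hmac.compare_digest(_digest(secret), acct.password_hash)
    candidate = _digest(secret)
    return any(hmac.compare_digest(candidate, h) for h in acct.app_passwords.values())


if __name__ == "__main__":
    acct = new_account("correct horse battery staple", two_factor=True)
    code = send_sms_code(acct)
    print("web, password + code :", web_login(acct, "correct horse battery staple", code))
    print("IMAP (bypassable)    :", imap_login_bypassable(acct, "correct horse battery staple"))
    print("IMAP (hardened)      :", imap_login_hardened(acct, "correct horse battery staple"))
    token = issue_app_password(acct, "desktop-client")
    print("IMAP with app pwd    :", imap_login_hardened(acct, token))
```

The property worth checking is the asymmetric one: with two-factor enabled, the primary password alone gets through `imap_login_bypassable` but not `imap_login_hardened`, while an app password gets through the hardened IMAP endpoint and nothing else. The web flow and the app-password issuance are the only places the second factor is enforced, which is exactly why issuance must sit behind the web login.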

My challenge to Yahoo is to do more than pay lip service to its security. If a company is going to build security features into its products, it should make sure they actually work! While this isn't going to make thousands of email accounts vulnerable overnight, it's misleading to customers who believed that their second factor of authentication was actually doing something to stop attackers.