Not long ago, following major Yahoo mail security issues, Yahoo changed the way its users access Yahoo mail. Before the change, which I will cover shortly, accessing Yahoo email consisted of entering a password. Yahoo experienced a major data breach in August 2013 that was widely publicized and attributed to state-sponsored hackers. Yahoo disclosed the breach in December 2016 and initially reported that only 1 billion accounts were compromised. It was later revealed that 3 billion accounts were breached, which affected all users of Yahoo Mail. The 2013 hack exposed user account information including names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, "encrypted or un-encrypted security questions and answers," Yahoo said in 2016.
The Yahoo mail security change included the initial validation of a user's smartphone and subsequent authorization of email access through the registered phone. Ownership of the phone was initially validated by entering the password in the Yahoo mail login one last time. Once the smartphone is registered for authentication, a user who wants to access Yahoo email enters his or her Yahoo email address or ID and quickly receives a message on the registered cell phone asking "Are you trying to sign in?" to validate and approve the access request. The person simply presses Yes or No and gains access to Yahoo mail without entering any other code.
Many people mistakenly refer to this as two-factor authentication because an email or ID is entered and the phone is used to approve access, but unfortunately this is not true. If the person loses the phone and the phone has no lock screen, whoever finds the phone can enter the email address or ID in Yahoo and approve the access on the smartphone. If you consider the email address to be one factor and the smartphone a second factor, read on to better understand the misconception.
I personally love Yahoo's mail access approval process. It's very efficient and takes away the hassle of maintaining a password. And I have a lock screen activated to prevent unauthorized access in case I lose the phone. But how many people have activated a lock screen on their cell phones? Well, according to recent research, 28% of smartphone users have no lock screen on their phones.
Now, you may say, the hacker would still need the email address or ID. Yes, but how difficult is it for the person who finds or steals the smartphone to get the owner's name, email, phone number and a whole lot of other data when the smartphone is not locked? This fact alone eliminates the two-factor authentication concept, since the phone provides both the email address and the option to approve the access request made with that email address.
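The argument above can be made concrete by modelling the push-approval flow and counting the distinct factor categories a person holding the phone must supply. The following is an added example written for this post; it is not Yahoo's code, and the `Phone`, `MailService`, `factors_required` and `finder_can_sign_in` names, as well as the sample addresses and PIN, are constructed for illustration. It shows that with no lock screen the flow collapses to possession alone, because the phone both reveals the address and approves the prompt, while a lock-screen PIN reintroduces a knowledge factor in front of both steps.

```python
"""Model of the push-approval sign-in flow (constructed illustration, not Yahoo's code)."""
from dataclasses import dataclass
from typing import Optional

KNOWLEDGE = "knowledge"    # something you know (password, lock-screen PIN)
POSSESSION = "possession"  # something you have (the registered phone)


@dataclass
class Phone:
    """Registered phone. If it is unlocked, everything stored on it is readable."""
    owner_email: str
    lock_pin: Optional[str] = None   # None models the users with no lock screen

    def _unlocked_for(self, holder_pin: Optional[str]) -> bool:
        # No lock screen, or the holder knows the PIN: the phone is open to them.
        return self.lock_pin is None or holder_pin == self.lock_pin

    def readable_email(self, holder_pin: Optional[str]) -> Optional[str]:
        """Email address a person holding the phone can read from it (mail app, contacts)."""
        return self.owner_email if self._unlocked_for(holder_pin) else None

    def can_approve(self, holder_pin: Optional[str]) -> bool:
        """Whether the holder can tap 'Yes' on the 'Are you trying to sign in?' prompt."""
        return self._unlocked_for(holder_pin)


class MailService:
    """Server side of the flow: look up the phone registered to the entered
    address and ask whoever holds that phone to approve the sign-in."""

    def __init__(self) -> None:
        self.registered: dict = {}   # email -> Phone

    def register(self, phone: Phone) -> None:
        # Registration is where the password was entered one last time.
        self.registered[phone.owner_email] = phone

    def sign_in(self, email: str, holder_pin: Optional[str] = None) -> bool:
        phone = self.registered.get(email)
        if phone is None:
            return False
        # Nothing else is asked of the user: approval on the phone is the whole check.
        return phone.can_approve(holder_pin)


def factors_required(phone: Phone) -> set:
    """Distinct factor categories a person holding this phone must supply
    to complete the sign-in flow end to end."""
    needed = {POSSESSION}             # holding the phone is always required
    if phone.lock_pin is not None:
        needed.add(KNOWLEDGE)         # the PIN gates both reading the address and approving
    return needed


def finder_can_sign_in(service: MailService, phone: Phone,
                       guessed_pin: Optional[str] = None) -> bool:
    """Simulate someone who found or stole the phone and knows nothing else about the owner."""
    email = phone.readable_email(guessed_pin)      # step 1: read the address off the phone
    if email is None:
        return False
    return service.sign_in(email, guessed_pin)     # step 2: approve the prompt on the same phone


if __name__ == "__main__":
    svc = MailService()
    no_lock = Phone("alice@example.com")                   # constructed sample, no lock screen
    with_lock = Phone("bob@example.com", lock_pin="1234")  # constructed sample, PIN lock
    svc.register(no_lock)
    svc.register(with_lock)
    print("finder signs in (no lock screen):", finder_can_sign_in(svc, no_lock))
    print("finder signs in (locked phone):  ", finder_can_sign_in(svc, with_lock))
    print("factors, no lock screen:", factors_required(no_lock))
    print("factors, locked phone:  ", factors_required(with_lock))
```

Note that even in the locked case the knowledge factor is the phone's own PIN, which Yahoo never sees; the service itself still verifies only possession, so the strength of the sign-in depends entirely on a setting the user may or may not have turned on.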
To improve Yahoo mail security, the company must assume a few things. First, remember that 28% of its users do not have an active lock screen. Second, it is often highly privileged employee accounts that lead to mass data breach cases. How is employee access to the Yahoo mail server and data managed? Without comprehensive identity and access management that controls employee access, user accounts may become targets yet again.