Yahoo announced a new method of authentication for its services that relies solely on an on-demand generated password that is sent to the user’s mobile phone number. This is not two-factor authentication (which Yahoo already had), but rather single-factor authentication where the single factor is the user’s mobile phone. It seems that if someone obtains temporary access to a user’s unlocked phone they could generate a Yahoo one-time password that allows them to log in.
Security experts from Tripwire and Lancope offered their opinions:
Tim Erlin, Director of Product Management, Security and IT Risk Strategist for Tripwire (www.tripwire.com):
Yahoo just made it easier for attackers to compromise an account. Ease of use is taking center stage for Yahoo, but it opens up some new attack vectors as well. Two-factor authentication is more secure because it requires an attacker to compromise more than a single piece of information to be successful. While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages, and then have full access to your account. On-demand passwords are also mutually exclusive with Yahoo’s two-step verification, so enabling them forces users to effectively downgrade security on their account.
TK Keanini, CTO of Lancope (www.lancope.com):
We need more innovation like this with authentication. Passwords are just pieces of information and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo knows that the most personal device on a person these days is their mobile phone and let’s not stop here, let’s keep innovating even more techniques to raise the cost to our attackers.
While only leveraging a single factor (something you have – your phone), the security of the system will depend on how secure that device remains over time. We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual. It is also important these days to ensure that the mobile account is secure because you don’t want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream.
Tripwire, Inc., a global provider of risk-based security and compliance management solutions, today announced Tripwire® Enterprise™ version 8.3 featuring a new, stand-alone Policy Manager™. Tripwire Policy Manager provides the detailed visibility into system configurations critical to minimizing security risks and ensuring compliance.
Lancope, Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day malware and insider threats. Through pervasive insight across distributed networks, including mobile, identity and application awareness, Lancope accelerates incident response, improves forensic investigations and reduces enterprise risk. Lancope’s security capabilities are continuously enhanced with threat intelligence from the StealthWatch Labs research team. For more information, visit www.lancope.com.