Is Yahoo Account key secure?

Asked by AndreaBailey in Cyber Security, asked on Feb 7, 2022

A friend received this notification from Yahoo -

You'll no longer need to remember complicated passwords when you use Yahoo Account Key to access your account. To sign in, tap "Yes" on the notification we send to your mobile phone. With Account Key enabled, there's no password on your account, so no one other than you can sign in.


This seems similar to the Google TFA option, Google Prompt, which is certainly better than just single-factor authentication. But the difference here is that while Google requires the password AND the prompt, Yahoo does not require the password: so this is single-factor authentication, just a different factor.


How secure is this, compared to a good, complex, long, never reused password? Are there any known methods to subvert mobile phone notifications that could affect something like this?

Answered by Andrea Bailey

As you point out, this is not TFA. It is simply providing you 2 different ways to access your account. You can choose which way you feel is more secure for your situation: a password, or a physical device (such as your phone).

Password advantages: No one should ever be able to gain access to your account via the provided login mechanisms without knowing your password. If your password is sufficiently long and complex such that it can only be guessed via brute force, then even if Yahoo were hacked and password hashes were stolen, it is extremely unlikely that your password would be hacked before you are notified that you need to change it.

Password disadvantages: Your password could be compromised without you knowing it. For example, this could happen if you enter your password on a compromised computer (keylogger) or when using a compromised network (MITM attack) and you happen to click through the browser warning about an invalid certificate. Another (usability, not security) disadvantage is that if your password is long and complex, it is annoying to enter it manually on a computer where your password manager is not installed.

Device advantages: Someone would need to have physical access to your device in order to log in. (Or they must be able to do what you would have to do if you lost your device: reset your password by having access to your email and possibly being able to answer security questions about you.) If you have your device on you, then you can be pretty certain no one is currently using your Yahoo account.

Device disadvantages: If someone gains access to your device, they can easily access your account. Furthermore, if you lose or misplace your device, you will not be able to use your account until you have your device again, or you will have to recover your account with a reset.

As for which is better in your situation, some things to consider:
  1. Do you frequently use public or shared computers? Then I would lean towards the Account Key.
  2. Is your device frequently left unlocked or using a weak protection algorithm (easy pattern, easy 4 digit passcode)? Then perhaps lean towards a strong password.
  3. Do other people have access to your phone that you don't want to have access to your account? Then definitely use a password.
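The two login paths the answer contrasts, as a toy model added here for illustration. This is not Yahoo's code and nothing on this page describes how Account Key is actually built; it assumes a PBKDF2-hashed password for the password path, and for the device path an HMAC over a one-time server challenge standing in for the "tap Yes" approval, with the device secret as the only thing the phone holds. The crack-time estimate assumes an attacker who already knows which character classes the password uses and takes the guess rate as a parameter. All class, function and parameter names, the iteration count and the sample passwords are invented for the example.

```python
# Added example, not Yahoo's implementation: a toy account server that accepts
# EITHER a password (checked against a slow PBKDF2 hash) OR a device approval
# (an HMAC over a one-time challenge, computed with a secret that lives only on
# the phone). Each path needs exactly one secret: one factor, a different factor.
import hashlib
import hmac
import math
import os
import secrets
import string

PBKDF2_ITERATIONS = 600_000  # assumption: slow hash, so stolen hashes must be brute-forced


class AccountServer:
    def __init__(self):
        self._pw_salt = None
        self._pw_hash = None
        self._device_key = None
        self._pending = {}  # challenge_id -> challenge bytes; removed on first use

    # --- password path ---
    def set_password(self, password: str) -> None:
        self._pw_salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._pw_salt, PBKDF2_ITERATIONS)

    def login_with_password(self, password: str) -> bool:
        if self._pw_hash is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._pw_salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, self._pw_hash)

    # --- device ("Account Key"-style) path ---
    def enroll_device(self) -> bytes:
        """Generate the device secret; returned once so the phone can store it."""
        self._device_key = secrets.token_bytes(32)
        return self._device_key

    def start_device_login(self) -> tuple:
        """Issue a one-time challenge (the notification sent to the phone)."""
        cid = secrets.token_hex(8)
        challenge = os.urandom(32)
        self._pending[cid] = challenge
        return cid, challenge

    def finish_device_login(self, cid: str, approval: bytes) -> bool:
        # The challenge is consumed whether or not the approval is valid, so a
        # captured approval cannot be replayed later (assumption of this model).
        challenge = self._pending.pop(cid, None)
        if challenge is None or self._device_key is None:
            return False
        expected = hmac.new(self._device_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(approval, expected)


def phone_tap_yes(device_key: bytes, challenge: bytes) -> bytes:
    """What the phone sends when its owner taps 'Yes' on the notification."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def password_guess_bits(password: str) -> float:
    """Keyspace in bits, assuming the attacker knows the character classes used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_years(password: str, guesses_per_second: float) -> float:
    """Expected exhaustive-search time (half the keyspace on average), in years."""
    guesses = 2 ** password_guess_bits(password) / 2
    return guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    srv = AccountServer()
    srv.set_password("Tr0ub4dor&3")          # constructed sample password
    key = srv.enroll_device()                # secret now held only by the "phone"
    cid, ch = srv.start_device_login()
    print("password login:", srv.login_with_password("Tr0ub4dor&3"))
    print("device login:  ", srv.finish_device_login(cid, phone_tap_yes(key, ch)))
    for pw in ("password1", "Tr0ub4dor&3"):
        print(f"{pw!r}: {password_guess_bits(pw):.1f} bits, "
              f"~{expected_crack_years(pw, 1e10):.2e} years at 1e10 guesses/s")
```

The server never sees the device secret after enrollment, which is why possession of the phone is the whole factor on that path, and why a stolen password hash is useless against it. The same model shows the other side of the answer's point: anyone who can make the phone compute the approval (unlocked device, shared access) gets in without any password.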


