Is Yahoo Account Key secure? If yes then how much?

Asked by Aalapprabhakaran in SQL Server, on Dec 2, 2021

Along with a billion other people, I was also notified that my Yahoo! Account was potentially compromised yesterday. Although I'm not worried about that (I have changed my password since then, have a very long and complex password, and don't reuse it), they did take the time to point out the Yahoo Account Key feature. Yahoo Account Key is a feature that, when you log in, sends a notification to the Yahoo! app on your mobile phone, and you must approve that before the login can continue further.


You'll no longer need to remember those complicated passwords when you use Yahoo Account Key to access your account. To sign in, tap "Yes" on the notification we send to your mobile phone. With Account Key enabled, there's no password on your account, so no one other than you can sign in.


This is similar to Google’s two-factor Authentication option, Google Prompt, which is certainly better than just single-factor authentication. But the difference here is that while Google requires the password AND the prompt, Yahoo does not require the password: so this is single-factor authentication, just a different factor.


So is Yahoo Account Key secure enough? How secure is this, compared to a good, complex, long, never reused password? Are there any known methods to subvert mobile phone notifications that could affect something like this?


Answered by Abdul Rehman

As you point out, this is not TFA. It is simply providing you with 2 different ways to access your account. You can choose whichever way you feel is more secure for your situation: a password, or a physical device (such as your phone).

There are certain advantages to having a password for authentication: No one should ever be able to gain access to your account via the provided login mechanisms without knowing your password. If your password is sufficiently long and complex such that it can only be guessed via brute force, then even if Yahoo were hacked and password hashes were stolen, there are almost no chances that your password would be hacked prior to you being notified that you need to change it.

However, there are certain disadvantages to accessing your account with a password: Your password could be compromised without you knowing it. For example, this could happen if you enter your password on a compromised computer (keylogger) or when using a compromised network (MITM attack) and you happen to click through the browser warning about an invalid certificate. Another disadvantage (usability, not security) is that if your password is long and complex, it is annoying to manually enter it on a computer where your password manager is not installed.

Now let’s talk about the advantages of logging in with the device: Someone would need to have physical access to your device in order to log in. (Or they must be able to do what you would have to do if you lost your device: reset your password by having access to your email and possibly being able to answer security questions about you). If you have your device on you, then you can be pretty certain no one is currently using your Yahoo account.

Device disadvantages: If someone gains access to your device, they can easily access your account. Furthermore, if you lose or misplace your device, you will not be able to use your account until you have your device again, or you will have to recover your account with a reset. As for whether Yahoo Account Key is safe, with either password or device login, there are some things to consider:

  • Do you frequently use public or shared computers? Then I would suggest the Account Key.
  • Is your device frequently left unlocked or using a weak protection algorithm (easy pattern, easy 4 digit passcode)? Then perhaps go for a strong password.
  • Do other people have access to your phone that you don't want to have access to your account? Then definitely use a password.
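A toy model of the three login policies compared in the question and answer above: password only, Yahoo Account Key (device possession only, no password on the account), and password plus prompt (Google-style). This is an added example, not Yahoo's, Google's or the poster's code; the challenge-and-expiry mechanics, the CHALLENGE_TTL value, the device identifiers and the sample passwords are all constructed assumptions. It shows why Account Key leaves nothing for a database thief to crack, why a stolen phone is sufficient on its own under Account Key, and why the password-plus-prompt policy needs both.

```python
"""Toy model of three login policies: password, account_key, password_plus_prompt.

Assumptions (not any provider's real implementation): a login attempt creates a
random one-time challenge, the challenge expires after CHALLENGE_TTL seconds, and
the phone approves it by echoing the challenge together with its device id.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

CHALLENGE_TTL = 120  # seconds a pending prompt stays approvable (constructed value)
PASSWORD, ACCOUNT_KEY, PASSWORD_PLUS_PROMPT = "password", "account_key", "password_plus_prompt"


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen hash table is expensive to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthServer:
    def __init__(self, mode: str, password: Optional[str] = None, device_id: Optional[str] = None):
        if mode not in (PASSWORD, ACCOUNT_KEY, PASSWORD_PLUS_PROMPT):
            raise ValueError(mode)
        self.mode = mode
        self.salt = secrets.token_bytes(16)
        # Under Account Key the account has no password at all, so there is no hash to steal.
        self.password_hash = hash_password(password, self.salt) if mode != ACCOUNT_KEY else None
        self.device_id = device_id
        self.pending = {}  # challenge -> expiry timestamp

    def _password_ok(self, password: Optional[str]) -> bool:
        if password is None or self.password_hash is None:
            return False
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))

    def begin_login(self, password: Optional[str] = None, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Returns ("ok", None), ("pending", challenge) or ("denied", None)."""
        now = time.time() if now is None else now
        if self.mode == PASSWORD:
            return ("ok" if self._password_ok(password) else "denied", None)
        if self.mode == PASSWORD_PLUS_PROMPT and not self._password_ok(password):
            return ("denied", None)  # the password is checked before any prompt is sent
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = now + CHALLENGE_TTL
        return ("pending", challenge)  # the "notification" delivered to the phone

    def approve(self, challenge: str, device_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        expiry = self.pending.pop(challenge, None)  # one-time use: any attempt consumes it
        if expiry is None or now > expiry:
            return "denied"
        if not hmac.compare_digest(device_id, self.device_id):
            return "denied"
        return "ok"


def account_key_is_possession_only() -> dict:
    """Account Key: no password exists, so whoever holds the enrolled phone logs in."""
    srv = AuthServer(ACCOUNT_KEY, device_id="owner-phone")
    state, chal = srv.begin_login(now=0.0)
    return {
        "stolen_hash_exists": srv.password_hash is not None,
        "prompt_sent_without_password": state == "pending",
        "holder_of_phone_logs_in": srv.approve(chal, "owner-phone", now=5.0) == "ok",
    }


def password_plus_prompt_needs_both() -> dict:
    """Google-style: a wrong password never reaches the prompt; a wrong phone cannot approve it."""
    srv = AuthServer(PASSWORD_PLUS_PROMPT, password="correct horse battery staple", device_id="owner-phone")
    wrong_pw, _ = srv.begin_login("hunter2", now=0.0)
    state, chal = srv.begin_login("correct horse battery staple", now=0.0)
    other_phone = srv.approve(chal, "attacker-phone", now=1.0)
    _, chal2 = srv.begin_login("correct horse battery staple", now=2.0)
    owner = srv.approve(chal2, "owner-phone", now=3.0)
    return {"wrong_password": wrong_pw, "prompt": state, "other_phone": other_phone, "owner": owner}


def stale_or_replayed_prompt_is_rejected() -> dict:
    """A prompt approved after CHALLENGE_TTL, or approved twice, is refused."""
    srv = AuthServer(ACCOUNT_KEY, device_id="owner-phone")
    _, chal = srv.begin_login(now=0.0)
    late = srv.approve(chal, "owner-phone", now=CHALLENGE_TTL + 1)
    _, chal2 = srv.begin_login(now=200.0)
    first = srv.approve(chal2, "owner-phone", now=201.0)
    replay = srv.approve(chal2, "owner-phone", now=202.0)
    return {"late": late, "first": first, "replay": replay}


if __name__ == "__main__":
    print("account key:", account_key_is_possession_only())
    print("password + prompt:", password_plus_prompt_needs_both())
    print("stale / replay:", stale_or_replayed_prompt_is_rejected())
```

The model makes the trade-off in the answer concrete: under account_key the server never stores a password hash, which removes the breach-and-crack risk, but approve() accepts anyone who holds the enrolled device, which is the single factor the question worries about. The expiry and one-time consumption of the challenge are the minimum a push-approval scheme needs so that an old or already-used notification cannot be approved later.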