Yahoo! adds 2-step verification for account security

Yahoo! have now joined Google in adding 2-step verification for account security, although it is only ‘beta’ right now. This means that, after you log in to your account with your password, you will have to verify the code sent to your mobile device or answer a security question. It’s about time too. I personally believe the 2-step verification should be set as default for any cloud-based account.

Yahoo! users will have to enable the second sign-in verification feature from their Yahoo! account information page. You will be asked to enter a mobile phone number for authentication. The number will be verified by SMS before the new account verification option is enabled for your account.

Note: This 2-step verification is only available in the US, Canada, India and the Philippines. It is expected to launch in March 2012 for all Yahoo! users.

Yahoo! users can enable this new security feature on the following page:

  • OPTION: You can also sign in on the Yahoo! homepage if you wish
  • Hover over your name and select ‘Account Information’ from ‘options’ to open your profile preferences and select the new security option

Worth noting, if you do indeed turn on the new account verification service, you will have the option to use your security question and mobile phone (or only your mobile phone) to authenticate your account ownership.

Safe surfing folks!



13 Responses to Yahoo! adds 2-step verification for account security

  1. It seems that at long last these giant custodians of our data – Yahoo / Google / Amazon etc – have realised their obligations to their customers and their data. However I would say (I would, wouldn’t I) that to go for an SMS OOB solution is like eating your food with plastic cutlery. They work for a while – but then they break. The issues they should be concerned about are 1) security (how secure is the solution – well, SMS is not secure and is acknowledged as such by the operators) 2) usability (it should be easy to understand and use for the end user). Does this product satisfy those 2 minimum criteria? Hmmm.

    • Julian says:

      #Ross# You make valid points. One Time Passwords (OTP) are not 100% secure. The delivery end points are the obvious weak points in the OTP design. Usability on the other hand is something the security industry will always have trouble with. I can suggest new authentication technologies but most businesses wouldn’t deploy them because it would actually deter users from using the websites/apps. It’s all about user behaviour. In time this might change. I’d go so far as to say people will use 2-step verification, if they have been a victim of crime/fraud. Security still remains ‘reactive’ unfortunately. 🙁

  2. Pingback: Yahoo! adds 2-step verification for account security | Events | IT Security Magazine - Hakin9

  3. Bryan says:

    The only people I find who aren’t praising the addition of SMS OOB for consumer systems like Gmail, Yahoo & Facebook… are people who sell fancier systems. Sure, it’s not the best way to protect corporate banking accounts or government secrets… but it’s a pretty dramatic improvement for the average webmail or social network user.

    • Julian says:

      #Bryan# You make some interesting points. I would say the biggest security improvement with SMS OOB has to be the reduced risk associated with MitB attacks. MitB has been one attack vector that has proved successful for the cyber criminals but with the introduction of SMS OOB it became far harder to defraud customer online banking accounts.

  4. Anonomous says:

    I don’t like this at all. If you ask me the password systems are broken – there are no standards as to how many and what type of characters are needed, which means people have to create 15 different passwords for all the sites they access… and then they can’t remember them… and so they write them down on a Post It and stick it on their monitors. Technological solutions are useless if they don’t take into account human factors.

    And privacy is a huge issue. Google, Facebook, Yahoo – they already know WAY too much about us, our habits, networks, what we write in our emails. I refuse to give them my phone number because I don’t trust what they’d do with it, or even that someone wouldn’t just steal it from them. It is the security of data at places like Yahoo that is the problem, much more than someone hacking an individual users account.

  5. jack says:

    It is another intrusion of privacy. Now if I want to open an account on yahoo, I am forced to give them my personal cell phone number so they can sms me ? What if I wish to use the yahoo account to criticize a political figure. Is this not a soft backdoor form of censorship ? I am shocked I am the only one who has commented about this. Shocked.

  6. md. habibur rahman says:

    I have suffering from yahoo

  7. Alan says:

    I think it is a shame that Yahoo asks for your personal info like a cell phone number. I don’t want to do this at all. If they cannot have our accounts safe without this information, they are not worth to be called a mail provider.
    By the way does anybody know how to block the startup pages of yahoo where they ask to change your password (I have already changed it) and to add your cell phone number? (As I don’t want them to know that.)

    • Julian says:

      #Alan# Yahoo requires your cell phone number so that it can send you a notification when someone attempts to hack your Yahoo account (this is no different to online banking). It is also used for account sign in verification. After all it is there for your protection and believe it or not convenience. The ‘convenience’ bit only applies if you ever got hacked because it might take some time to recover your account and recover your identity from identity theft. As for blocking startup pages – noted the widespread problem online, but haven’t a solution right now. 🙁

  8. vanessa says:

    I don’t use the same number I use on my Yahoo account.. is it possible to change it.. I can’t sign in.. what should I do..

  9. DoneWithTheSecurityLineBS says:

    I am severely opposed to any internet based service stepping out of its bounds and into my personal life or data by requesting or requiring any verification outside of the internet. It is a definite invasion of privacy, and as long as people like the original poster laud privacy invasion in the name of “feel-good/security/whatever”, then the big companies will continue to data-rape the public. Thanks, OP for selling out everyone in the name of your convenience. It’s about time people stood up for themselves, because no one else will as long as the passive “sheep” attitude continues.
