ForgeRock Blog

How To Avoid Being YAHOOdwinked!

Last week Yahoo disclosed a breach of its Yahoo Mail service. Just as horrifying, a few weeks earlier Yahoo had to take down advertisements containing malware that were shown to visitors of its European sites between Dec. 31 and Jan. 3. In short, Yahoo has had a rough few weeks. It’s led to lots of people wondering what Yahoo could have done to protect consumers better.

When it comes to Identity Relationship Management there are a few technologies that every company should consider.

Federated Single Sign-on (FSSO): In the case of the Yahoo Mail hack, the attack occurred in a partner application. That is, a partner database containing Yahoo consumer data was attacked rather than Yahoo directly. This immediately makes me wonder if they were using Federated SSO to better protect users.

Federation would allow Yahoo to provide partners access to Yahoo users without having to also share that user’s credentials. That is, Yahoo forms a trusted relationship with the partner, the partner application accepts a token from Yahoo and authenticates the user anonymously. This eliminates the need to share and populate user credentials across thousands of partner applications, thereby better protecting end-users.
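To make the mechanism concrete, here is a constructed example (added here, not Yahoo's or ForgeRock's code) of the token exchange the paragraph describes: the identity provider authenticates the user itself and hands the partner a signed token carrying a partner-specific pseudonym, so the partner never stores the user's credentials and a breach at one partner leaks neither a password nor an identifier that can be matched against other partners. The issuer name, partner names and secrets are assumptions; HMAC-SHA256 with a per-partner shared secret stands in for the asymmetric signatures real SAML or OpenID Connect federation uses.

```python
"""Minimal federated SSO token flow (constructed example).

IdP side: issue_token() mints a signed token after local authentication.
Partner side: verify_token() checks signature, audience and expiry and
returns only a pairwise pseudonymous subject, never the user's credentials.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secrets; a real IdP keeps these in an HSM or secrets vault.
IDP_PAIRWISE_SALT = b"idp-pairwise-salt-demo"
PARTNER_SECRETS = {
    "partner-mail-app": b"shared-secret-for-mail-app",
    "partner-news-app": b"shared-secret-for-news-app",
}
ISSUER = "https://idp.example"  # assumed issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_subject(user_id: str, partner_id: str) -> str:
    """Derive a partner-specific pseudonym so partners cannot correlate users."""
    msg = f"{user_id}|{partner_id}".encode()
    return hashlib.sha256(IDP_PAIRWISE_SALT + msg).hexdigest()[:32]


def issue_token(user_id: str, partner_id: str, now: float, ttl: int = 300) -> str:
    """IdP side: called only after the IdP has authenticated the user itself."""
    payload = {
        "iss": ISSUER,
        "aud": partner_id,                       # bound to one partner
        "sub": pairwise_subject(user_id, partner_id),
        "iat": int(now),
        "exp": int(now) + ttl,                   # short lifetime limits replay
        "jti": secrets.token_hex(8),             # unique id for replay tracking
    }
    body = b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(PARTNER_SECRETS[partner_id], body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"


def verify_token(token: str, partner_id: str, now: float):
    """Partner side: return the pseudonymous subject, or None on any failure."""
    try:
        body, sig_b64 = token.split(".")
        expected = hmac.new(PARTNER_SECRETS[partner_id], body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig_b64)):
            return None                          # forged or altered token
        claims = json.loads(unb64url(body))
    except (ValueError, KeyError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != partner_id:
        return None                              # minted for someone else
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None                              # not yet valid or expired
    return claims["sub"]
```

The partner stores only the `sub` value it receives; the same user appears under a different pseudonym at every partner, which is the property that keeps one partner's compromised database from being useful against the others.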

Multi-Factor Authentication (MFA): When it comes to breaches, multi-factor authentication is another important tool that protects end-users. In this case, Yahoo does offer an MFA service, but not all end-users take advantage of it.

MFA requires the use of more than one form of authentication to verify the legitimacy of a user. With MFA, even if a customer’s credentials were stolen, the thieves could not access the Yahoo service because additional forms of authentication would be required. Banks commonly use MFA technology by providing customers with token cards that must be used as part of the authentication process.

Other forms of MFA include one-time passwords delivered to mobile phones, asking the user to answer a secret question, and using biometric devices such as fingerprint or retina scanners. The downside to MFA is that it requires a physical device the user must have at hand in addition to remembering their credentials, thus negatively affecting user experience when accessing the service.

Risk-based Authentication: Risk-based authentication provides end-user protection by making access decisions based on context. It looks at real-time attributes including IP address, country, device, time of day, and behavioral patterns of the user. How you authenticate is based on the real-time data received.

For example, if you try to access Yahoo from Colombia, but have never done so before, the system may require additional forms of authentication. To enable access from Colombia, it may require that you go through an authorization process via email. This can also be done by authorizing remote devices. That is, in order to access a service via mobile phone, iPad, or a new laptop, you need to approve the device before accessing the service.
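The decision logic behind such a policy can be written down directly. Below is an added example (not Yahoo's or ForgeRock's code) that scores a login attempt against what has been seen for the user before (countries, approved devices, usual hours, recent failures) and returns one of three outcomes: allow on the password alone, step up to an additional factor such as the email authorization the paragraph describes, or deny. The weights and thresholds are illustrative assumptions; a real deployment tunes them against its own fraud data.

```python
"""Risk-based authentication decision (constructed example).

decide() turns real-time context into allow / step_up / deny, and
approve_device() records a successful step-up so the next login from the
same device and country is treated as familiar.
"""
from dataclasses import dataclass, field


@dataclass
class UserHistory:
    """What the system has already seen for this user (constructed fields)."""
    known_countries: set = field(default_factory=set)
    approved_devices: set = field(default_factory=set)  # device ids the user approved
    usual_hours: set = field(default_factory=set)       # local hours of day seen before
    failed_attempts_recent: int = 0


@dataclass
class LoginAttempt:
    country: str
    device_id: str
    hour_of_day: int          # 0-23 in the user's local time
    credential_valid: bool


# Illustrative weights and thresholds (assumptions, not a vendor's values).
WEIGHT_NEW_COUNTRY = 40
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_UNUSUAL_HOUR = 10
WEIGHT_PER_RECENT_FAILURE = 15
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80


def risk_score(history: UserHistory, attempt: LoginAttempt) -> int:
    """Sum the risk signals present in this attempt's context."""
    score = 0
    if history.known_countries and attempt.country not in history.known_countries:
        score += WEIGHT_NEW_COUNTRY
    if attempt.device_id not in history.approved_devices:
        score += WEIGHT_UNKNOWN_DEVICE
    if history.usual_hours and attempt.hour_of_day not in history.usual_hours:
        score += WEIGHT_UNUSUAL_HOUR
    score += WEIGHT_PER_RECENT_FAILURE * history.failed_attempts_recent
    return score


def decide(history: UserHistory, attempt: LoginAttempt) -> str:
    """Return "deny", "step_up" or "allow"; a wrong password is always denied."""
    if not attempt.credential_valid:
        return "deny"
    score = risk_score(history, attempt)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"           # e.g. send an email authorization link
    return "allow"


def approve_device(history: UserHistory, attempt: LoginAttempt) -> None:
    """After the step-up succeeds, remember the device, country and hour."""
    history.approved_devices.add(attempt.device_id)
    history.known_countries.add(attempt.country)
    history.usual_hours.add(attempt.hour_of_day)
```

Note that the password check and the context check are separate: context never substitutes for a valid credential, it only decides how much more than a credential is needed.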


Daniel Raskin