How two-factor authentication is supposed to work

The idea behind two-factor authentication is making account takeover more complicated. Instead of logging in with merely a password (something you know), you also have to demonstrate access to a device like your phone (something you have). There are a number of ways malicious actors could learn your password, e.g.

The Yahoo! and AOL account recovery process

I'm not the one who discovered the issue. I'm not even the first one to write about this issue. For example, Brian Krebs mentioned this a year ago. Quoting:

"Surprise, I logged in ACCIDENTALLY to the Yahoo! mail of the previous owner of my current phone number!!! I entered my phone number into the Yahoo! login, and it asked me if I wanted to receive a verification key/access key (2FA authentication). So I did that, and typed in the access key…"

Yet here we still are: anybody can take over a Yahoo! or AOL account as long as they control the recovery phone number associated with it. And not just that: adding a recovery phone number doesn't necessarily require verification! So when I tested it out, I was offered access to a Yahoo! account which was associated with my phone number even though the account owner almost certainly never proved owning this number. No, I did not log into their account…

So if you've got a new phone number recently, you could check whether its previous owner has a Yahoo! or AOL account. Nothing will stop you from taking over that account.

What does Verizon Media think about that?
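The recovery flow described above, as an added example that is not Yahoo!/AOL code: a small model of phone-based account recovery with the weak policy the post describes (a recovery number stored without proof of ownership, and a code sent to that number being enough to log in) beside a hardened policy (the number must be confirmed at enrollment, and recovery still demands the password, so the phone stays a second factor instead of becoming the only one). The accounts, the names alice and eve, the number +15550100 and the SMS gateway are constructed stand-ins.

```python
"""Model of phone-number account recovery: weak policy vs. hardened policy.
Added example, not Yahoo!/AOL code; all data here is constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user: str
    password: str
    recovery_phone: Optional[str] = None
    phone_verified: bool = False


class SmsGateway:
    """Constructed stand-in: a code reaches whoever currently holds the number,
    which after a number is recycled is not the person who enrolled it."""

    def __init__(self, holders):
        self.holders = dict(holders)      # phone -> current holder of that SIM
        self.inbox = {}                   # holder -> codes received

    def send(self, phone, code):
        holder = self.holders.get(phone)
        if holder is not None:
            self.inbox.setdefault(holder, []).append(code)

    def last_code(self, holder):
        codes = self.inbox.get(holder)
        return codes[-1] if codes else None


class Service:
    def __init__(self, sms, verify_phone_on_enrollment, recovery_needs_password):
        self.sms = sms
        self.verify_phone_on_enrollment = verify_phone_on_enrollment
        self.recovery_needs_password = recovery_needs_password
        self.accounts = {}
        self.by_phone = {}
        self.pending = {}                 # (purpose, user) -> expected code

    def register(self, user, password):
        self.accounts[user] = Account(user, password)

    def _issue(self, purpose, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(purpose, user)] = code
        self.sms.send(phone, code)

    def add_recovery_phone(self, user, phone):
        acct = self.accounts[user]
        acct.recovery_phone = phone
        self.by_phone[phone] = user
        if self.verify_phone_on_enrollment:
            acct.phone_verified = False   # unusable until the owner confirms it
            self._issue("verify", user, phone)
        else:
            acct.phone_verified = True    # weak: trusted without any proof

    def confirm_phone(self, user, code):
        expected = self.pending.pop(("verify", user), None)
        ok = expected is not None and secrets.compare_digest(expected, code)
        if ok:
            self.accounts[user].phone_verified = True
        return ok

    def start_recovery(self, phone):
        """The caller supplies only a phone number, as in the login form quoted."""
        user = self.by_phone.get(phone)
        if user is None or not self.accounts[user].phone_verified:
            return None
        self._issue("recover", user, phone)
        return user

    def finish_recovery(self, user, code, password=None):
        expected = self.pending.pop(("recover", user), None)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        if self.recovery_needs_password and password != self.accounts[user].password:
            return False
        return True                       # session granted for `user`


def takeover_with_phone_only(hardened, alice_confirms):
    """alice enrolls +15550100 as her recovery number; later eve holds that
    number (recycled, or never alice's). Returns True if eve gets into alice's
    account knowing nothing but the phone number."""
    sms = SmsGateway({"+15550100": "alice"})
    svc = Service(sms, verify_phone_on_enrollment=hardened,
                  recovery_needs_password=hardened)
    svc.register("alice", "correct horse battery staple")
    svc.add_recovery_phone("alice", "+15550100")
    if alice_confirms:                    # no-op under the weak policy
        svc.confirm_phone("alice", sms.last_code("alice") or "")
    sms.holders["+15550100"] = "eve"      # the number changes hands
    user = svc.start_recovery("+15550100")
    if user is None:
        return False
    return svc.finish_recovery(user, sms.last_code("eve"))
```

Under the weak policy the takeover succeeds whether or not the original owner ever confirmed the number. Under the hardened policy an unconfirmed number cannot start recovery at all, and a confirmed one only yields a code that is useless without the password; the legitimate owner, who has both, still gets back in.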