
A controversial innovation from Yandex: logging into your account via an e-mail link

Logging into my Yandex account through the browser once again, I noticed something new under the login button: the option to sign in to the account simply by clicking a link in an e-mail sent to that account's own mailbox.



Apparently this feature is in A/B testing, since the button is not always shown.

According to the feature's description, after clicking the button you receive an e-mail that asks you to compare the pictures it contains with those shown on the login form, and then to confirm the login by clicking the sign-in button. Neither the password nor a code from the e-mail has to be typed into the login form.
At the moment, the last item in the description reads:
Is it possible to disable login via e-mail?
It is not yet possible to disable login via e-mail.
The only case in which logging in via e-mail is impossible is the use of 2FA, which works only with the Yandex.Key application and completely eliminates password entry.

An interesting fact: in Yandex's post announcing 2FA (2015), the first point in the explanation of their approach to 2FA was:
Let's start with the fact that the average user's computer cannot always be called a model of security: disabled Windows updates, a pirated copy of an antivirus without up-to-date signatures, and software of dubious origin all do nothing to raise the level of protection. By our estimates, compromise of the user's computer is the most widespread way to "hijack" user accounts.
Sharing the view that a PC is less secure than a smartphone, I contacted Yandex support to ask whether login via e-mail could be disabled for accounts without 2FA; after all, most people probably stay logged in on their personal PCs via cookies.

With this new login method you do not even need to consider viruses, the ability to send e-mails, and so on: half a minute of access to the mouse and monitor of an unlocked PC with the mailbox open is enough to make three clicks (open the e-mail, click the link in it, and click the confirmation button) and get into the account. Three or four more clicks delete the e-mail without a trace, after which the login can only be spotted in the security log, and how often do you look there?

Their reply was:
Logging in via e-mail is completely secure, and in the case you describe with an unlocked PC, the account open on it can be accessed even more easily, for example by viewing the password stored in the browser.
[Screenshot of the reply]

To the question about the possibility of disabling the feature they answered: "We have noted your wish and will think about it."

Non-obvious innovations meant to simplify authorization can bring very unpleasant surprises to users who are not expecting a catch. Or is it just me who sees this as a deterioration in security?

Source: https://habr.com/ru/post/456412/
