Hacker News new | past | comments | ask | show | jobs | submit login

I use Yahoo for fantasy sports. When I signed up I was forced to register a RocketMail account. Logging into Yahoo Fantasy is the only thing I've used it for. I wonder how many other people are in this scenario.

Some hacker might have my password, hopefully they don't pull Aaron Rodgers from my line up this week.




Yahoo's been authenticating me nearly every time I try to access the fantasy app on my phone. They've made me change my password 3 times in the past month or so. And the password I set doesn't seem to work, so I keep having to use their phone based authentication. With all the money that they have, it's hard to fathom how Yahoo is so bad at delivering secure identity services.


I started using their "Account Key" process, any time I log in on the site from a computer, I get a notification from my Yahoo sports app (iPhone) asking me if I would like to allow the login attempt. I actually like it better than the two-factor auth I use for other accounts. Whether it's more secure or not, I don't know..

EDIT: just for clarification, this replaces the password entirely. So I never enter a password on the site.


Can you help me understand how it replaces the password entirely? What if I lost my phone, or just deleted their app? Does it basically fall back to letting you click a link in your email to approve logging in? Or, SMS, or...? I've been skeptical of it.

Fortunately iCloud Keychain means my current Y! password is random as hell and not reused anywhere, but I'm slightly nervous wondering what the hell password I had in 2014 or 2012 or whenever this stupid leak happened. :/


If you don't enter a password, then it isn't two factor auth at all. It just swapping one-factor (something you know) for another (something you have).


I know that it's not, I just said that I like it better than the two-factor auth that I use elsewhere. If I need to pull out my phone; its just easier to click my notification and click "approve", than to go to Authy to get the 6 digit code, and type it in to my computer.


Sorry, I misunderstood your statement. I thought you were comparing it to 2FA elsewhere. Now I see that you were just comparing it to the second factor elsewhere (not the whole 2FA0).


if something you have requires a password, you still have two-factor. Kind of.


Right, but in this case, it does not require a password. So it is not two-factor.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: