Y! Security
11 August 2015
Whenever I travel out of the UK, the first time I connect to the internet with one of my gadgets I get an email from Yahoo! stating they detected a sign-in attempt from an unrecognised device in {name of the country I’m in}, and asking me to sign in with the device I ‘usually use’.
Huh? I just signed in with a laptop/phone I use every day. What gives?
Usability and security aren’t comfortable bedfellows. Indeed, the point of security is to make a device or system unusable to most users. Where the two fields meet, the result is often awkward. Yahoo’s ‘unrecognised sign-in’ process is a classic example.
Disclosure/disclaimer: I worked at Yahoo! for 5 years. I still know people there. I am not second-guessing their decisions, as I don’t know the technical, legal, and economic constraints they are balancing. Rather, I am highlighting the difficulty of balancing security and usability in a mobile, multi-device world.
Presumably, Yahoo! is using some combination of a software identifier (such as a cookie) and some form of geolocation to determine whether you’ve signed in from that device before. It’s a security feature, designed to detect when a sign-in attempt is being made by someone other than the account owner: if the sign-in comes from a country other than the one the account holder is usually in, it gets flagged as a possible hack attempt. But the email isn’t clear. They mention ‘keeping your account safe’, but don’t explain what they think is happening and why.
Google sends a similar email when you add your Google account to a new device, but they are much clearer about what is happening and why:
Why are we sending this? We take security very seriously and we want to keep you in the loop on important actions in your account.
We were unable to determine whether you have used this browser or device with your account before. This can happen when you sign in for the first time on a new computer, phone or browser, when you use your browser’s incognito or private browsing mode or clear your cookies or when somebody else is accessing your account.
They also don’t require any action if the sign-in attempt was legitimate. Yahoo! asks you to sign in with your ‘usual device’. But which usual device? Phone? Laptop? Work laptop? I sign in from all three daily. More, I’m out of country. What if I don’t have my ‘usual device’? Will my account be locked? Will I still get email?
Some years back, Yahoo! used to ask you to sign in to your Yahoo! account via the web, so I tried signing in to my Yahoo! Mail account via the web. I got another email much more like the Google email, telling me I’m all set if the unrecognised sign-in attempt was from me.