Controversial innovation from Yandex: logging into your account via an email

Having once again logged into my Yandex account through a browser, I noticed a new feature under the login button: the ability to log in to the account simply by clicking a link in an email that is sent to the mailbox of that same account.

Apparently this function is in A/B testing, since the button is not always displayed.

According to the function's description, after clicking the button you receive an email that asks you to compare the pictures it contains with the pictures displayed on the login form, and then to confirm the login by clicking the login button. No password is entered into the login form, and no code from the email either.

At the moment, the last item in the description is:

    Can I disable sign-in via email?
    It is not yet possible to disable sign-in via email.

The only case in which signing in via email is impossible is when 2FA is used; it works only with the Yandex.Key application and completely excludes password entry.
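The flow described above (login form, mailed link, pictures to compare, confirmation, and the account setting the description says cannot yet be changed) modelled as a toy server, added here as an illustration; this is not Yandex's code, and the picture pool, the link lifetime, the `email_login_enabled` opt-out flag and the placeholder host `example.invalid` are all assumptions:

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-in for the pictures shown on the login form and in the email (assumption).
PICTURE_POOL = ["apple", "bicycle", "key", "moon", "fish", "balloon", "car", "cup"]
LINK_TTL_SECONDS = 300  # assumed lifetime of a sign-in link; not a Yandex value


@dataclass
class Account:
    email: str
    email_login_enabled: bool = True            # hypothetical per-account opt-out
    security_log: list = field(default_factory=list)


@dataclass
class PendingLogin:
    email: str
    pictures: tuple
    created_at: float
    used: bool = False


class EmailLinkAuth:
    """Toy server side of an email-link sign-in (not Yandex's implementation)."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable so expiry can be tested
        self.accounts = {}                      # email -> Account
        self.pending = {}                       # token -> PendingLogin
        self.outbox = []                        # constructed mailbox: what a mail client would receive

    def register(self, email, email_login_enabled=True):
        self.accounts[email] = Account(email, email_login_enabled)

    def request_login(self, email):
        """Login-form step: issue a single-use token, mail the link, and return
        the pictures the form should display so the user can compare them."""
        acct = self.accounts[email]
        if not acct.email_login_enabled:
            acct.security_log.append((self.clock(), "email sign-in refused: disabled"))
            return None
        token = secrets.token_urlsafe(32)       # unguessable; the link itself is the credential
        pictures = tuple(secrets.choice(PICTURE_POOL) for _ in range(3))
        self.pending[token] = PendingLogin(email, pictures, self.clock())
        self.outbox.append({
            "to": email,
            "link": f"https://example.invalid/confirm?t={token}",  # placeholder host
            "pictures": pictures,               # the user compares these with the form by eye
        })
        return pictures

    def confirm(self, token):
        """Link step: return a session id on success, None otherwise. Every
        attributable outcome goes to the account's security log, which is the
        one record that survives if the email itself is deleted."""
        p = self.pending.get(token)
        if p is None:
            return None                         # unknown token: no account to attribute it to
        acct = self.accounts[p.email]
        now = self.clock()
        if p.used:
            acct.security_log.append((now, "email sign-in link reused"))
            return None
        if now - p.created_at > LINK_TTL_SECONDS:
            acct.security_log.append((now, "email sign-in link expired"))
            return None
        p.used = True
        acct.security_log.append((now, "login via email link"))
        return secrets.token_hex(16)


def token_from_email(message):
    """What clicking the mailed link amounts to: extracting the token from it."""
    return message["link"].split("?t=", 1)[1]
```

Two things the model makes visible: the picture comparison is done by the user, not checked by the server, so it detects a request the user did not initiate rather than preventing a confirmation by whoever has the mailbox open; and the only server-side controls that remain are link expiry, single use, the per-account opt-out, and an audit entry that does not depend on the email surviving.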

An interesting fact: in the post announcing Yandex's 2FA (2015), the first point in the explanation of their approach to 2FA was:

    To begin with, the average user's computer cannot always be called a model of security: Windows updates may be turned off, there may be a pirated copy of an antivirus without current signatures, and software of dubious origin; none of this raises the level of protection. In our estimation, compromising the user's computer is the most widespread way of "hijacking" accounts.

Sharing the view that PCs are less secure than smartphones, I contacted Yandex support with a question about the possibility of disabling email sign-in for accounts without 2FA, since most people probably stay logged in on their personal PCs via cookies.

With this new authorization method you do not even need to consider viruses, the possibility of sending emails, and so on: half a minute of access to the mouse and monitor of an unlocked PC with an open mailbox is enough to make three clicks (on the email, on the link in it, and on the confirmation button) and enter the account. Three or four more clicks are needed to delete the message without a trace, after which the login can be discovered only through the security log. How often do you look there?

Their reply was:

    Logging in via the email is completely safe, and in the case you described with an unlocked PC, access to the account open on it can be gained more easily, for example by looking at the password saved in the browser.

On the question of whether the function can be disabled: "We have noted your wish and will think about it."

Non-obvious innovations that simplify authorization can turn into very unpleasant surprises for users who do not expect a catch. Or does it only seem to me that this is a deterioration in security?
