I thought I would up my security game and enable multifactor authentication (MFA) for my Yahoo! account. The results have me dumbfounded.
The whole reason behind registering multiple hardware security keys is if you lose your primary key, whether that's due to physical destruction or theft, one of the remaining keys can be used. This is SOP for many, many other operators, such as Google, who allow multiple USB security keys to be registered.
Nope. Not with Yahoo!. You have to declare precisely one way to MFA. If you register two Yubikeys, one will be marked in use and the other not in use. You have to log in and switch. Except....
Wait a minute...so in order to change my logon options, I have to log on. Can you not see the problem here????
Fine. I preferred not to go the RFC6238 code route, but it's available, might as well add that. But...what's this? You're giving me more emergency backup codes? Uhhh...sure. Just like the ones you gave me five minutes ago, I'll GPG encrypt them in my passwords directory which I use to store those.
Sooo...that seems all well and good. Maybe I can even set up a Passk...oh, no, I don't believe what I'm seeing. So now the ONLY active option is "authenticator app". Well, based on what has happened in the past five to ten minutes, I suppose I shouldn't be surprised. I clicked on security key(s), and activated my first (zeroeth?) security key. And of course, the dunderheads at Yahoo! don't seem to have a particularly good concept of how to maintain MFA, so they give me yet another emergency MFA passphrase.
Mind you, I really, really don't want to start playing with this and locking myself out, but I have to imagine every time I choose to switch my preferred MFA, it invalidates any previous emergency passphrases.
So let's review.
- I can only have, not one style, but one specific MFA at a time, whether that's my RFC6238 app or a single specific Yubikey.
- In order to change that, I have to log in.
- In order to log in without that specific Yubikey, I'll have to use up my emergency passphrase. Well...it is possible it won't be invalidated once used, but it probably should be; that's the way backup codes work at other providers.
- Every time I choose another form of MFA, I get a new passphrase.
- I might be incorrectly assuming, but every time I get a new passphrase, it invalidates previous passphrases.
- So it's looking like, if by some chance the one Yubikey gets zapped, I have no other option but using my one current emergency backup passphrase to get in to activate another, or my auth app.
Please wake up, and implement MFA like virtually every other provider.
- All forms of MFA are valid in parallel. Users should not have to choose exactly one. That's the whole idea of registering multiple ways: if one becomes unavailable for WHATEVER reason whatsoever, there will be SOME way to get in.
- Backup codes are a great idea, but do not issue a new one every time a new MFA method is registered.
- Issue multiple backup codes simultaneously. Invalidate each one as it is used.
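As an added illustration (not Yahoo!'s code, nor anything from this post), here is a small Python model of the account-side MFA state the list above asks for: every registered factor is accepted in parallel, and backup codes are issued as a batch, stored only as hashes, and retired one at a time as they are used. The class, method and factor names are my own assumptions.

```python
import hashlib
import secrets


class MfaAccount:
    """Per-account MFA state modelled the way the post asks for:
    every registered factor stays valid in parallel, and backup codes
    are issued as a batch, stored only as hashes, and burned one at a time."""

    def __init__(self):
        self.factors = {}              # factor name -> kind ("fido2", "totp", ...)
        self._salt = secrets.token_bytes(16)
        self._backup_hashes = set()    # digests of backup codes not yet used

    def register_factor(self, name, kind):
        # Enrolling another key or app must not touch the backup codes.
        self.factors[name] = kind

    def remove_factor(self, name):
        self.factors.pop(name, None)

    def can_authenticate_with(self, name):
        # Any registered factor is accepted; there is no single "in use" one.
        return name in self.factors

    def issue_backup_codes(self, count=10):
        # Only an explicit regeneration replaces the batch (e.g. a user request);
        # registering a new factor never calls this.
        codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
        self._backup_hashes = {self._digest(c) for c in codes}
        return codes                   # shown to the user exactly once

    def redeem_backup_code(self, code):
        # Single use: a matching code is removed from the set as it is consumed.
        digest = self._digest(code)
        if digest in self._backup_hashes:
            self._backup_hashes.discard(digest)
            return True
        return False

    def backup_codes_remaining(self):
        return len(self._backup_hashes)

    def _digest(self, code):
        # Each code carries 64 bits of entropy; storing a salted SHA-256 instead
        # of the plaintext means a dumped table cannot be replayed as-is.
        # A slow password hash (scrypt/argon2) would be the stronger choice.
        normalized = code.strip().lower().replace("-", "")
        return hashlib.sha256(self._salt + normalized.encode()).hexdigest()
```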
English is a difficult enough language to interpret correctly when its rules are followed, let alone when the speaker or writer chooses not to follow those rules.
"Jeopardy!" replies and randomcaps really suck!