Yahoo announces email encryption plugin, password-free logins
Yahoo email users will soon be able to encrypt the emails they send out by simply clicking on a button. In addition to this, users will be able to effectively forget their email passwords and request an on-demand password (a verification code) each time they want to access their account.
Yahoo CISO Alex Stamos introduced the end-to-end email encryption plugin at the SXSW festival this Sunday, and shared that they have been working on it with Google. In fact, the two companies’ email encryption solutions will be compatible, allowing users of both services to send each other encrypted emails.
The plugin is a fork of Google’s End-to-End Chrome extension, which uses the OpenPGP standard for key generation, encryption, decryption, digital signature, and signature verification, and whose source code was opened for review by Google in June 2014.
The source code for Yahoo End-to-End is also available for review, and the company is hoping that security researchers will take a look and report any vulnerabilities they find via Yahoo’s Bug Bounty program.
“Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online,” Stamos pointed out in a blog post following the announcement.
“There is a wide spectrum of use for e2e encryption, ranging from the straightforward (sharing tax forms with an accountant), to the potentially life-threatening (emailing in a country that does not respect freedom of expression),” he explained, adding that they are hoping to provide an intuitive e2e encryption solution for all users by the end of 2015.
They also showed just how intuitive and easy to use the plugin will be by comparing it to the same process carried out with GPGTools.
But there is one thing that users should be aware of: while the content of the message is encrypted, the information held in its header is not, so if someone bothers to look, the recipient’s email address, the subject line, and the date and time when it was sent will be known.
Also on Sunday, Chris Stoner, Director of Product Management at Yahoo, announced on-demand passwords. Users who select the option will not have to remember their email passwords anymore, but will simply demand one from Yahoo when they need to log in, and will receive it via SMS. This will hopefully also minimize the effectiveness of phishing attacks.
The option is currently only available to US-based users.