YAHOO! ATT SBC Password Fiasco

Yahoo! has had recurring issues with Security and Usability. They also provide Email service for ATT.NET & SBCGLOBAL.NET, plus other regional DSL services like Southwestern Bell, etc. ALL share these Problems.

* You Cannot Log In and your Password Does Not Seem To work
* You MAY be able to log in on a web page to see email, but the exact same password refuses to work on your iPhone, Android, iPad etc.

Yahoo! is now using their version of “oAuth” to verify you, using special “Secure Keys” associated with your account. Yep, the exact same one you can log into with your old password the old way on a Web Page.
Google Gmail automates this process for Gmail.Com and makes this very simple.
Yahoo! makes it as ugly & confusing as it possibly can.

I suspect they want you to stick to using their ad-cluttered, slow, insecure Web Page rather than you using your own peaceful, relatively secure eMail app WITHOUT all the ads.

Real solution is: Shift all correspondence & contacts off (This warrants another whole blog in itself).
Then Stop Using Yahoo! Delete the Account after ensuring everything important is gone.
DO NOT Abandon the account: it will get broken into and misused. DELETE IT.
They also make this as “Difficult As Possible” (c)

Aaaaaaaaanyway. Where was I. Oh Yes.

So the Password you WERE using, that WAS working, or that looks like it might work but does not when configuring iPhone Email etc, will in fact Not Work.

You need to RETURN to the web page (do this on a real live computer laptop or desktop not a tiny web browser or you will Lose what’s left of your Mind) 
…where you DID log into your account and have Yahoo! (or ATT etc, makes no difference)  generate a “Secure Key” which is a sequence of I believe 16 lowercase letters. 

It’s this “Key” you will then use on your iPhone by YES typing that whole lot of 16 characters in instead of what you thought your Password was.

For this next stage on your ‘real’ Computer, be sure to turn off pop up blockers, uBlock Origin and God knows what else, as a ridiculous series of page redirects follows and the final page often will not come up without Refresh, reload, who knows what else. Patience!
This also prevents me from being able to simply paste a fixed link in here.

Go Here:
Last item top right is “Account>”
Now go down to: “Account Overview”.. “Manage  Profile”..

Now, Way at the far bottom, left of the resulting screen will be:
“Manage secure mail key”
Click on “Add Secure Mail Key”

and give it a Nickname as they suggest, such as “For iPhone”
(for the Hell of it I called mine “Hippopotamus” for the bloated and clunky way it was all done)
An equally ugly all-lowercase 16 character set of letters shows up.

Now paste that somewhere– likely in an Email to yourself, notes etc.
Or, Hell! Write it Down?
You will NOT be able to re-view that key ever again within the Yahoo! Web page.
(Unless perhaps within the EMail to yourself where you pasted it! : ))
You can Delete it, create multiple different new keys etc, but you will never see it again from Yahoo! itself.
You Now Own It. Now use It. Good Luck.

I blacked out this sample key even though it is supposed to be of no use to anyone but the subscriber and once on an app–
But this is Yahoo! so it’s impossible to think what screw up may make it hackable….

Some Ideas– the Principle of oAuth is: “Online Authentication”
Meaning, you confirm who you are to the web site owner by logging in on a secure web page on their website with your original password.

Once that site feels confident it is really “You” they feel happy to issue you a one time “Token”, like a laundry ticket against your name for one article of clothing– that is, your App for use on ONE  Email app which is NOT your password itself.
I think (but I am not sure) that to use it on a second device you need a separate, different key. Have Not tried.

Why? Because Site has NO idea what breed of eMail application you may be using and whether someone could get in there and filch that password or key back out and use it for “Other Purposes”?

If somebody is able to Steal that key for your iPhone (because, well, you wrote it on a bit of paper, right?) it will do them NO good because:
– They cannot log into your Web page with it, the ‘real’ original password is still required for that
– If they try sticking the same auth key into their own phone so they can read YOUR mail then as far as I know, it will not work as it only provides for one ‘check in’ and one use on the one app.

It MAY be that there is also a way that your log in becomes associated to your particular unique phone to further secure things, but I do not have the details.

This MAY create a situation where an Upgrade to the App makes it look like a different App and the key needs to be re-entered– or Worse– Re Created. But I do not know for sure either.
Security-wise, if they mean business, this is what would happen, but Who Knows.

It is a good reason to NAME the key for the device it’s intended for. Problems? Delete and Re Make a Key.
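
An added sketch (not part of the original post, and not Yahoo! or AT&T code) of the behaviours described above: a named 16-letter key is shown once, works for mail but not for the web login, and can be deleted per device without touching the others. It assumes the server keeps only a salted hash of each key, which would explain why the key can never be viewed again; the class and method names and the sample password are hypothetical.

```python
import hashlib
import hmac
import secrets
import string


class MailKeyStore:
    """Toy account store; hypothetical names, not Yahoo!/AT&T code."""
    def __init__(self, web_password):
        self._web = self._hash(web_password)
        self._keys = {}  # nickname -> (salt, digest); plaintext key never stored

    @staticmethod
    def _hash(secret, salt=None):
        salt = salt or secrets.token_bytes(16)
        return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    @classmethod
    def _matches(cls, secret, record):
        salt, digest = record
        return hmac.compare_digest(cls._hash(secret, salt)[1], digest)

    def add_key(self, nickname):
        # 16 random lowercase letters, the key format the post describes.
        key = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._keys[nickname] = self._hash(key)
        return key  # the only moment the plaintext key is available

    def delete_key(self, nickname):
        return self._keys.pop(nickname, None) is not None

    def web_login(self, secret):
        return self._matches(secret, self._web)

    def mail_login(self, secret):
        # Returns the nickname of the key that matched, or None.
        for nickname, record in self._keys.items():
            if self._matches(secret, record):
                return nickname
        return None


def demo():
    store = MailKeyStore("constructed-web-password")  # constructed sample value
    phone, tablet = store.add_key("For iPhone"), store.add_key("Hippopotamus")
    before = (store.web_login(phone), store.mail_login(phone),
              store.mail_login("constructed-web-password"))
    store.delete_key("For iPhone")
    return before, store.mail_login(phone), store.mail_login(tablet)
```

Because the mail login reports which nickname matched, a per-device name also tells you which key to delete when one device is lost.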

What happens if you change your principal site password? Do the Keys Change? I think that they should, but what a Pain in the Ass.
I cannot answer this because I do not use Yahoo! But, I need to know this for my long suffering clients and friends.

I hope you do not have to find out much.