Hello again everyone. I am sure you will agree that the most important thing when working on the Internet is safety. It needs special attention. When registering on an important site, you should create a strong password or use. The more complex the combination of letters and numbers, the harder it will be for attackers to crack it. However, there are times when hackers manage to gain access to your account, for example your personal email. This is very sad: important information may end up in the wrong hands and be used against you, your correspondence with your partners may be deleted entirely, and so on. In a word, your account should be protected like the apple of your eye.

To increase security, many services offer two-factor authentication. Today we will look at what this is using the example of Yandex mail.

When you enable this function, an attacker who guesses your main password will still not be able to get into your mailbox, because to do so he will also need a random one-time password generated by a special application on your smartphone or tablet. Now we will explain in detail how to enable two-factor authentication in Yandex. A similar review of Google Mail and Mail.ru will follow later.

So, to enable this function we need a smartphone or tablet. Go to your Yandex mailbox. If you don't have one yet, create one. How? Read in.

After we have logged into our account, click on your account and select "Account Management".

A Yandex Passport page will open with all sorts of settings. In the "Access control" block, follow the link "Set up two-factor authentication".

Now we have to go through 4 steps.

Step 1. Confirming your phone number.

After the new feature is activated, your account will be linked to your phone number. Therefore, specify a number to which you have free access. After that, click the "Get code" button.

In a couple of seconds you will receive an SMS message containing a code; enter it in the field...

... and click "Confirm".

Step 2. Pin code.

In order for the application to generate a one-time password, you need to enter a PIN code, the one that we will now set. Attention! Remember this code and do not share it with anyone. Even if your phone is stolen, attackers will not be able to use the application without knowing your PIN code.

Enter your PIN code, then repeat it. To reveal the characters, click on the eye icon; this way you can make sure you typed everything correctly. Then click "Create".

Step 3. Yandex Key mobile application.

At this stage we need to install the application that will create one-time passwords. Click the "Get a link to your phone" button.

Follow the link. An Android phone will automatically open Google Play with an offer to install the Yandex Key application. Install it.

Open Yandex Key. After a few introductory pages, you will be asked to scan a QR code. The app will ask for permission to access your camera; agree. Next, point the camera at the monitor so that the square with the QR code is in the camera's view. The application will automatically scan it and add your account. If scanning fails, you can enter the secret key manually. To view it, click the "Show secret key" link under the QR code. In the application, select the manual secret-key entry method.

Now let's move on to the next step.

Step 4. Entering a one-time password from the Yandex key.

We launch our application on our gadget. Now you will need to enter your PIN code. And after that you will see that same random one-time password.

The password is updated every 30 seconds, so make sure to enter it in the field before it changes and click "Turn on".

That's it, we have enabled two-factor authentication for our Yandex account.

Let's check how it works. Log out of your current account.

Now you can log into your account in two ways. 1) Enter your login (or your Yandex email address) and then enter NOT the permanent password we used before, but the ONE-TIME password we receive in the Yandex Key mobile application after entering the PIN code, and click the Login button. 2) The second way is logging in using a QR code. Click the QR code icon (to the right of the Login button).

Then we get to this page.

We follow the instructions: launch Yandex Key, enter our PIN code and select "Login using QR code".

Then we point the camera of the tablet or phone at the QR code. The application scans the code and we get access to our mail.

How to disable two-factor authentication in Yandex

If for some reason you decide to disable two-factor authentication, then this can be done quickly and easily. Log in to your mailbox, go to Account Management (see where and how to do this at the beginning of this article) and turn off this function.

In the next step we need to enter a one-time password from the Yandex Key application.

Enter it and confirm.

We create a new password (this time a permanent one), repeat it and save.

That's it, now our two-factor authentication is disabled. The permanent password created in the previous step will be used to log in.

So, today we looked at how to make our Yandex mail account more secure by connecting two-factor authentication to it. Are you using this feature? Share in the comments.

And that's all for today. See you again!

    It is a rare post on the Yandex blog, especially one related to security, that does not mention authentication. We have been thinking for a long time about how to properly strengthen the protection of user accounts, in a way that can be used without all the inconveniences of today's most common implementations. And they are, alas, inconvenient: according to some data, on many large sites the percentage of users who have enabled additional authentication means does not exceed 0.1%.

    It seems that this is because the common two-factor authentication scheme is too complex and inconvenient. We tried to come up with a method that would be more convenient without losing the level of protection, and today we present its beta version.

    We hope it becomes more widespread. For our part, we are ready to work on its improvement and subsequent standardization.

    After enabling two-factor authentication in Passport, you will need to install the Yandex.Key application from the App Store or Google Play. QR codes have appeared in the authorization form on the Yandex home page, in Mail and in Passport. To log into your account, you scan the QR code with the application, and that's it. If the QR code cannot be read, for example because the smartphone camera does not work or there is no Internet access, the application will create a one-time password that is valid for only 30 seconds.

    I'll tell you why we decided not to use "standard" mechanisms such as RFC 6238 or RFC 4226. How do common two-factor authentication schemes work? They are two-step. The first step is normal authentication with a login and password. If it succeeds, the site checks whether it "likes" this user session or not, and if it does not, it asks the user to authenticate additionally. There are two common methods of this additional authentication: sending an SMS to the phone number associated with the account, and generating a second password on the smartphone. Usually TOTP according to RFC 6238 is used to generate the second password. If the user enters the second password correctly, the session is considered fully authenticated; if not, the session loses its preliminary authentication as well.

    Both methods, sending an SMS and generating a password, are proof of possession of the phone and therefore constitute a possession factor. The password entered at the first step is a knowledge factor. So this authentication scheme is not only two-step but also two-factor.

    What seemed problematic to us in this scheme?

    Let's start with the fact that the average user's computer cannot always be called a model of security: disabled Windows updates, a pirated copy of an antivirus without current signatures, and software of dubious origin do not increase the level of protection. In our assessment, compromising the user's computer is the most widespread method of account "hijacking" (and this has happened recently), and this is what we want to protect against first of all. In this two-factor scheme, if you assume that the user's computer is compromised, entering a password on it compromises the password itself, which is the first factor. This means the attacker only has to guess the second factor. In common implementations of RFC 6238 the second factor is 6 decimal digits (and the maximum allowed by the specification is 8 digits). According to a brute-force calculator for OTP, an attacker can find the second factor in three days if he has somehow learned the first. It is not clear how the service can counter this attack without disrupting the normal user experience. The only possible proof of work is a captcha, which in our opinion is a last resort.

    The second problem is the opacity of the service's judgment about the quality of the user session and its decision on whether additional authentication is needed. Even worse, the service has no interest in making this process transparent, because security by obscurity actually works here: if an attacker knows on what basis the service judges a session to be legitimate, he can try to forge that data. As a rule, the judgment is based on the user's authentication history by IP address (and its derivatives, the ISP's Autonomous System Number and the location from a geolocation database) and on browser data such as the User-Agent header and the set of cookies, Flash LSOs and HTML local storage. This means that if an attacker controls the user's computer, he can not only steal all the necessary data but also use the victim's IP address. Moreover, if the decision is based on the ASN, then any authentication from public Wi-Fi in a coffee shop can lead to the coffee shop's provider being "poisoned" from the security point of view (and whitelisted from the service's point of view), and thus, for example, to all coffee shops in the city being whitelisted. We have already mentioned proof of work, and it could be applied, but the time between the first and second steps of authentication may not be enough to confidently judge an anomaly. Moreover, the same argument destroys the idea of "trusted" computers: an attacker can steal any information that influences the trust judgment.

    Finally, two-step authentication is simply inconvenient: our usability research shows that nothing irritates users more than an intermediate screen, additional button clicks and other actions that are "unimportant" from their point of view. Based on this, we decided that authentication should be one-step and that the password space should be much larger than is possible within "pure" RFC 6238. At the same time, we wanted to preserve two-factor authentication as much as possible.

    Multifactor authentication is defined by assigning authentication elements (the factors) to one of three categories:

    1. Knowledge factors (these are traditional passwords, PIN codes and everything that looks like them);
    2. Possession factors (in the OTP schemes in use this is usually a smartphone, but it can also be a hardware token);
    3. Biometric factors (fingerprint is the most common now, although someone will remember the episode with Wesley Snipes’ character in the film Demolition Man).

    Development of our system

    When we started working on the problem of two-factor authentication (the first pages of the corporate wiki on this topic date back to 2012, but it had been discussed behind the scenes before), the first idea was to take the standard authentication methods and apply them ourselves. We understood that we could not count on millions of our users buying a hardware token, so we postponed this option for some exotic cases (although we have not completely abandoned it; perhaps we will come up with something interesting). The SMS method also could not be used widely: it is a very unreliable delivery method (at the most crucial moment the SMS may be delayed or not arrive at all), and sending SMS costs money (and operators have begun to raise their prices). We decided that SMS is for banks and other low-tech companies, and we want to offer our users something more convenient. In general, the choice was small: use the smartphone and a program on it as the second factor.

    This form of one-step authentication is widespread: the user remembers the PIN code (first factor) and has a hardware or software (in a smartphone) token that generates an OTP (second factor). In the password entry field, he enters the PIN code and the current OTP value.

    In our opinion, the main disadvantage of this scheme is the same as that of two-step authentication: if we assume that the user's desktop is compromised, then entering the PIN code once will disclose it, and the attacker only has to guess the second factor.

    We decided to go a different route: the entire password is generated from a secret, but only part of the secret is stored in the smartphone; the other part is entered by the user each time a password is generated. Thus the smartphone itself is a possession factor, and the part of the secret that remains in the user's head is a knowledge factor.

    The nonce can be either a counter or the current time. We chose the current time: this means we need not fear desynchronization if someone generates too many passwords and advances the counter.

    So, we have a program for a smartphone in which the user enters his part of the secret; it is mixed with the stored part, and the result is used as an HMAC key, which signs the current time rounded to 30 seconds. The HMAC output is converted to a readable form, and voila, here is the one-time password!

    As stated earlier, RFC 4226 specifies that the HMAC result is truncated to at most 8 decimal digits. We decided that a password of this size is not suitable for one-step authentication and should be enlarged. At the same time, we wanted to maintain ease of use (after all, remember, we want to make a system that will be used by ordinary people, not just security geeks), so as a compromise in the current version of the system we chose to truncate to 8 characters of the Latin alphabet. It seems that 26^8 passwords valid for 30 seconds is quite acceptable, but if the security margin turns out to be unsatisfactory (or valuable tips on improving this scheme appear on Habr), we will expand it, for example, to 10 characters.

    Learn more about the strength of such passwords

    In fact, for case-insensitive Latin letters the number of options per character is 26; for uppercase and lowercase Latin letters plus digits it is 26+26+10 = 62. Then log_62(26^10) ≈ 7.9, that is, a password of 10 random lowercase Latin letters is almost as strong as a password of 8 random characters drawn from uppercase and lowercase letters and digits. This is certainly enough for 30 seconds. An 8-character password of Latin letters has strength log_62(26^8) ≈ 6.3, that is, a little more than a 6-character password of uppercase and lowercase letters and digits. We think this is still acceptable for a 30-second window.
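    The generator described above (two parts of the secret mixed into an HMAC key, the 30-second time step signed, the output rendered as 8 Latin letters) together with the strength comparison, as an added illustration in Python. This is not Yandex.Key's real code: the SHA-256 mixing step, the 8-byte big-endian counter encoding and the base-26 rendering are assumptions, and `verify_password` is an assumed server-side check that the post does not spell out.

```python
import hashlib
import hmac
import math

# Illustrative reconstruction of the scheme the post describes; NOT Yandex.Key's
# real code. Assumed details: the two halves of the secret are mixed with
# SHA-256, the HMAC uses SHA-256 over an 8-byte big-endian step counter, and
# the digest is rendered as base-26 lowercase Latin letters.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # 26 case-insensitive Latin letters
STEP_SECONDS = 30                        # the password changes every 30 seconds
PASSWORD_LEN = 8                         # current choice in the post; 10 is the fallback


def derive_key(stored_part: bytes, user_part: str) -> bytes:
    """Mix the part kept on the phone with the part the user types (the PIN).

    Neither half alone is the HMAC key: the phone is the possession factor and
    the PIN in the user's head is the knowledge factor.
    """
    return hashlib.sha256(stored_part + b"|" + user_part.encode("utf-8")).digest()


def password_from_key(key: bytes, now: float, length: int = PASSWORD_LEN) -> str:
    """Sign the 30-second step containing `now` and render it as letters."""
    step = int(now) // STEP_SECONDS
    digest = hmac.new(key, step.to_bytes(8, "big"), hashlib.sha256).digest()
    # Render the 256-bit HMAC output as `length` base-26 letters. The bias from
    # 2**256 not being a multiple of 26**length is negligible.
    value = int.from_bytes(digest, "big")
    letters = []
    for _ in range(length):
        value, idx = divmod(value, len(ALPHABET))
        letters.append(ALPHABET[idx])
    return "".join(letters)


def one_time_password(stored_part: bytes, user_part: str, now: float) -> str:
    """What the phone app does: mix the secret halves, then sign the time step.

    The app does not validate the PIN; a wrong PIN simply yields a different
    (wrong) password, exactly as the help text says.
    """
    return password_from_key(derive_key(stored_part, user_part), now)


def verify_password(key: bytes, candidate: str, now: float, window: int = 1) -> bool:
    """Assumed server-side check: the server holds the same derived key and
    accepts the password for the current step or +/- `window` steps of drift."""
    if len(candidate) != PASSWORD_LEN:
        return False
    for skew in range(-window, window + 1):
        expected = password_from_key(key, now + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def equivalent_length(length: int, alphabet_size: int,
                      target_alphabet_size: int = 62) -> float:
    """log_target(alphabet_size ** length): how many characters of a
    `target_alphabet_size`-symbol alphabet give the same number of combinations
    as `length` characters of an `alphabet_size`-symbol alphabet."""
    return length * math.log(alphabet_size) / math.log(target_alphabet_size)


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    phone_secret = b"constructed-secret-stored-on-phone"
    pin = "1234"
    now = 1_700_000_000
    server_key = derive_key(phone_secret, pin)  # learned at enrollment
    otp = one_time_password(phone_secret, pin, now)
    print("one-time password:", otp)
    print("verifies:", verify_password(server_key, otp, now))
    print("wrong PIN verifies:",
          verify_password(server_key, one_time_password(phone_secret, "4321", now), now))
    print("10 lowercase letters ~ %.1f chars of [A-Za-z0-9]" % equivalent_length(10, 26))
    print("8 lowercase letters ~ %.1f chars of [A-Za-z0-9]" % equivalent_length(8, 26))
```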

    Magic, passwordlessness, applications and next steps

    In general, we could have stopped there, but we wanted to make the system even more convenient. When a person has a smartphone in his hand, he doesn’t want to enter the password from the keyboard!

    That's why we started working on the “magic login”. With this authentication method, the user launches the application on their smartphone, enters their PIN code into it and scans the QR code on their computer screen. If the PIN code is entered correctly, the page in the browser is reloaded and the user is authenticated. Magic!

    How does it work?

    The QR code contains the session number, and when the application scans it, this number is sent to the server together with the username and a password generated in the usual way. This is not difficult, because the smartphone is almost always online. JavaScript running on the page that shows the QR code waits for the server's response to the password check for this session. If the server responds that the password is correct, session cookies are set with the response and the user is considered authenticated.
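    The exchange just described, as an added simulation in Python (not Yandex's server code): the browser obtains a QR session id, the phone submits the id together with the login and one-time password, and the page polls until the server has decided. Assumed details: the QR code carries only an opaque session id, the `verify_otp(login, password)` callback stands in for Passport's password check, and a QR session expires after `SESSION_TTL` seconds.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added simulation of the "magic login" exchange; not Yandex's code. Assumed:
# the QR code encodes only an opaque session id, verify_otp stands in for the
# real one-time-password check, and a QR session lives SESSION_TTL seconds.

SESSION_TTL = 120.0


@dataclass
class QrSession:
    created: float
    state: str = "pending"        # pending -> authenticated | rejected | expired
    login: Optional[str] = None


class MagicLoginServer:
    def __init__(self, verify_otp: Callable[[str, str], bool]):
        self._verify_otp = verify_otp
        self._sessions: Dict[str, QrSession] = {}

    # Browser side: the login page requests a QR code and receives an
    # unguessable session id, which is all the QR code encodes.
    def new_qr_session(self, now: float) -> str:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = QrSession(created=now)
        return sid

    # Phone side: Yandex.Key scans the QR code and sends the session id, the
    # username and a freshly generated one-time password over its own Internet
    # connection. The (possibly compromised) browser never sees the password.
    def submit_from_phone(self, sid: str, login: str, password: str,
                          now: float) -> str:
        session = self._sessions.get(sid)
        if session is None:
            return "unknown-session"
        if session.state == "pending" and now - session.created > SESSION_TTL:
            session.state = "expired"
        if session.state != "pending":
            return session.state          # a session id can be claimed only once
        if self._verify_otp(login, password):
            session.login = login
            session.state = "authenticated"
        else:
            session.state = "rejected"    # e.g. a wrong PIN entered in Yandex.Key
        return session.state

    # Browser side: JavaScript on the QR page polls this until the server has
    # decided. Only a successful decision carries a session cookie, and the QR
    # session is consumed so the same id cannot hand out a second cookie.
    def poll(self, sid: str, now: float) -> dict:
        session = self._sessions.get(sid)
        if session is None:
            return {"status": "unknown-session"}
        if session.state == "pending" and now - session.created > SESSION_TTL:
            session.state = "expired"
        if session.state == "authenticated":
            del self._sessions[sid]
            return {"status": "authenticated", "login": session.login,
                    "set_cookie": secrets.token_urlsafe(24)}
        return {"status": session.state}


if __name__ == "__main__":
    # Constructed stand-in for the real password check.
    server = MagicLoginServer(lambda login, pw: login == "alice" and pw == "abcdefgh")
    sid = server.new_qr_session(now=1000.0)
    print("browser polls:", server.poll(sid, 1001.0))
    print("phone submits:", server.submit_from_phone(sid, "alice", "abcdefgh", 1002.0))
    print("browser polls:", server.poll(sid, 1003.0))
    print("browser polls again:", server.poll(sid, 1004.0))
```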

    It got better, but we decided not to stop here either. Starting with the iPhone 5S, Apple phones and tablets have a Touch ID fingerprint scanner, and since iOS 8 third-party applications can also use it. The application does not actually gain access to the fingerprint, but if the fingerprint is correct, an additional Keychain section becomes available to the application. We took advantage of this. The second part of the secret, the one the user entered from the keyboard in the previous scenario, is placed in a Touch ID-protected Keychain record. When the Keychain is unlocked, the two parts of the secret are mixed, and then the process works as described above.

    But for the user it has become incredibly convenient: he opens the application, places his finger on the sensor, scans the QR code on the screen and finds himself authenticated in the browser on his computer! Thus we replaced the knowledge factor with a biometric one and, from the user's point of view, abandoned passwords altogether. We are sure that ordinary people will find this scheme much more convenient than manually entering two passwords.

    It is debatable whether this technically counts as two-factor authentication, but in reality you still need to have the phone and the correct fingerprint to complete it, so we believe we have been quite successful in eliminating the knowledge factor and replacing it with biometrics. We understand that we rely on the security of the ARM TrustZone underlying the iOS Secure Enclave, and we believe that this subsystem can currently be considered trusted within our threat model. Of course, we are aware of the problems with biometric authentication: a fingerprint is not a password and cannot be replaced if compromised. But, on the other hand, everyone knows that security is inversely proportional to convenience, and the user himself has the right to choose the ratio of the two that is acceptable to him.

    Let me remind you that this is still a beta. For now, when two-factor authentication is enabled, we temporarily disable password synchronization in Yandex Browser. This is due to the way the password database is encrypted. We are working on a convenient way to authenticate the Browser in the case of 2FA. All other Yandex functionality works as before.

    This is what we got. It seems to have turned out well, but you be the judge. We will be glad to hear your feedback and recommendations, and we will continue to work on improving the security of our services: now, among other things, we have two-factor authentication. Do not forget that authentication services and OTP generation applications are critical, and therefore a double bonus is paid for errors found in them under the Bug Bounty program.


    Attention. Applications developed in Yandex require a one-time password - even correctly created application passwords will not work.

    1. Login using QR code
    2. Transfer of Yandex.Key
    3. Master password
    4. How one-time passwords depend on precise time

    Login to a Yandex service or application

    You can enter a one-time password in any form of authorization on Yandex or in applications developed by Yandex.

    Note.

    You must enter the one-time password while it is displayed in the application. If there is too little time left before the update, just wait for the new password.

    To get a one-time password, launch Yandex.Key and enter the PIN code that you specified when setting up two-factor authentication. The application will start generating passwords every 30 seconds.

    Yandex.Key does not check the PIN code you entered and generates one-time passwords, even if you entered your PIN code incorrectly. In this case, the created passwords also turn out to be incorrect and you will not be able to log in with them. To enter the correct PIN, just exit the application and launch it again.

    Features of one-time passwords:

    Login using QR code

    Some services (for example, the Yandex home page, Passport and Mail) allow you to log into Yandex by simply pointing the camera at the QR code. At the same time, your mobile device must be connected to the Internet so that Yandex.Key can contact the authorization server.

      Click on the QR code icon in your browser.

      If there is no such icon in the login form, it means that you can only log in to this service using a password. In this case, you can log in using the QR code in Passport and then go to the service you need.

      Enter your PIN code in Yandex.Key and click Login using QR code.

      Point your device's camera at the QR code displayed in the browser.

    Yandex.Key will recognize the QR code and send your login and one-time password to Yandex.Passport. If they pass the verification, you are automatically logged in to the browser. If the transmitted password is incorrect (for example, because you entered the PIN code incorrectly in Yandex.Key), the browser will display a standard message about the incorrect password.

    Logging in with a Yandex account to a third-party application or website

    Applications or sites that need access to your data on Yandex sometimes require you to enter a password to log into your account. In such cases, one-time passwords will not work - you need to create a separate application password for each such application.

    Attention. Only one-time passwords work in Yandex applications and services. Even if you create an application password, for example, for Yandex.Disk, you will not be able to log in with it.

    Transfer of Yandex.Key

    You can transfer the generation of one-time passwords to another device, or configure Yandex.Key on several devices at the same time. To do this, open the Access Control page and click the Replacing the device button.

    Several accounts in Yandex.Key

    The same Yandex.Key can be used for several accounts with one-time passwords. To add another account to the application, when setting up one-time passwords in step 3, click the icon in the application. In addition, you can add password generation to Yandex.Key for other services that support such two-factor authentication. Instructions for the most popular services are provided on the page about creating verification codes not for Yandex.

    To remove an account link to Yandex.Key, press and hold the corresponding portrait in the application until a cross appears to the right of it. When you click on the cross, the account linking to Yandex.Key will be deleted.

    Attention. If you delete an account for which one-time passwords are enabled, you will not be able to obtain a one-time password to log into Yandex. In this case, it will be necessary to restore access.

    Fingerprint instead of PIN code

    You can use your fingerprint instead of a PIN code on the following devices:

      smartphones running Android 6.0 or later with a fingerprint scanner;

      iPhone starting from model 5s;

      iPad starting with Air 2.

    Note.

    On iOS smartphones and tablets, the fingerprint can be bypassed by entering the device password. To protect against this, enable a master password or change the password to a more complex one: open the Settings app and select Touch ID & Passcode.

    To enable fingerprint verification:

    Master password

    To further protect your one-time passwords, create a master password: → Master Password.

    With a master password you can:

      make it so that instead of a fingerprint, you can only enter the Yandex.Key master password, and not the device lock code;

    Backup copy of Yandex.Key data

    You can create a backup copy of Yandex.Key data on the Yandex server so that you can restore it if you lose the phone or tablet with the application. The data of all accounts added to the Key at the time the copy is created is copied to the server. You cannot create more than one backup copy; each subsequent copy of the data for a specific phone number replaces the previous one.

    To retrieve data from a backup, you need to:

      have access to the phone number that you specified when creating it;

      remember the password you set to encrypt the backup.

    Attention. The backup copy contains only the logins and secrets necessary to generate one-time passwords. You must remember the PIN code that you set when you enabled one-time passwords on Yandex.

    It is not yet possible to delete a backup copy from the Yandex server. It will be deleted automatically if you do not use it within a year after creation.

    Creating a Backup

      Select an item Create a backup in the application settings.

      Enter the phone number to which the backup will be linked (for example, “71234567890” “380123456789”) and click Next.

      Yandex will send a confirmation code to the entered phone number. Once you receive the code, enter it in the application.

      Create a password that will encrypt the backup copy of your data. This password cannot be recovered, so make sure you don't forget or lose it.

      Enter the password you created twice and click Finish. Yandex.Key will encrypt the backup copy, send it to the Yandex server and notify you of the result.

    You can enable two-factor authentication in . You will need the Yandex.Key application, which can be installed on a mobile device based on iOS or Android. A device that does not support installing applications (for example, Amazon Kindle Fire) cannot be used.

    After you enable two-factor authentication:

      All Yandex applications, programs and services will require a one-time password. A one-time password will also be required when logging in using a social network and logging into your Mailbox for domains.

      You don't have to enter your login and password if you log into Yandex using a QR code.

      Third-party mobile applications, computer programs and mail collectors will need to use individual application passwords.

    Note. To transfer your account to another smartphone or tablet, open the page and click the button Replacing the device.

    The setup takes place in several steps. Two-factor authentication is enabled only after you click the button Complete setup at the last step.

    1. Step 2: Create a PIN
    2. Step 3. Set up Yandex.Key

    Step 1: Confirm your phone number

    If you have a phone number associated with your account, the browser will display that number and ask you to confirm or change it. If your current phone number is not linked to your account, you will need to link it, otherwise you will not be able to restore access to your account yourself.

    To link or confirm a number, request the code via SMS and enter it in the form. If the code is entered correctly, click the Confirm button to proceed to the next step.

    Step 2: Create a PIN

    Create and enter a four-digit PIN code for two-factor authentication.

    Attention. As with many bank cards, only you know the PIN code and you cannot change it. If you forget your PIN code, Yandex.Key will not be able to generate the correct one-time password, and you will only be able to restore access to your account with the help of support.

    Click the Create button to confirm the entered PIN code.


    Step 3. Set up Yandex.Key

    Yandex.Key is required to generate one-time passwords for your account. You can get the app link directly to your phone or install it from the App Store or Google Play.

    Note. Yandex.Key can request access to the camera in order to recognize QR codes when adding accounts or when authorizing using a QR code.

    Click the Add an account to the application button in Yandex.Key. Yandex.Key will turn on the camera to scan the QR code shown in the browser.

    If you can't read the QR code, click the Show secret key link in your browser, and in the application, the link for adding the account manually. In place of the QR code, the browser will display a sequence of characters that must be entered in the application.

    Having recognized the account, the application will ask for the PIN code that you created in the previous 2FA setup step.


    Step 4: Check your OTP

    To make sure everything is configured correctly, you need to enter a one-time password in the last step - two-factor authentication will only be enabled when you enter the correct password.

    To do this, in Yandex.Key you need to correctly enter the PIN code that you created in the second step. The application will show the one-time password. Enter it next to the Enable button and click this button.

    It is no coincidence that there are many tips on the Internet on how to protect your account from hacking, and perhaps the most popular of them is to use complex passwords and change them regularly. This is, of course, not bad, but constantly remembering new complex passwords can be quite tedious. Especially for those who are concerned about the security of their account, Yandex has launched a beta version of two-factor authentication. With it, the key to your account will be only in your hands. More precisely, in your smartphone.

    When logging in to Yandex, or any other site, you enter your username and password. The system checks whether the password matches the login and lets you in if everything is in order. But the password is only one verification factor. There are systems for which one factor is not enough. In addition to a password, they require, for example, a special code sent by SMS, or a USB key that must be inserted into the computer. These systems use two-factor or multi-factor authentication.

    For our two-factor authentication scheme, we created Yandex.Key, a mobile application for iOS and Android. It is enough to scan the QR code on the Yandex main page, in Passport or in the Mail authorization form with the application, and you will find yourself in your account.

    To use the Key, you need to enable two-factor authentication, install the application and link it to your account. Then you set a four-digit PIN code in the application. This code becomes one of the factors, part of the "secret" from which the algorithm creates one-time passwords. The second factor is stored in the smartphone. When you subsequently scan the QR code in the authorization form, the application sends your login and a one-time password to the Yandex servers. The server checks them and tells the page whether to let you in or not.

    When you can't scan the QR code, for example because your smartphone camera doesn't work or you have no Internet access, you can enter a one-time password manually. Entering the password in this case replaces scanning the QR code; the only difference is that the password is not sent to the servers automatically, and instead you enter it in the authorization form along with your login. A one-time password is valid for only 30 seconds. This is done so that it cannot be stolen from your computer (for example, by a program that records passwords entered into the browser).

    No one except you will be able to use the Key to log into your account, because when generating passwords the Key uses the PIN code that you came up with. Without the correct PIN code, the application will create incorrect passwords that will not work with your account. If you have an Apple smartphone or tablet with Touch ID, you can use a fingerprint instead of a PIN code.

    The two-factor authentication mechanism is another tool that helps make Yandex users' work on the Internet more secure. If you need additional protection for your account, it's time to lock it with Yandex.Key.
