Secure Mail Key and AT&T/Yahoo

Email-related messages: Mail service provider announcements, general help, other
Post Reply
User avatar
Godiva
Posts: 183
Joined: Sat Mar 06, 2010 5:22 pm

Secure Mail Key and AT&T/Yahoo

Post by Godiva » Thu Oct 24, 2019 9:39 pm

I use AT&T's Yahoo for one of my email accounts. Recently I've been getting more and more 'warning' notices of an impending requirement to use either OAuth or a Secure Mail Key (neither seem to be required yet). For Pop Peeper, I am using OAuth, but I have older email clients that do not (and never will) support OAuth, so for those I guess I'll have to use a Secure Mail Key. The AT&T website steps you through creating a Secure Mail Key and giving it a name (not sure why the name is necessary).

My question is this: A Secure Mail Key seems to simply be a password, except that the AT&T website generates it, instead of my being able to create it with my own rules. Is that the only difference, or am I missing something?

If that's the only difference, why is it considered more secure (other than people possibly choosing stupidly simple passwords)?

As it stands now, my Secure Mail Key is actually less complex than the passwords I've created to access the account.

User avatar
lakrsrool
Moderator
Posts: 1360
Joined: Sun Jul 17, 2011 2:36 am

Re: Secure Mail Key and AT&T/Yahoo

Post by lakrsrool » Thu Oct 24, 2019 11:34 pm

I use an AT&T (yahoo) email account as well and am currently using the (if I recall correctly 16 digit) "Secure Mail Key" that AT&T generated for this account. I would presume for one thing that most users do not tend to use a PWD that size. Beyond that, as a result of doing this the account uses OAuth (which was previously not the case) and is therefore presumably considered more secure as a result.

That's my 2-cents as far what I'd assume is AT&T's perspective FWIW. :wink: (I have no idea what the purpose is regarding the required "name"). Oh and users do have the option to have AT&T generate a new "Secure Mail Key" at any time (which is obviously helpful in the event it might be forgotten).
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers

User avatar
Godiva
Posts: 183
Joined: Sat Mar 06, 2010 5:22 pm

Re: Secure Mail Key and AT&T/Yahoo

Post by Godiva » Fri Oct 25, 2019 5:23 am

While it may be around 16 characters (not just digits), as I said in my previous post, in my case the Secure Mail Key is actually shorter than my account password (because I use a password manager, my passwords are obnoxiously long). Also, the Secure Mail Key is used as an alternative to OAuth. As far as I can tell it can't be used in combination with OAuth.

So again I ask - is a Secure Mail Key simply a password generated by AT&T, but given a different name (maybe for marketing purposes)?

User avatar
Jeff
Admin / Developer
Posts: 8279
Joined: Sat Sep 08, 2001 9:46 pm

Re: Secure Mail Key and AT&T/Yahoo

Post by Jeff » Fri Oct 25, 2019 11:50 am

The purpose of using a "secure mail key" is so that if your email password is compromised, then the only thing that can be accessed with your password is your email, as opposed to accessing your main account, which could have much more compromising/sensitive information (e.g. access to bank/credit card information, even if just partial).

The idea behind naming it is so that you can have multiple passwords for different apps. e.g. maybe you want to have one password for POP Peeper and another password for a mobile app that you want to test. If you decide you don't want to use that mobile app (maybe you don't trust it), then you can disable/delete that password without having to affect POP Peeper's password.

And, yes, the concepts of Oauth and secure mail keys are completely different from each other.


There was someone who had problems setting OAuth2 up with their at&t email address. I assume that you're just using the default Yahoo servers (imap.mail.yahoo.com and smtp.mail.yahoo.com)? Is there anything else that you needed to do? What specific email domain do you have (e.g. @att.net)?

User avatar
Godiva
Posts: 183
Joined: Sat Mar 06, 2010 5:22 pm

Re: Secure Mail Key and AT&T/Yahoo

Post by Godiva » Fri Oct 25, 2019 12:23 pm

Actually, I'm not using OAuth for my AT&T/Yahoo account. I thought I had set it up about a month ago, but I just checked and discovered I hadn't finalized the setup. Then I again looked at the "Yahoo OpenID and OAuth Additional Terms of Service" https://policies.yahoo.com/us/en/yahoo/ ... /index.htm, and realized why: They seem to be denying all responsibility for the security of your email once you enable OAuth. So far now, I'm still using a normal password method to access the account, and I have a test account that successfully uses a Secure Mail Key. So if/when they finally eliminate the normal password, I'll be able to switch over to Secure Mail Key. If I ever become comfortable with the release required for OAuth, maybe I'll enable it (I do use OAuth for some non AT&T accounts, but those don't have contain anything I worry about being private).

I realize that OAuth is supposed to increase the security of an account, but all those disclaimers don't inspire me with a lot of confidence. Remember this is Yahoo, the company that had their system hacked twice and exposed all 3 billion of their accounts, but didn't report it for a couple of years (https://en.m.wikipedia.org/wiki/Yahoo!_data_breaches). I may just end up moving my email away from AT&T/Yahoo.

BTW, your explanation for why they have you name the Secure Mail Key doesn't apply to AT&T/Yahoo, because they only allow you to have one Key for each email address. So if you are using different programs/devices to access that same address, they all have to use the same Secure Mail Key.

User avatar
Jeff
Admin / Developer
Posts: 8279
Joined: Sat Sep 08, 2001 9:46 pm

Re: Secure Mail Key and AT&T/Yahoo

Post by Jeff » Fri Oct 25, 2019 3:14 pm

I am definitely not a lawyer, but I just read that TOS and I had a different takeaway on it than you did. The way I interpret it is just for the "use of OAuth" (and OpenID, but that's irrelevant). My interpretation of it is that it doesn't have anything to do with email specifically (that would be in a different TOS, and I'm guessing you've already accepted that; and I'm not suggesting that there definitively is a TOS that states we've given away all our rights, but I do recall there being a new TOS we had to accept when Oath [not be be confused with OAuth] took things over [which was after the breaches were public]). For example, if you download some rogue app and you enter your Yahoo login information into it in the guise of OAuth, then Yahoo is saying that you can't blame Yahoo.

Again, that's just my interpretation of it.

In my opinion, they have you either way -- if your account becomes compromised and you're using a regular old password, then they can say, "we gave you a more secure method to access our services, it's not our fault you didn't use it."

Godiva wrote:
Fri Oct 25, 2019 12:23 pm
BTW, your explanation for why they have you name the Secure Mail Key doesn't apply to AT&T/Yahoo, because they only allow you to have one Key for each email address. So if you are using different programs/devices to access that same address, they all have to use the same Secure Mail Key.
#-o Yeah, that does beg the question!

I looked into it for standard Yahoo, and they do allow you to create multiple keys (they're just called "app passwords" in Yahoo):
https://login.yahoo.com/account/security

Post Reply