Petition to require Yahoo! to revise its MultiFactor Authentication security
Petition to require Yahoo! to periodically remove MultiFactor Authentication phone numbers from email accounts.
Petition Summary and background:
This petition calls for what we consider to be a vital change to be made to the implementation of cellphone-based MultiFactor Authentication used by Yahoo! in their email authentication service.
As is commonly known, phone numbers are recycled: once a subscriber gives up a number, the carrier eventually reassigns it to a new customer. When that happens, a phone number still registered as a Yahoo! authentication number is handed to someone who is not the account holder.
This is a significant security flaw because Yahoo! does not require a user to know the account's email address to recover it; a phone number alone is enough.
The new owner of a recycled phone number can go to the Yahoo! Mail login, enter the phone number, and gain access to the previous owner's email without ever knowing the email address. Requiring the email address to be entered as well would close this gap.
Action petitioned for:
We, the undersigned, are concerned citizens who urge the CEO of Yahoo! to act now: to submit MultiFactor Authentication phone numbers to regular verification and pruning, and to require anyone using a phone verification key to also enter the email address, so that a recycled number cannot collide with an existing account and the previous owner's email cannot be accessed by someone else.
As an alternative, Yahoo! could deactivate all email accounts that have been inactive for 12 months, not only some of them. That would ensure that the new owner of a recycled phone number could not gain access to the previous owner's email without knowing the email address.
Signed: