What is Yandex.Key. How to pay by QR code through the Yandex.Money application

Yandex.Key generates one-time passwords (OTP) to provide a more secure login to Yandex, Facebook, Google, GitHub, Dropbox, VKontakte and other services that support two-factor authentication (2FA). To log into Yandex services, you only need the one-time password created by the Key; for other services, a one-time password plus your usual one.

  • A few digits or a fingerprint. You don't need to come up with complex passwords to reliably protect your Yandex login. It is enough to remember 4 to 16 digits; from them Yandex.Key will derive a unique one-time password valid for less than a minute. If you don't want to enter your PIN, enable Touch ID in the Key settings and use your fingerprint.

  • Data protection. Yandex.Key additionally protects your account from hacking and theft of personal information: only you receive one-time passwords, on your own mobile device.

  • Simple connection. You can add accounts to the application manually, by retyping the data from the website of the service you are connecting, or automatically, by scanning the QR code shown there.

  • Work offline. Yandex.Key does not need the Internet to add accounts or to create one-time passwords. You don't even need SMS to get passwords.

  • Additional features. The Key can create six-digit and eight-digit passwords, depending on the requirements of the service. In addition, the Key supports different refresh periods for one-time passwords, not only 30 seconds (this depends on the service used).

  • Security standards. Yandex.Key is suitable for two-factor (or two-step) authentication on all services that support the RFC 6238 and RFC 4226 standards (except those that work only with SMS).

  • Backup. In case something happens to your device, you can create a backup copy of the Key data on the Yandex server. It's safe: each copy is encrypted with a password known only to its owner.

Read more on the help page: https://ya.cc/2fa

Reviews

  • Great app

    I have been using it for a long time, since the 5s. Now I don't see any problems on the Xs. I don't understand the feedback about the lack of adaptation. Moving from an old phone to a new one also goes fine.

  • Regular level updates

    As many people write: more than half of 2019 has passed, and there is still no adaptation for the X, XS, XR. And the guys are in no hurry to update. Why? There are no alternatives, so you still have to use what you have. But the lack of Face ID support is of course a wild disregard for users. The only reply is a brush-off: "updates are planned sometime, but we don't know when." The functionality is good and the service is terrible.

  • Decent functionality, terrible UI / UX

    Who even came up with this carousel of accounts... When there is no icon, two accounts cannot be distinguished, and it is uncomfortable to scroll back and forth.

  • Self-importance goes off the scale

    From Yuyuygyffhdsgbfddes

    Maybe Yandex should someday understand that people who put 2FA on their accounts are people who are rather concerned about the security of their data, and they are not ready to just hand over their phone number. Ironically, although the application itself can be used for third-party services (thanks to Yandex for the detailed explanation), using it for Yandex itself is impractical.

  • Does not work

    By wrghbqjwjqjqnqtktqjtj

  • iPhone X

    Why is there no adaptation for iPhone X ??

  • Does not work

    Does not work! I enter the issued password, but the site does not accept it! I entered it 200 times; it is useless. If you don't know how to do two-factor authentication, then don't meddle with it!

  • At the bottom

    The application has not been updated for 2 years. They have given up on it. There is no Face ID. Not optimized for notch screens. The interface does not change. In short, Yandex gave up.

  • Useless

    The application works separately, the Yandex.Money application works separately. Yandex.Money does not work with this application: neither with a PIN code (entered correctly), nor with a fingerprint. Time synchronized, the result does not change. Removed it as useless.

  • Not bad

    From Gordon Krants

    A good application, but the horizontal arrangement is extremely inconvenient :( I would like to see in future updates a vertical column with services and the ability to select an icon for each; otherwise it is hard to find the required code when you have several accounts on one service.

  • QR code cannot be read

    From Amir Gatin

    I could not set up the code on the iPhone 6. It doesn't read!

  • Does not work!!!

    It doesn't sign in either by QR code or by one-time password! This is a disaster!!!

  • Generates the wrong

    Incorrect one-time password! And I never changed the time on the device.

  • Not convenient to use

    Insanely awkward hu ...

  • Account

    Hello, I had a not very convenient situation... I changed my phone but did not make a backup, and as a result I lost all the access codes that were in the application; I spent a lot of time restoring everything... well, here's what I mean) make it so that you can create an account and everything is saved automatically... after all, it is terribly inconvenient, after adding a new password, to make a backup and send it to your phone, etc...

  • Why yours?

    From 79522370021784380H

    Why come up with another app when there is Authy? It bothers me that on the PC I have to set ~4 launchers as default, and now on the phone ~4 pieces of software for 2FA as well. Not convenient, even if the key is not 6 digits; but 2FA is 2FA, and not a login without a password. It's easier for me to type 6-8 digits than to enter a set of letters.

  • Couldn't sign in to my account

    Technical support helped

  • Face ID? No, have not heard

    No Face ID support. The application is stretched, as if it was made for the fourth iPhone. Yandex, is it really you?

  • Icons

    From another username sc

    I feel an acute shortage of icons for different services. You have made icons for the most popular ones, but unfortunately the application does not know about many other services. For example about mega, discord, EA origin, Ubisoft Uplay and that's just what I remembered right off the bat.

  • Disgusting

    Why make this app mandatory and then not maintain it? Where is the support for the iPhone X and newer? The application opens on half of the screen... It has been 2 years since I left Yandex for this reason. I thought it was a normal company, but in fact it's a complete joke.

  • Support ended

    Update it at least for new devices.

  • Didn't wait

    They have not updated the application for new devices.

  • Adaptation

    From luck5

    Please adapt the application for XR

  • Does not function correctly

    From Castor888

    After installing the application and enabling two-factor authentication, when I enter the PIN code it gives an error that the PIN code is incorrect.

  • Update

    From NIKOLAI

    I don’t understand how it was possible to make such a cool and advanced application in every sense, and then take it and abandon it. There is still no adaptation for the iPhone X! How can you keep such an important application for 2 years without updates?

  • Don't wait for updates

    There have been no updates for a year.. There is no support for the iPhone XR, XS. There is no support for Touch ID.. They cannot say when the update will be.. Yandex 🤦‍♂️

  • Terrible

    From JinMariachi

    I set it up on Android, everything was OK; I try to do it on an iPhone, it doesn't work; I log in again on Android, and it stopped working too! I try to restore: I entered everything, entered the code from the phone, and no, it is still not enough, "use the browser you work in more often".. can I also provide fingerprints? So much hassle just to log in to damn Yandex Music. Seriously, it's easier to create new accounts every time than to try to regain access. If you cannot do it properly, then don't do it at all.

  • Update already at last

    Looks disgusting on iPhone X.

  • Ergonomics did not like

    I read your article on Habr. Well done. But why is the interface and everything connected with it so awful, with such a mind and approach? Designed by people with predominantly technical skills. 8 letters in a row is also from the same series. Have the developers/designers themselves ever used this 2FA? Of course, memorizing 2x3 is easier. And 8 characters in a row is just brutal.

  • -

    From AndiZhdanov

    Works disgustingly, do something.

  • Horror!! I had a bunch of keys linked. I MADE A BACKUP.

    And after changing the phone, I restore from the backup and it says there is nothing!! How is that? Disgusting!!

  • thanks

    Cool application, but I wanted to be able to change the view of the list of accounts. When there are really many of them, the current view is not convenient. Please make a list !!)

  • Turbidity

    From Anton Grigoriev

    Difficult, especially changing your phone. Not adapted to half of the modern screens.

  • Update needed!

    Sometimes crashes at startup. Please update the app to support the latest iOS version and add a dark theme!!

  • The app is super!

    From George Efron

    Much more convenient than the Google app, but 4 stars for the lack of iPhone XS Max support.

Attention. Applications developed in Yandex require a one-time password - even correctly created application passwords will not work.

  1. Login with QR code
  2. Transferring Yandex.Key
  3. Master password
  4. How one-time passwords depend on the exact time

Login to the Yandex service or application

You can enter a one-time password in any form of authorization on Yandex or in applications developed by Yandex.

Note.

The one-time password must be entered while it is still displayed in the application. If too little time is left before the refresh, just wait for the next password.

To get a one-time password, launch Yandex.Key and enter the pin code that you set when setting up two-factor authentication. The app will start generating passwords every 30 seconds.

Yandex.Key does not verify the PIN code you enter: it generates one-time passwords even if the PIN code is wrong. In that case the generated passwords are also wrong and you will not be able to log in with them. To enter the correct PIN code, just quit the application and start it again.

Login with QR code

Some services (for example, the Yandex home page, Passport and Mail) allow you to log into Yandex by simply pointing the camera at the QR code. In this case, your mobile device must be connected to the Internet so that Yandex.Key can contact the authorization server.

    Click on the QR code icon in your browser.

    If there is no such icon in the login form, then on this service you can only log in with a password. In this case, you can log in using the QR code in Passport, and then go to the desired service.

    Enter the pin code in Yandex.Key and click Sign in with QR code.

    Point your device's camera at the QR code displayed in the browser.

Yandex.Key recognizes the QR code and sends your username and one-time password to Yandex.Passport. If they pass the check, you are automatically logged in in your browser. If the transmitted password turns out to be incorrect (for example, because you entered the PIN code incorrectly in Yandex.Key), the browser shows the standard incorrect-password message.

Login with a Yandex account to a third-party application or website

Applications or sites that need access to your data on Yandex sometimes require you to enter a password to log into your account. In such cases, one-time passwords will not work - you need to create a separate application password for each such application.

Attention. Only one-time passwords work in Yandex applications and services. Even if you create an application password, for example, for Yandex.Disk, you will not be able to log in with it.

Transferring Yandex.Key

You can transfer the generation of one-time passwords to another device, or configure Yandex.Key on several devices at the same time. To do this, open the Access Control page and click Replacing the device.

Several accounts in Yandex.Key

The same Yandex.Key can be used for multiple accounts with one-time passwords. To add another account to the application, when setting up one-time passwords in step 3, click the icon in the application. In addition, you can add password generation to Yandex.Key for other services that support such two-factor authentication. Instructions for the most popular services are given on the page about creating verification codes not for Yandex.

To remove the binding of an account to Yandex.Key, press and hold the corresponding portrait in the application until a cross appears to the right of it. When you click on the cross, the linking of your account to Yandex.Key will be removed.

Attention. If you delete an account for which one-time passwords are enabled, you will not be able to receive a one-time password to log into Yandex. In this case, it will be necessary to restore access.

Fingerprint instead of pin code

You can use your fingerprint instead of a pin code on the following devices:

    smartphones running Android 6.0 with a fingerprint scanner;

    iPhone from 5s;

    iPad starting from Air models 2.

Note.

On smartphones and tablets with iOS, the fingerprint check can be bypassed by entering the device passcode. To protect against this, turn on the master password or change the passcode to a more complex one: open the Settings app and select Touch ID & Passcode.

To enable fingerprint verification:

Master password

To further protect your one-time passwords, create a master password: → Master password.

With a master password, you can:

    make it possible to enter only the Yandex.Key master password instead of the fingerprint, and not the device lock code;

Yandex.Key data backup

You can create a backup copy of the Key data on the Yandex server so that you can restore it if you lose the phone or tablet with the application. The data of all accounts added to the Key at the time the copy is created is sent to the server. You cannot keep more than one backup copy: each subsequent copy for a given phone number replaces the previous one.

To get data from a backup, you need:

    have access to the phone number that you specified when creating it;

    remember the password you set to encrypt the backup.

Attention. Backup copy contains only the logins and secrets required to generate one-time passwords. You must remember the PIN code that you set when you enabled one-time passwords on Yandex.

It is not yet possible to delete a backup from the Yandex server. It will be removed automatically if you do not use it within a year after its creation.

Making a backup

    Select item Create a backup in the application settings.

    Enter the phone number to which the backup will be linked (for example, "71234567890" "380123456789") and click Next.

    Yandex will send a confirmation code to the entered phone number. Once you receive the code, enter it in the app.

    Create a password to encrypt the backup of your data. This password cannot be recovered, so make sure you don’t forget or lose it.

    Enter your password twice and click Finish. Yandex.Key will encrypt the backup, send it to the Yandex server and notify you when it is done.

The question of how to get a Yandex.Money emergency code without SMS arises in situations usually called force majeure. If you have lost a password you used regularly, for some reason do not receive the SMS with the one-time code, or cannot find the sheet with the printed codes, do not worry: it is exactly for such cases that the service provides an emergency option. You can request Yandex.Money emergency codes and complete the payment.

Money.yandex.ru passwords for all occasions

Not all users of the service know how wide its possibilities for handling money are. To use Yandex financial services, the following types of passwords are provided:

  • incoming to SMS;
  • QR codes relevant to applications;
  • character sets used in emergency situations.

We will consider the latter in more detail. Do not confuse them with the usual digits you expect by SMS to complete a transfer of funds. They also behave somewhat differently from the now-fashionable QR passwords that can be scanned with the device's camera.

What you need to know about emergency codes

So, what are emergency codes in Yandex.Money, how do you get them, and why are they needed? Everyone knows the situation: you urgently want to withdraw part of the funds from the wallet, you have filled in all the required fields, but cannot complete the process because the SMS does not arrive. Most often this happens in roaming. Another variant of the problem is a dead phone with the application installed. In both cases, without an emergency code, the user could not make a payment in Yandex.Money. Codes of this type differ from QR codes and act in the same way as regular one-time codes: whatever operation you perform, they let you complete it.

Instructions for obtaining an emergency code

Everyone knows how to receive a standard code or a QR code. You can just as simply order an emergency set of codes. The only difference is the reason for the request: the user cannot withdraw the amount because it is impossible to enter the requested digits in the last window.

If you find yourself in a similar situation, the algorithm of your actions should be as follows:

  1. Find the link "Get Emergency Code".
  2. Enter the password (one-time).
  3. Print out the code sheet.

Attention: even if your computer has a modern protection system against viruses and intrusions by unauthorized persons, never save the codes on it. After printing, delete the file immediately.


Some users are sure that the received codes must be used in a strict sequence. In fact, you can use them in any order.

It happens that the resulting page is accidentally closed or lost. That is fine: request new codes exactly as described above. If unauthorized persons suddenly get hold of the sheet with the codes, order new codes without delay to protect your money. As soon as you do, the old codes become invalid and useless. The Yandex.Money security service does everything to protect customer funds; the customer's task is to be vigilant and help it in this difficult job.

It is hard to find anyone on the Internet who has not heard at least something about QR codes. With the growing popularity of the network in recent decades, users needed different ways of passing data to each other... A QR code is simply a "carrier" of the information the user has encoded in it. But the question is different: how do you decode such codes and get what is in them?

If earlier the user had to look for special applications that decode a QR code, now nothing but an Internet connection is required. Below we look at 3 ways to scan and decode QR codes online.

Method 1: IMGonline

This site is one big toolbox with everything for working with images: processing, resizing, and so on. And, of course, it has the QR code processor we are interested in, which lets us adjust the image for recognition as we please.

To scan an image of interest, follow these steps:


Method 2: Decode it!

Unlike the previous site, this one is entirely devoted to helping users decode a huge variety of data, from ASCII characters to MD5 files. It has a rather minimalistic design that allows it to be used on mobile devices, but it lacks any other functions that would help with decoding QR codes.

To decode a QR code on this site, you need to do the following:


Method 3: Foxtools

In terms of the number of functions and capabilities, the Foxtools online service is very similar to the previous site, but it also has its own advantages. For example, it can read a QR code from a link to an image, so there is no need to save the image to your computer, which is very convenient.

To read the QR code in this online service, you need to do the following:


The online services above have a number of positive features, but they also have drawbacks. Each method is good in its own way, but they hardly complement each other, unless you use the sites from different devices and for different purposes.

Rarely does a post on the Yandex blog, especially one related to security, go without mentioning two-factor authentication. We thought for a long time about how to properly strengthen the protection of user accounts, and in such a way that a user could use it without all the inconveniences of today's most common implementations. And they are, alas, inconvenient. According to some reports, on many large sites the proportion of users who have enabled additional authentication does not exceed 0.1%.

This seems to be because the common two-factor authentication scheme is too complex and inconvenient. We tried to come up with a way that would be more convenient without losing the level of protection, and today we present it in beta.

Hopefully it will become more widespread. For our part, we are ready to work on its improvement and subsequent standardization.

After enabling two-factor authentication in Passport, you will need to install the Yandex.Key application from the App Store or Google Play. QR codes have appeared in the login form on the Yandex home page, in Mail and in Passport. To sign in to your account you just scan the QR code with the application, and that's it. If you cannot scan the QR code, for example because the smartphone camera does not work or there is no Internet access, the application creates a one-time password that is valid for only 30 seconds.

I'll explain why we decided not to use "standard" mechanisms such as RFC 6238 or RFC 4226. How do common two-factor authentication schemes work? They are two-step. The first step is the usual username-and-password authentication. If it succeeds, the site checks whether it "likes" this user session or not, and if it doesn't, it asks the user to "re-authenticate". There are two common methods for this second step: sending an SMS to the phone number associated with the account, and generating a second password on a smartphone, usually TOTP according to RFC 6238. If the user enters the second password correctly, the session is considered fully authenticated; if not, the session also loses its "preliminary" authentication.

Both methods, sending an SMS and generating a password, prove possession of the phone and are therefore ownership factors. The password entered in the first step is a knowledge factor. So this authentication scheme is not only two-step but also two-factor.

What seemed to us problematic in this scheme?

Let's start with the fact that the average user's computer cannot always be called a model of security: disabled Windows updates, a pirated antivirus without current signatures, software of dubious origin; none of this raises the level of protection. In our opinion, compromising the user's computer is the most widespread way of "hijacking" accounts (there was recently one more confirmation of this), and that is what we want to protect against first of all. In two-step authentication, if we assume that the user's computer is compromised, entering the password on it compromises the password itself, that is, the first factor. The attacker then only has to find the second factor. In common RFC 6238 implementations the second factor is 6 decimal digits (the maximum allowed by the specification is 8). According to the brute-force calculator for OTP, an attacker who somehow knows the first factor can pick the second one in three days. It is unclear what a service can put against this attack without disrupting the normal user experience; the only available proof-of-work is a captcha, which in our opinion is a last resort.

The second problem is the lack of transparency in the service's judgment about the quality of the user session and its decision about the need for "re-authentication". Worse, the service has no interest in making this process transparent, because security by obscurity actually works here: if the attacker knows what the service bases its decision about the legitimacy of a session on, he can try to forge that data. From general considerations we can conclude that the judgment is based on the user's authentication history, taking into account the IP address (and the autonomous system number derived from it, which identifies the provider, and the location from a geo database) and browser data such as the User-Agent header and the set of cookies, Flash LSOs and HTML local storage. This means that an attacker who controls the user's computer can not only steal all the necessary data but also use the victim's IP address. Moreover, if the decision is based on the ASN, then any authentication from the public Wi-Fi in a coffee shop can "poison" (from the security point of view) or mark as trusted (from the service's point of view) that coffee shop's provider, and with it, for example, every coffee shop in the city. We have written about how our anomaly detection system works, and it could be applied here, but the time between the first and second steps of authentication may not be enough for a confident judgment about an anomaly. The same argument also destroys the idea of "trusted" computers: an attacker can steal any information that affects the trust judgment.

Finally, two-step authentication is simply inconvenient: our usability studies show that nothing annoys users as much as an intermediate screen, additional button presses and other actions that are "unimportant" from their point of view.

Based on this, we decided that authentication should be one-step and that the password space should be much larger than "pure" RFC 6238 allows. At the same time, we wanted to keep the authentication two-factor as far as possible.

Multi-factor authentication is defined by assigning the authentication elements (which are in fact called factors) to one of three categories:

  1. Knowledge factors (these are traditional passwords, pin codes and everything that looks like them);
  2. Ownership factors (in the used OTP schemes, as a rule, this is a smartphone, but it can also be a hardware token);
  3. Biometric factors (fingerprint is the most common now, although someone will remember the episode with the hero of Wesley Snipes in the movie Demolition Man).

Development of our system

When we started tackling the problem of two-factor authentication (the first pages of the corporate wiki on the subject date back to 2012, but it was discussed behind the scenes before that), the first idea was to take the standard authentication methods and apply them ourselves. We understood that we cannot expect millions of our users to buy a hardware token, so that option was set aside for some exotic cases (although we do not abandon it completely; perhaps we will come up with something interesting). The SMS method could not be mass-market either: it is a very unreliable delivery method (at the most crucial moment, an SMS may be delayed or not arrive at all), and sending SMS costs money (and operators have begun to raise their prices). We decided that SMS is the lot of banks and other low-tech companies, and that we wanted to offer our users something more convenient. In the end the choice was small: use the smartphone and a program on it as the second factor.

This form of one-step authentication is widespread: the user remembers the pin code (first factor), has a hardware or software (in a smartphone) token that generates OTP (second factor). In the password input field, he enters the pin code and the current OTP value.

In our opinion, the main drawback of this scheme is the same as for two-step authentication: if we assume that the user's desktop is compromised, a single entry of the PIN code discloses it, and the attacker only has to find the second factor.

We decided to go the other way: the password is entirely generated from the secret, but only part of the secret is stored in the smartphone, and part is entered by the user every time the password is generated. Thus, the smartphone itself is a factor of ownership, and the password remains in the user's head and is a factor of knowledge.

The nonce can be either a counter or the current time. We chose the current time: this way we need not fear desynchronization if someone generates too many passwords and advances the counter.

So, we have a smartphone program where the user enters his part of the secret, it is mixed with the stored part, the result is used as the HMAC key, which signs the current time, rounded to 30 seconds. The HMAC output is made human readable, and voila - here's the one-time password!

As mentioned, RFC 4226 suggests truncating the HMAC output to at most 8 decimal digits. We decided that a password of this size is unsuitable for one-step authentication and should be larger. At the same time, we wanted to preserve ease of use (recall that we want a system that ordinary people will use, not just security geeks), so as a compromise the current version of the system truncates to 8 characters of the Latin alphabet. It seems that 26^8 passwords valid for 30 seconds is quite acceptable, but if the security margin does not satisfy us (or valuable tips on improving the scheme appear on Habr), we will expand it, for example, to 10 characters.

Learn more about the strength of such passwords

Indeed, for case-insensitive Latin letters there are 26 options per character; for upper- and lower-case Latin letters plus digits there are 26 + 26 + 10 = 62. Then $\log_{62}(26^{10}) \approx 7.9$, that is, a password of 10 random lower-case Latin letters is almost as strong as a password of 8 random characters drawn from upper- and lower-case letters and digits. This is certainly enough for a 30-second window. For an 8-character password of Latin letters, the strength is $\log_{62}(26^{8}) \approx 6.3$, that is, a little more than a 6-character password of upper- and lower-case letters and digits. We think this is still acceptable for a window of 30 seconds.

Magic, passwordlessness, applications and the way forward

In general, we could have stopped at this, but we wanted to make the system even more convenient. When a person has a smartphone in his hand, he doesn't want to enter the password from the keyboard!

Therefore, we started work on the "magic login". With this authentication method, the user launches the application on the smartphone, enters his PIN code into it and scans the QR code on his computer screen. If the PIN code is entered correctly, the page in the browser is reloaded and the user is authenticated. Magic!

How does it work?

The session id is embedded in the QR code, and when the application scans it, this id is sent to the server together with the username and the password generated in the usual way. This is not hard, because the smartphone is almost always online. JavaScript on the page that shows the QR code waits for the server's verdict on password verification for that session. If the server answers that the password is correct, a session cookie is set with the response and the user is considered authenticated.
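The split-secret generator described above (a PIN mixed with a part kept on the phone, an HMAC over the time rounded to 30 seconds, truncation to 8 Latin letters) and the QR-session exchange in this section, as an added example that is not Yandex's code: the phone produces the password, the server verifies it with a one-slot window, and the magic-login server hands the browser a cookie only after the phone has submitted a valid password for that session id. The hash (SHA-256), the mixing step, the base-26 encoding, the verification window and every name and key here are assumptions; the server is assumed to hold the full mixed key.

```python
import hashlib
import hmac
import math
import secrets
import struct
import time

# Constructed example, not Yandex's code. The post fixes only: key = the typed
# part mixed with the part stored on the phone; HMAC input = the current time
# rounded to 30 s; output cut to 8 Latin letters. Assumed here: SHA-256 as the
# HMAC hash, SHA-256 of the concatenation as the "mixing", base-26 encoding of
# the first 8 MAC bytes, and a +/-1 slot verification window.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
STEP = 30       # password lifetime in seconds
LENGTH = 8      # letters per password


def mix_secret(stored_part: bytes, pin: str) -> bytes:
    """Phone side: combine the half kept on the phone with the half the user types."""
    return hashlib.sha256(stored_part + pin.encode("utf-8")).digest()


def otp_from_key(key: bytes, now: float, step: int = STEP, length: int = LENGTH) -> str:
    """HMAC over the 30-second counter, truncated to `length` lowercase letters."""
    counter = int(now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    # 64 bits of MAC output mapped onto 26^8 (~37.6-bit) values; the modulo bias
    # is about 2^-27 per value, negligible for a 30-second password.
    n = int.from_bytes(mac[:8], "big")
    letters = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        letters.append(ALPHABET[r])
    return "".join(letters)


def one_time_password(stored_part: bytes, pin: str, now: float) -> str:
    """What the phone shows. A wrong PIN is not detected: it just yields a useless password."""
    return otp_from_key(mix_secret(stored_part, pin), now)


def verify_otp(key: bytes, candidate: str, now: float, window: int = 1) -> bool:
    """Server side: accept the current slot and `window` slots either side (clock drift)."""
    for offset in range(-window, window + 1):
        expected = otp_from_key(key, now + offset * STEP)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` uniformly random symbols, for the post's 26-vs-62 comparison."""
    return length * math.log2(alphabet_size)


class MagicLoginServer:
    """QR ("magic") login: the browser shows a session id in a QR code, the phone
    posts login + OTP + session id, and the page's JavaScript polls for the verdict."""

    def __init__(self, keys: dict):
        self.keys = keys            # login -> mixed key (assumed server-side storage)
        self.pending = {}           # session id -> None, or the login once verified
        self.cookies = {}           # session cookie -> login

    def new_qr_session(self) -> str:
        sid = secrets.token_urlsafe(16)   # unguessable: it is the only link phone <-> browser
        self.pending[sid] = None
        return sid

    def submit_from_phone(self, sid: str, login: str, otp: str, now: float) -> bool:
        if self.pending.get(sid, "used") is not None:   # unknown, or already verified
            return False
        key = self.keys.get(login)
        if key is None or not verify_otp(key, otp, now):
            return False
        self.pending[sid] = login
        return True

    def poll_from_browser(self, sid: str):
        """Returns a session cookie once the phone has verified, else None.
        The QR session is single-use and is consumed on success."""
        login = self.pending.get(sid)
        if login is None:
            return None
        del self.pending[sid]
        cookie = secrets.token_urlsafe(32)
        self.cookies[cookie] = login
        return cookie


if __name__ == "__main__":
    stored = secrets.token_bytes(32)           # created at enrollment, stays on the phone
    key = mix_secret(stored, "1234")           # the server keeps only this mixed key
    server = MagicLoginServer({"alice": key})
    sid = server.new_qr_session()              # this id is what the on-screen QR code carries
    now = time.time()
    server.submit_from_phone(sid, "alice", one_time_password(stored, "1234", now), now)
    print("session cookie:", server.poll_from_browser(sid))
```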

It got better, but even here we decided not to stop. Starting with the iPhone 5S, Apple phones and tablets have the Touch ID fingerprint scanner, and from iOS 8 third-party applications can use it. The application does not get access to the fingerprint itself, but if the fingerprint is correct, an additional Keychain section becomes available to it. We took advantage of this: the second part of the secret, the one the user typed from the keyboard in the previous scheme, is placed in a Touch ID-protected Keychain entry. When the Keychain is unlocked, the two parts of the secret are mixed, and then the process works as described above.

For the user this has become incredibly convenient: he opens the application, puts his finger on the sensor, scans the QR code on the screen and is authenticated in the browser on the computer! So we replaced the knowledge factor with a biometric one and, from the user's point of view, abandoned passwords completely. We are sure that ordinary people will find such a scheme much more convenient than typing two passwords by hand.

One can debate how formally two-factor such authentication is, but in fact, to pass it successfully you still need to have the phone and the correct fingerprint, so we believe we have managed to abandon the knowledge factor completely, replacing it with biometrics. We understand that we rely on the ARM TrustZone security at the heart of the iOS Secure Enclave, and we believe that at present this subsystem can be considered trusted within our threat model. Of course, we are aware of the problems of biometric authentication: a fingerprint is not a password and cannot be replaced if compromised. But, on the other hand, everyone knows that security is inversely proportional to convenience, and the user has the right to choose an acceptable ratio of one to the other.

Let me remind you that this is still a beta. For now, when you enable two-factor authentication, we temporarily disable password synchronization in Yandex Browser. This is due to the way the encryption of the password database is arranged. We are already working on a convenient way to authenticate the Browser when 2FA is on. All other Yandex functionality works as before.

Here's what we got. It seems to have turned out well, but that is for you to judge. We will be glad to hear feedback and recommendations, and we will keep working on improving the security of our services: now, alongside CSP, encryption of mail transport and everything else, we have two-factor authentication. Keep in mind that authentication services and OTP-generating applications are critical, so the Bug Bounty reward for bugs found in them is doubled.
