I found that it is pretty easy to bypass 2-factor auth on Yahoo services. With 2-factor enabled, and access to the user’s passwords, there is a way to take over an account without 2-factor ever being contacted. This behavior is as designed, but I think the process could use some improvement.
On Yahoo’s help site it says “If someone other than yourself tries to access your account, even if they guess your password, they still wouldn’t be able to get in without using two-step verification.” – https://help.yahoo.com/kb/two-step-verification-sln5013.html
This statement is true if someone gains access to your Yahoo password, but completely untrue if they gain access to your backup email password.
The backup email address on file is the weak link to Yahoo 2-factor authentication.
If an attacker can gain access to the backup email on file, the attacker can take over a Yahoo account without the 2-factor ever being contacted.
I disclosed this to Yahoo 1 year ago through HackerOne. My suggestion was that Yahoo prompt for the second factor after the link in the password reset email is clicked, before the password can be changed.
How is this performed?
If an attacker gains access to a victim’s passwords, they can determine from the Yahoo lost password page what the backup email address is. Yahoo helps the attacker do this by partially revealing the backup email address on that page.
The attacker logs into the backup email on file. Then the attacker initiates a password reset to the backup email on file. An email arrives in the backup email account. The attacker clicks that link, changes the user’s Yahoo password, and gets full access into the Yahoo account without 2-factor ever being contacted!
How to prevent this?
The solution here is to make sure the backup email you have on file also has its own 2-factor authentication, so that it cannot be compromised and used as the path around the Yahoo second factor.
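To show the design change suggested above, here is an added example (not Yahoo's code) that models the password-reset flow twice: once as described in this post, where a reset link in the backup mailbox alone is enough, and once with the second factor required before the new password is accepted. The account data, TOTP code and backup address are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    password: str
    two_factor_enabled: bool
    backup_email: str
    totp_code: str = "123456"  # constructed stand-in for the user's second factor


@dataclass
class RecoveryService:
    """Password-reset flow; require_second_factor toggles the hardening."""
    accounts: Dict[str, Account]
    require_second_factor: bool
    tokens: Dict[str, str] = field(default_factory=dict)

    def request_reset(self, username: str) -> str:
        # In a real service this token is mailed to the backup address.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return token

    def complete_reset(self, token: str, new_password: str,
                       second_factor: Optional[str] = None) -> bool:
        username = self.tokens.pop(token, None)  # single-use token
        if username is None:
            return False
        acct = self.accounts[username]
        # Hardened flow: a reset link alone is not enough when 2FA is on.
        if self.require_second_factor and acct.two_factor_enabled:
            if second_factor is None or not hmac.compare_digest(second_factor, acct.totp_code):
                return False
        acct.password = new_password
        return True


def _fresh_service(require_second_factor: bool) -> RecoveryService:
    accounts = {"victim": Account("old-pw", True, "victim@backup.example")}
    return RecoveryService(accounts, require_second_factor)


def reset_with_backup_email_only(require_second_factor: bool) -> bool:
    """Someone holding only the backup mailbox: link clicked, no second factor."""
    svc = _fresh_service(require_second_factor)
    token = svc.request_reset("victim")  # link lands in the backup mailbox
    return svc.complete_reset(token, "new-pw")


def reset_with_second_factor() -> bool:
    """The legitimate owner completes the hardened flow with their code."""
    svc = _fresh_service(require_second_factor=True)
    token = svc.request_reset("victim")
    return svc.complete_reset(token, "new-pw", second_factor="123456")
```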