4. Story – User Identity Lifecycle
Good
Mail
Sports
Flickr
Alerts
Sign-in
PC
Mobile
User Profile
Sign-up
Tablet
TV
Recovery
Bad
Mail
Frontpage
Sports
Flickr
Finance
Abuse
Spam
4
6. Architecture
User / Partner access points
PC
Web HTML
Mobile
Web HTML
Other Services
Mobile/PC
Apps
Metrics
Customer
Care App
Services / Libraries
CAPTCHA
Registration
Login
Acct Recovery
Reg Abuse
OpenID /
OAuth
Acct Mgmt
Anti-Phishing
Identity Mgmt
Log Collection
& Analysis
Acct State
Changer
Social Dir
Cred Store
Data Stores
UDB
Sherpa
GRID
6
27. Story – Abusive Sign-ups by Bots
1
3.0M daily sign-ups highest (Oct 2012)
2
1.6M daily sign-ups lowest (Feb 2013)
3
7X ($15 to $100) price increase per 1,000 accts (Jan 2013)
4
2.3M2 new Mail users per month remain 1 year later (6% ret. )
a
5
80K3 viable long-term users out of 1.6M daily new accts
“cat & mouse” tactics against abusive bots
a
Filter varying abusive signals and change anti-bot challenges
b
Verify mobile # based on “abuse score”
27
28. Sign-up Abuse Detection
90% of registration attempts see varying levels of anti-bot challenges"
Good
5%
Browser
• Browser type and version
• Plug-ins
• Window size
User
• Time spent on page
• Error rate
• CAPTCHA solve time
System
• IP address reputation
• Connection latency, bandwidth
• CPU speed
Reg Abuse
Score System"
95%
Bad
28
30. Price of Y! Account up 7X ($15 to $100)
Real-time abuse scoring
makes it more costly for
abusers to create Y! accts
Price increased from $15
to $100 per 1,000 Y!
accounts
30
31. Mail Account Count Monthly
Millions
Only 6% of Mail sign-ups remained active after 12 months
50
45
40
201112
YUID Count
35
201111
201110
30
201109
201108
25
201107
20
201106
201105
15
201104
10
201103
201102
5
201101
0
Usage Month
31
32. Mail Account Retention Over Time
Mail User Retention Over Time
120.0%
100.0%
100.0%
80.0%
60.0%
40.0%
18.5%
20.0%
12.1%
10.1%
8.9%
8.0%
7.5%
7.1%
6.8%
6.5%
6.5%
6.7%
6.2%
5.2%
M5
M6
M7
M8
M9
M10
M11
M12
M13
M14
0.0%
M1
M2
M3
M4
32
34. Summary – ID Reclamation
— Goal: reclaim inactive IDs @sign-up (Aug 7)
— 1.5 billion inactive IDs based on 12-month inactivity
— 2 joint solutions
— Increase daily inactive acct deletion (4M to 25+M)
— On Demand Account Reclamation (ODAR) @sign-up
— Action items
— Develop ODAR @Sign-Up
— Qualify “inactive or not” YID
— Give inactive YIDs to “legit” but not “bot” registration
— Support properties to handle ASC2 notifications
— Property to use GUID- or YUID-based data indexing
— Work with Mail, Mktg, PR, CRM, Legal/Policy on service
announcement & campaigns
34
35. ID Reclamation @Sign-up
Choose
‘joe1’
Choose
new ID
ID
exists?
yes
Got
‘joe1’
Create ‘joe1’ ID
(GUID2)
no
Reclaim
‘joe1’
Add
‘GUID2’
Properties
no
Delete
inactive ID
‘joe1’ (GUID1)
ID
inactive?
Remove
‘GUID1’
yes
yes
Abuse?
no
Notify property
of inactive ID
‘joe1’ (GUID1)
delete
ASC1
existing functions on Reg
new functions on Reg
35
36. To Dos – Membership
Dates
Actions
4/17
Email properties of “To Dos”
5/15
Tech Talks on Handling YID vs. GUID
5/31
Identify inactive accounts
• Migrate from YID- to GUID-based indexing for property data store
• Adopt Membership ASC listening client
• Accts not login in the past 12 months
• Email forwarding treated as “inactive” (premium - $19.99 / yr)
• Update existing “inactive accts” criteria (excl. ‘it’ INTL; Hotjobs)
6/15
Develop “On Demand Account Reclamation”
• API to check “inactive or not” YID for ID selection / suggest
• Anti-abuse to NOT give eligible inactive accts to bot registration
• Test end-to-end flows with selected properties (Mail)
8/7
Open “ODAR” registration to public
36
37. To Dos – Properties
Dates
Actions
5/31
Index data based on GUID or YUID (not YID)
• User data belonging to old YID ‘joe1’ (GUID1) should not be
accessible / linked to the new YID ‘joe1’ (GUID2)
Continue
doing
Handle existing ASC notifications
• Anonymize the deleted YID data – i.e. mask the YID if
exposed
• Remove unneeded data for the deleted YID – i.e., Y! Mail data
37
38. Account Segmentation
All (UDB)
3,154
Yahoo!
2,994
Partner
160
65 AT&T
Non-paid
2,617
64 Nokia
Premium1
377
15 BT
7 SKY
3.5 Rogers
Active
957
Inactive
1,5443
3 VZ
531 Profile
1 TNZ
30 Flickr
1 Frontier
7 Sports
0 MTS
To be del2
113
4 Taobao
4 Locdrop
855 no flag
38
40. “Fun” ID Facts
1
~334M1 (93%) @yahoo.com IDs
2
~18M (5%) @ymail.com IDs
3
~3.5M (1%) @rocketmail.com IDs
4
275M of 514M3 (53%) IDs (login last 180 days) have email
address (16% verified; 37% un-verified)
5
80M of 355M4 (21%) IDs (login last 90 days) have mobile
phone
40
41. Child Account COPPA Compliance
Parent
Email
parent consent
or close acct
Kid Reg w/
new consent
Kid Email
Kid Login
parent consent
or close acct
Parent Login
parent
consent
Parent COPPA
Consent or Close
Acct
download data
Kid Trap
close acct
before 7/1
consent
Confirmation
Data Download
Membership to-dos
Legal / Care to-do
41
45. KPIs: Facebook / Google Sign-in
Features
All (000)
Flickr (000)
Mobile (000)
1,056 (100%)1
96 (100%)
216 (100%)
UU returns from FB/G auth
493 (47%)
79 (82%)
82 (38%)
Existing UU signs in
345 (33%)
66 (69%)
43 (20%)
New UU lands on Mini Reg or Acct Bind
148 (14%)
13 (14%)
38 (18%)
New UU lands on Mini Reg
69 (6.5%)
11 (11.4%)
15 (7%)
New UU completes Mini Reg
47 (4.4%)
8 (8.4%)
12 (5.4%)
New UU lands on Acct Bind
79 (7.5%)
2 (2.1%)
23 (10.7%)
New UU completes Acct Bind
20 (1.9%)
0.7 (0.7%)
6 (3%)
UU clicks FB/G login CTA
1. (x%) represents the % of 100 users started remaining at each sequential step
45
46. Flickr App’s FB/Google Sign-in
FB / G
Login & Perms
New or
Return?
3PA API
Returning Users
New Users
Binding
Mini
Reg or
Bind?
Mini Reg
Mini Reg (BE)
Create new
hidden ID via
API
3PA API Update
New Users
Signed In
46
47. UX - FB / Google User Migration
FB / G
sign-in
CTA
#1
Migration
Interstitial –
“Return” vs
“New” User
CTAs
#2
#3a – New User
“Sign-up”
“New” user
Current Reg
#3b – New User
“Sign-in”
Return user
FB / G login
Current Login
New user
return
user?
Return user
bound to
“full” or
“hidden”
YID?
#3c – Return User
hidden YID
Mail
FP
Sports
Flickr
“YID Upgrade”
choose YID + pwd
#3d – Return User
“Sign in with YID”
or
full YID
‘skip for now’ (3 allowed)
47
49. No One is Un-Hackable
1
Twitter – 250,000 accts (Feb ‘13)
2
NY Times, Wall St. J, Washington Post –
reporters / employees ( Feb ‘13)
3
LinkedIn – 6,500,000 accts (Jun ‘12)
4
FB, Apple, MSFT – employee laptops hacked via
“water hole” phishing @iphonedevsdk.com (Feb ‘13)
5
Facebook, GMail, Hotmail, Yahoo! – frequent
user reports & anecdotes
49
Yahoo! Confidential and Proprietary
49
50. Hacking & Spam – How?
Steal
cookies or
passwords"
Got"
them"
Biggest “Hole”
No 2LC for
non-web apps
Spam"
XSS
(cookie)
Apps Login
Malware
(pwd)
Hacker
Mass Breach
(pwd)
Brute Force
(pwd)
Phishing
(pwd)
Mobile / PC
Web Login
Mail POP/
IMAP/SMTP
Smaller “hole”
needs to be
plugged too
My friends
complain
spam from
me? "
50
51. Story – ID Hacking
1
Stolen ID & password (bigger issue)
a
b
2
Vast % of accts hacked via stolen password - malware,
third-party compromise, brute force, phishing
Close loop holes – login API & Mail POP/IMAP/SMTP
Stolen login cookies (uncommon)
a
XSS exploits receive media attention but contribute to a
smaller % of accounts hacked
b
Prevent cookies stolen via XSS by issuing “httponly” login
cookies (T & F)
51
52. Account Hacking (Q1
Q2-Q4 2013)
Stolen password (bigger issue)
• 423K1 acct traps set daily
for password reset
• Web login is protected by
2nd login challenge
• Login API (incl. mobile) is
the “loophole” where
hackers are coming in
• Login cha. API + mobile – 4/30 & 5/15
• Mail POP/IMAP/SMTP - 5/27
• Trap for partner hacked accts - Apr
• Bcrypt encryption – Jul
• App specific password - Sep
• 2-factor auth mobile app – Nov
• Real-time “ML” detection – Nov
Stolen cookie (smaller issue)
• XSS exploits receives media
attention but results in smaller
% of accts compromised
• httponly flag in T / F cookies - 3/25
52
54. # of Identified Hacked IDs
1800000
1600000
1.7M+ compromised by
“Russian” hack
1400000
1200000
1000000
Mail anti-spam
detection update
caught more
800000
600000
400000
200000
0
54
55. Avg Monthly Traps for Hacked IDs
All trapped
450,000
400,000
350,000
300,000
250,000
All trapped
200,000
150,000
100,000
50,000
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
Mar
Cleared Rate
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
Cleared Rate
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Jan
Feb
Mar
55
77. Goals & Decisions Needed
Roadmap Goals
GA
Decisions Needed
Single Sign On (SSO)
- Sign-In, Sign-Up, Acct Recovery, APIs
Jun þ
§ YID Reclamation Launch
Aug
§ Simplify Sign-Up
Aug § Mobile Sign-Up
§ YID Only Sign-In
Nov § FB/Google EOL
§ Sign-Up Abuse Mitigation
May
Mobile 2nd Sign-In Challenge
May § Launch approval
COPPA Compliance
BCrypt Rollout
§ Confirm current
decisions
§ Birth date/gender
§ 1 or N accts per mobile
#
Jul þ
Jun þ
77
78. ID Reclamation
Goal
Reclaim inactive IDs @Sign-Up on Jul 1
What?
§ 3.1B accounts in UDB (as of 5/7)
§ 1.5B inactive accounts eligible for ID reclamation
§ Inactivity period reduced from 18 to 12 mos
§ Daily deletion from 10M to 50M starting 7/1
§ Mail forwarding treated as “inactive” (non-US only)
§ Mail forwarding in US available in Mail Plus ($19.99/yr)
Confirm
#1
§ Send PSA1 to account’s alternate email address (no mobile SMS)
Confirm
#2
§ Send PSA to 6 INTLs only – US, CA, AU, NZ, SG, IN
Confirm
#3
§ Accounts excluded from inactive deletion
Confirm
#4
§ Continue daily deletion @10M and then to @50M starting Jul 1
§ User reading PSA in Y! Mail would mean account is active
§ Per policy, notify impacted INTLs where Mail publicizes deletion policy of
“6 mos + 2 mos add’l for each year acct held” (i.e. >3-year old accts)
§ Exclude broadband accounts (160M)
§ Exclude paid accounts – Flickr Pro, Mail Plus, Small Biz, Commerce
(377M)
§ Exclude Flickr (30M)
78
79. Simplify Sign-up
Options
#1 Collect @Sign-In Trap #2 Collect @Sign-Up
What?
§ Simplify Reg - collect birth
date, gender, name @Sign-in
N days or Y logins later
§ Collect birth date, gender, name
@Sign-Up (Mobile & PC)
Pros
§ Sign-Up simplified (fewer
fields)
§ Immediate usage – ad target,
personalization, UH(name),
Flickr(bd/name), TW
eCommerce (bd/name/gender)
§ Wide user acceptance
§ COPPA1 upfront & simplified
Cons
§ Login hurdle / user
annoyance
§ Properties2 need own asking
§ Users <13 special handling
§ Potential user drop-off
To-Dos
§ New Supp Reg trap
§ Mobile Sign-Up re-work
79
80. YID Only Sign-in
Goal
Migrate FB/Google Users to Y! ID Paths
What?
§ Direct return users to (1) “Pick a Y! ID/pwd” or (2)
“Sign in with Y! ID”
§ Direct new users to (1) Y! Sign-up or (2) Y! Sign-in
§ Remove FB/Google sign-in CTAs from Sign-Up &
Sign-In
To-Dos
§ Launch migration paths on Jul 1
§ Work with properties (Homerun, GrandSlam) to
update in-property “Sign in FB” messaging / CTA
§ Work with Mktg / PR for broader messaging
§ EOL “Sign in FB/Google” CTAs
Confirmation
§ Start Jul 1
§ EOL
§ Oct 31 (4 months)
80
81. Migration of @ymail Domain
Options
#1 Migration Optional
#2 Migration Mandatory
What?
§ Continual support for
existing @ymail,
@rocketmail, @y7mail,
@kimo users
§ Migration to @yahoo.com1
optional
§ Migration to @yahoo.com1
mandatory
§ User owns existing & new
domains for X months
§ EOL “legacy” domains after
X
Pros
§ Users have choice
§ 1 single ID namespace
§ Standard @yahoo brand
Cons
§ Support for “legacy”
domains
§ User attrition
§ Negative user sentiments
To-Dos
§ Build migration flows
§ Multi-address support
§ Build migration flows
§ Multi-address support
§ EOL announcement
Status
§ Migration pending Mail’s assessment & LOE scope
§ 13M @ymail & 5.1M @rocketmail monthly active users
(Apr)
81
82. Migration Plan - @ymail Domain
— 600K DAUs represent 0.6% of 103M Mail DAUs
— $3M / year at stake since each DAU is worth $5
— Current UX proposal
— If same ID@yahoo.com available, auto provision ID to user
— If same ID@yahoo.com unavailable, prompt user for new ID
— Support @yahoo.com & @ymail.com for 6 months
Users
ymail
rocketmail
total
467,959
151,053
619,012
Active last 30
days
13,144,615
5,132,821
18,277,436
All active accts
61,252,203
37,339,610
98,591,813
Active daily
82
83. Sign-up Anti-Abuse via Mobile #
Options
#1 “1-to-1” Link
#2 “1-to-N” Link
What?
§ Allow same mobile # to be § Allow same mobile # to
linked to 1 account
be linked to N accounts
§ N = 3 (recommended)
Pros
§ Reduce abusive
registration
§ Enforce 1 acct per user
identity policy (Facebook)
§ Identify same person
owning multiple accounts
§ Support multi-accts
(Google)
Cons
§ Prohibit multi-account
policy
§ Proliferate YIDs in
@yahoo.com namespace
To-Dos
§ UX enforced
§ Legal/policy update to
align
§ SAME
83
84. Mobile 2nd Login Challenge
Goal
2nd Login Challenge (2LC) on mobile web
What?
§ By default, sign-in from new device AND new country
will require user to answer a security question or
verify via the mobile phone or alt email on account
§ If user opted in feature, challenge would trigger when
sign-in from new device alone
To-Dos
§ 04/29 Login API supports 2LC
§ 05/09 Mail IMAP/POP/SMTP auth migrates to Login
API
§ 05/15 2LC on mobile web login
§ 05/30 2LC in Accts SDK (native UX)
§ 05/30+ MEP drives Accts SDK across Daily Dozen
apps
§ Q3 – drive non-Y! apps (IMAP/POP clients) to handle
new API response or accept app-specific pwd
Confirmation § 05/15 launch on Y! mobile web login (non-native)
§ Iterate on mobile web UI to align with native 2LC UI
84
85. BCrypt Password Encryption
Goal
Deploy BCrypt hash for account password (Phase 1)
What?
• UDB access control to ‘PW/PWI’ key for properties (5/15)
• Mail migrates from RegAuth to Login API (5/10)
To-‐Dos
Apr
• 4/23 to 06/12 (Phase 1) – 150K accounts testing for BCrypt &
MD5 and then remove MD5
May
• 05/15 – Tools for BCrypt monitoring and reports
Jun
• 06/17 to 07/31 (Phase 2) – 100% users on BCrypt and then
remove MD5
Status
• þ On track
• Driving properties to migrate to new UDB access control of ‘PW/
PWI’ keys by 5/22 (don’t impact Membership timeline) 5/15
• Jay re-iterated to L2 (email) to comply by 5/15
85
86. Mobilize Membership UX
Goal
Implement Single Sign On (SSO) for Membership by Jun 30
What?
•
•
•
•
To-‐Dos
Apr
• 04/22 GA Acct Recovery web UX in Acct SDK (Homerun), Mail iOS
• 04/26 GA Flickr Forgot ID web UX
May
• 05/07 TBD GA Sign-Up web UX (GA deferred pending “birth date/
gender”)
• 05/08 Reg API integration ready for MEP implementation
• 05/17 Acct Recovery API integration ready for MEP
implementation
• Late May GA Reg API for mobile Reg (native)
Jun
• Early
Jun
GA
Acct
Recovery
API
for
mobile
Acct
Recovery
(na<ve)
Status
•
•
•
•
New
Acct
Recovery
&
Flickr
Forgot
ID
web
UX
New Sign-Up web UX
New Sign-Up API for native UX implementation
New
Acct
Recovery
API
for
na<ve
UX
implementa<on
þ On track
5/10
–
final
design
review
of
Sign-‐Up
&
Acct
Recovery
with
Adam
5/15 – final product review of Sign-Up & Acct Recovery with Adam
5/17
–
GA
before
Flickr’s
5/20
launch
86
87. Next Steps
— Simplify Sign-Up
—
—
—
—
Collect birth date & gender @Sign-Up vs. @Sign-in trap
Enforce 1 mobile # linking to 1 vs. N account(s)
Require SMS verification on mobile Sign-Up
Set GA for mobile Sign-Up (5/7 was internal GA)
— Yahoo! ID Reclamation on 7/1
— Set FB/Google Sign-In EOL Oct 31
— 2nd Login Challenge UX on mobile web browser
— Launch on 5/15
— Align web UI with native UI pending final design by MEP
— Drive native apps to adopt/deploy 2LC integration
87
89. SSO (1 of 2)
Goal (L2)
Implement Single Sign On (SSO) for Membership by Jun
30
Goals
(L3
&
L4)
• Deliver
Login
API
and
Creden<al
Mgmt
by
4/30
Owners
• Membership
(MBR):
Shouvick,
Andy
W
• Mobile
&
Emerging
Products
(MEP):
Kirk
L,
Gautam
G
Stakeholders
• MEP,
Daily
Dozen
Apps
Dependencies
• MEP
to
drive
its
Acct
SDK
adop<on
by
22
Daily
Dozen
apps
(11
iOS
/
11
Android)
Milestones
Apr
• 04/29
GA
(int1)
Login
API
for
SSO,
2nd
Login
Challenge
(2LC),
Supp
Reg,
an<-‐bot
May
• 05/30: MEP Acct SDK to enable 2LC UX using MBR API
Jun
• early-‐Jun:
MEP
Acct
SDK
to
enable
SSO
UX
using
MBR
API
Status
• MEP
implemen<ng
2LC
using
new
Login
API
• MEP committed Jun GA to deliver first 2LC & then SSO in its Acct SDK
Challenges
• MEP
to
define/drive
Acct
SDK
rollout aggressively for “Daily
Dozen”
apps
since
only
1
(Homerun)
of
22
apps
has
adopted
Acct
SDK
on
4/22.
Mail,
Sports,
Fantasy,
Flickr
next.
89
90. SSO (2 of 2)
Goal (L2)
Implement Single Sign On (SSO) for Membership by Jun 30
Goals
(L3
&
L4)
• Deliver
Acct
Recovery
&
Flickr
Forgot
ID
web
UX
in
Apr
&
API
in
Jun
• Deliver
Sign-‐Up
web
UX
&
API
in
May
Owners
• MBR:
Shouvick,
Andy
W;
MEP:
Kirk
Lieb,
Gautam
G
Stakeholders
• MEP,
Daily
Dozen
Apps
Dependencies
• MEP to drive its Acct SDK adoption by 22 Daily Dozen apps (11 iOS / 11 Android)
Milestones
Apr
• 04/22 GA Acct Recovery web UX in Acct SDK (Homerun), Mail iOS
• 04/26 GA Flickr Forgot ID web UX
May
• 05/07 GA (internal) Sign-Up web UX
• 05/08 Reg API integration ready for MEP; GA in late May
• 05/17 Acct Recovery API integration ready for MEP
Jun
• Early
Jun
-‐
Acct
Recovery
API
GA
Status
• Mobile
Sign-‐Up
public
GA
based
on
MEP’s
Acct
SDK
update
by
Homerun
• Will
need
to
collect
birth
date/gender
@Sign-‐Up
or
@Supp
Reg
trap
(MM
review
5/8)
• Asking
MEP
to
commit
GA
for
na<ve
Sign-‐Up
&
Acct
Recovery
UX
deliverables
(Fri
5/3)
Challenges
• Mobile Sign-Up web UX launch date TBD pending e-staff decision on DoB/gender
collection (Wed 5/8)
90
91. ID Reclamation
Goal (L2)
Reclaim inactive IDs on Registration Launch on Jul 1
Goals
(L3
&
L4)
• Identify eligible inactive accounts by 5/15
• Develop “On Demand Account Reclamation” on Reg by 7/1
Owners
• Membership:
Shouvick,
Andy
Wu
• SWAT:
PMM
(Rohit
&
Huong);
PR
(DJ
&
Kate);
Care
(Kieran);
Policy
(Sarah);
CRM
(Carolyn,
Kurt);
Mail
(Lovlesh)
Stakeholders
• All properties (Mail), UDB, Mktg, PR, Care, Policy, CRM
Dependencies
• Properties to use GUID/YUID based data indexing (NO YID based indexing)
Milestones
Apr
• Notify properties to use GUID/YUID based data indexing (to-date: no property impact)
May
• 05/03 daily account deletion increase from 4M to 15M (goal: 50M daily)
• 05/08 final inactive accounts crawl (12-months of inactivity, no email forwarding)
Jun
• 05/31 “On Demand Acct Reclamation” @Sign-Up ready for internal E2E testing
• 06/03 – 06/14 Email announcement to inactive accounts to “retain or lose” their YIDs
• 06/03 – 06/30 PR & Mktg phase 1 (yodel blog, media outreach)
Status
• Mktg/PR/Mail/Legal/Policy/CRM/Membership drafting service email, Mail account
deactivation policy update, PR campaign phase 1
• ODAR @Sign-Up development in-progress
Challenges
• þ On track as of Thu 5/2 SWAT team meeting
91
92. Simplify Sign-up
Goal
Simplify Registration (PC) with collection of 5 user data
Goals
(L3
&
L4)
• Simplify Reg with 5 user data collection – ID, pwd, mobile phone, Facebook, Twitter IDs
• Abuse mitigation
Owners
• Membership:
Shouvick,
Andy
Wu
Stakeholders
• Properties, Data/Insights, Ad Targeting, Marketing, Legal, Policy
Dependencies
• e-staff to evaluate the impacts of not collecting birth date and gender
Milestones
Apr
• PRD, UI mocks, Eng design & scope
• 5/2 GA remove @ymail, @rocketmail, @kimo (TW) & @y7mail (AU) email domains
May
• Development of simplified Reg
Jun
• Bucket test collection of Facebook ID as “required” vs. “optional”
• 6/30 launch simplified Reg flow
Status
• UX design & Eng design in-progress
Challenges
• Team to decide collecting birth date/gender @Sign-Up vs. @Sign-in trap wrt to (1) Ad
Targeting, (2) Analytics Reporting & Segmentation, (3) Personalization, (4) COPPA
Compliance
92
93. Migrate FB / Google Users to YID
Goal
Support YID only auth – migrate FB/Google account users to YID
Goals
(L3
&
L4)
• Develop PC and mobile migration flows for new & existing FB/Google auth’d users
Owners
• Membership:
Shouvick,
Andy
Wu
Stakeholders
• Homerun, Grand Slam, Flickr, MEP all current 3PA consuming properties
,
Dependencies
• Properties (Homerun, Grand Slam, Flickr) to update their own hosted FB/Google sign-in
CTAs (incl. contextual messaging to align with Membership’s migration flow) & remove
their own hosted FB/Google sign-in CTA at the end of the migration period (Oct 2013)
Milestones
Apr
• PRD, Eng scope
May
• UI mocks, Eng development
Jun
• 6/30 launch FB/Google migration flows
Nov
• EOL FB/Google sign-in
Status
• Advised Flickr on their 5/20 Android launch – route new FB/G users to Reg/Login while
continue signing in returning FB/G users until MBR migration available
• Provide 3PA & YID Upgrade APIs for native app migration
Challenges
• þ On track
93
94. Mobile 2nd Login Challenge
Goal (L2)
Provide 2nd Login Challenge API and UX across Y! apps
Goals
(L3
&
L4)
• Provide 2nd Login Challenge (2LC) API by 4/30
• Deliver 2nd Login Challenge (2LC) mobile web UX by 5/15
Owners
• MBR:
Shouvick,
Andy
W
• MEP: Kirk L, Gautam G; Mail: Shiv Shankar; Messenger: John Dunning
Stakeholders
• MEP Mail IMAP/POP Login API partners (Y! Messenger, RIM)
,
,
Dependencies
• MEP/mobile apps, Mail IMAP/POP client apps to integrate 2LC API or mobile web UX
,
Milestones
Apr
• 04/29 GA (internal1) Login API to support 2nd login challenge
May
• 05/09 Mail IMAP/POP/SMTP authentication migrate to Login API
• 05/15 GA mobile 2nd Login Challenge web UX
• 05/24 GA MEP Acct SDK to enable 2LC UX (native) using MBR Login API
Jun
• Drive adoption & rollout of 2LC across Y! apps (MEP IMAP/POP Messenger)
,
,
Status
• Working with MEP Mail, & Messenger teams to integrate 2LC within their apps
,
• MEP committed late May GA on 2LC within its Acct SDK
Challenges
• MEP to drive Daily Dozen apps to deploy MEP‘s Acct SDK with 2LC feature (60%
Android & 50% iOS)
• Mail IMAP/POP & Messenger to commit GA dates on adopting/deploying 2LC
94
95. COPPA Compliance
Goal
Enforce new COPPA compliance by Jul 1
Goals
(L3
&
L4)
• Develop COPPA Compliance - child instruction and parental consent trap
pages
Owners
• MBR:
Shouvick,
Andy
W
• Trust/Safety:
Leslie
Dunlap,
Megan
Cris<na
Stakeholders
• Trust/Safety (Leslie D, Megan C), Care, Legal, Privacy
Dependencies
• Trust/Safety to provide child trap instruction, COPPA consent &
confirmation text
• Trust/Safety (with Care) to provide “Data Download” online help page
Milestones
Apr
• 04/29 PRD & plan
May
• 05/15 Trust/Safety to email children & parents wrt the new COPPA
Compliance
Jun
• 05/31 GA child trap and parental COPPA consent pages
Status
• Dev in-progress
• UED design pending
Challenges
• þ On track -- Note 5/31 GA deadline is extremely aggressive
95
96. Bcrypt Password Encryption
Goal (L2)
Deploy Phase 1 of Project Fuku (Bcrypt) for Account Password
Goals
(L3
&
L4)
• Complete BCrypt functionality on Reg, Login, Acct Recovery services
• Deploy Phase 1 rollout across Yahoo! properties
Owners
• Membership:
Shouvick,
Ram
Kordale
Stakeholders
• UDB, Mail, AMT, PSI, and other properties
Dependencies
• UDB to manage access rights to ‘PW/PWI’ key for properties (target GA: 5/15)
• Mail to migrate from RegAuth to Login API (target GA: 5/10) – on track
Milestones
Apr
• 4/23 to 06/12 (Phase 1) – selected users for BCrypt & MD5 and then remove MD5
May
• 05/15 – Tools for BCrypt monitoring and reports
Jun
• 06/17 to 07/31 (Phase 2) – 100% users on BCrypt and then remove MD5
Status
• Phase 1 WIP - deployed 150K accts to Bcrypt and MD5
• Monitoring and reports scripts deployed - getting daily stats and reports
• Mail asking token login API to ignore SHF trapped accts for IMAP/POP clients
Challenges
• þ On track -- Driving properties to migrate to new UDB access rights (of ‘PW/PWI’
keys) by 5/15 is “yellow” – Jay re-iterated to L2 (email) to comply by 5/15.
96
