Last month Yahoo announced that it would reset accounts that had been inactive for more than a year, to free up usernames for new users to pick up. The company has started the ball rolling. Last Monday, all dormant Yahoo accounts were reset. Immediately after, the company opened a wish list where users can request the usernames they’d like to own, before the names are actually handed out. Users can request up to 5 usernames, in order of preference. If the first choice isn’t available, Yahoo will try one of the backups. Then in mid-August, users who filled in the wish list will get an email letting them know which of their picks is available, with a link to claim it within 48 hours.
You may remember, when the decision to reset accounts and make registered usernames once again available to the public was announced, I expressed concern over the issue of privacy and security. Yahoo attempts to minimize the damage by providing a way for e-commerce and social networking sites to identify whether the user is the new owner of a Yahoo username, or the previous owner.
Yahoo seeks to do this by allowing sites to “ask” for a new type of validation when sending an email to a specific Yahoo! user. The field, which is requested via an email header, is called “Require-Recipient-Valid-Since.”
If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail. Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the “last confirmed” date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.
Facebook will implement the new authentication method, so new owners of an old Yahoo username can’t possibly log into the previous owner’s Facebook account. Yahoo intends to partner with more sites so that they can adopt the new authentication method.