I got an e-mail on one of my e-mail accounts this morning. Interestingly I only got it on one of our accounts, not the other three accounts that my wife and I have.
At first I thought it was phishing, but it appears that people who use certain e-mail clients (like Outlook) will have to reconfigure those clients for a "new password" (app password). Webmail doesn't appear to require the change.
The e-mail states:
Important: You must update your Rogers email account settings.
Protecting your data is as important to us as it is to you. Rogers is making several security upgrades and implementing a new authentication system to further protect you and your data.
Rogers requires you to update your email settings to continue using your email account.
It only takes a few minutes of your time to ensure you have uninterrupted access to your email.
There is a link as follows indicating the people who need to do this, as well as instructions on how to do it:
Please excuse me if this is discussed elsewhere. I did try searching and didn't find a thread on this specific topic.
I inquired with Rogers about when the personal password would cease to work with email clients and when we would HAVE to switch to using App passwords.
This is what I got in response:
There hasn't been a final date set out.
If there is one in the future, it will be communicated in email but for now, there is no hard date set.
Yes, I agree you keep your original password and use it to log into Rogers/Yahoo portal, your Rogers account and your webmail. Once that password is compromised then like you I assume that your app passwords can be compromised.
So somewhere down the road on some unknown date, people who are unaware of this change, or can't figure it out will be scurrying to deal with it.
I had concluded it wasn't in place yet because out of curiosity I went to a real old school email client - Pegasus - and was able to set up both POP and IMAP.
And I agree, about the only thing this creates is a strong password from what I can tell, unless, it is also registering the app or device with the server and does things like a new access to Google does where it says you have logged onto a new device or app, Outlook online does this too, Facebook as well, and all those three also use 2 level authorization if you choose to.
It appears that the Yahoo current model permits for 2 level authorization, and the ability to opt out of all of this model if desired, so why oh why are they going down their own direction. Any of us can create strong random passwords from the Internet, or with password programs. I don't get it.
I see nothing stronger in security here, except for maybe providing some unspoken device detection, and strong passwords. And forget about ever setting it to not remember password using this model, so given this, they should also be strongly advising us to put lock codes on our devices. Some of these older apps allow you to show the password, so someone who picks your device up while still unlocked, could just go in and grab the password.
Shake my head one more time.
So back to moving all my wife's email contacts from Yahoo and completing my own and saying bye bye to this insanity.
In my continued playing with this silliness.
I created a passkey, put it into my IMAP and it worked.
I then changed it back to my original password - it worked.
So guess most likely the information that at some point, it will just stop accepting old apps without the device app will happen.
Better have a lot of support on that day and days afterwards.
I did confirm though that although I could still receive POP on Pegasus, it wouldn't send smtp on the account. Go figure.
I think I am done with this testing
Appears that at the moment, it makes no difference whether we use the pass key or not.
Somewhere down the line we will probably be forced to. That is when the fun will begin for real for many people.
I have never received an email about this, yet it seems some have - wonder how they plan to notify everybody?
As I mentioned, I will continue to get everything off yahoo rogers email, shut them all down and not worry about this. I have nothing more to say on this one. I will watch what people learn. It is not an issue really for me, since my current apps are on the list of ok ones, and on PC, I go to my web mail generally, I will probably not be affected, just like to test changes so I can possibly help, but this one is really beyond me and I will see what happens when they fully implement. I use my Mail for Windows 10 from the windows store to archive copies of important email on my computer and its backup system.
Good luck everyone and let us know how it goes.
Could a moderator please check with Rogers staff and confirm that this is delayed, adjust the blog post to reflect what the answer may be.
This is going to be a disaster. Most people cannot identify what email client they use. A significant number of those don't even know they have an email password, let alone what it is. Someone set it up for them years ago, it's always worked, and they have no clue about anything.
And Rogers' bright idea is to send a sketchy-looking email expecting people to do this on their own?
Poorly done, Rogers. Poorly done.
Just dump Yahoo and move us to Microsoft already.
1. How is this not spam/phishing? The email I received today came from: firstname.lastname@example.org
2. The link in the email is: http://email.rogers.com/a/hBZEjvmB7RUsMB9bf2BCW5Iod8z/emailen
Looks illegitimate to me!!!
1. I get legitimate e-mails from this address at Rogers all the time regarding changes to my account - like changes to cable packages, cellphone offers, etc.
2. The link is different for everyone, however, it takes you to the following legitimate Rogers Support Page:
The other links in the e-mail regarding MyRogers, Support and Community Forums are also legit.
When you click on one of the (blue) links (like Member Centre or Webmail) in the support page with all the instructions, it takes you to an https (secure) connection.
3. My wife got her notice this morning and some other people have reported receiving similar notices. It looks like this is being rolled out slowly. I haven't bothered to make the recommended changes yet to see where this thread goes first. If you haven't received the e-mail and may be affected, you may wish to check your spam folder on your e-mail client or the spam folder in webmail in case it's there.
The support page explains who will be affected and not everyone is.
Thanks! I realize now that it is legit after going to rogers.com/email and seeing all the posts. I'm just extremely suspicious and never click on links I'm not sure about.
And that is a good policy. I was suspicious like you as evidenced by the phishing comment in post 1 of this thread, but I did further research as you did.
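For readers who want to repeat the link check discussed in the posts above, here is an added example; it is not part of any post in this thread and is not Rogers' own tooling. It assumes rogers.com is the domain the recipient expects, and the sample links marked "constructed" are made up for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domain the recipient expects this sender to use.
EXPECTED_DOMAINS = ("rogers.com",)


def check_link(url, expected=EXPECTED_DOMAINS):
    """Classify a link from an e-mail as 'ok', 'caution' or 'untrusted'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []

    # Accept the domain itself or a real subdomain. A substring test would
    # wrongly accept hosts such as email.rogers.com.login.example.
    on_domain = any(host == d or host.endswith("." + d) for d in expected)
    if not on_domain:
        reasons.append(f"host {host!r} is not under {', '.join(expected)}")

    # Text before '@' is login data, not the host, and can disguise a link.
    has_userinfo = parts.username is not None
    if has_userinfo:
        reasons.append("link carries userinfo before '@'")

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, so the first hop is not encrypted")

    if not on_domain or has_userinfo:
        return "untrusted", reasons
    return ("caution" if reasons else "ok"), reasons


def review(urls):
    """Return {url: verdict} for a batch of links."""
    return {u: check_link(u)[0] for u in urls}


if __name__ == "__main__":
    samples = [
        "http://email.rogers.com/a/hBZEjvmB7RUsMB9bf2BCW5Iod8z/emailen",  # from the thread
        "https://rogersmembercentre.com/rmcapp/remc.html#/signin",  # from the thread
        "https://email.rogers.com.login.example/a/emailen",  # constructed
        "https://rogers.com@login.example/email",  # constructed
    ]
    for url in samples:
        verdict, reasons = check_link(url)
        print(f"{verdict:9} {url}")
        for r in reasons:
            print(f"          - {r}")
```

The member centre address quoted in a later post comes back "untrusted" only because it sits on a different registrable domain, which this check cannot vouch for; an address like that has to be confirmed by reaching it from a page that is already trusted.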
From my little bit of understanding, it's the program or application manufacturers that are moving to OAuth and that Rogers/Yahoo is just trying to keep up with the changes. I may be wrong but that was what was told to me.
Brian: That might be what Rogers/Yahoo says but programs such as Windows Live Mail are no longer supported by Microsoft. So it is highly unlikely that M$ is moving to OAuth on an unsupported product.
Rogers obviously does not want customer feedback. This is a communication fiasco on their part - poorly communicated, no timeframe given, confusing info about SSL updates. They need to reissue their communication with full information rather than leaving it to the customer to figure out. Apparently once all is done you can revert to whatever password you'd like.
Am I the only person who had the following problem trying to create an App Password?
After logging on to my Rogers webmail, when I click on my "Account Info", it takes me to the following "rogersmembercentre" webpage: https://rogersmembercentre.com/rmcapp/remc.html#/signin
This takes me to a Welcome page that states:
"A new and easy way to manage your Rogers email account. Please login with your @rogers.com or @nl.rogers.com email address and password." When I sign in on this Welcome page with my Rogers Email and Password, I get the message, "We are sorry but the system is not available"
Another change I found
Yahoo settings are no longer available for Rogers/Yahoo email
If you go to email settings, if you want to work with your primary and secondary accounts, you will need to click on your Name and then click on account info
Where it will take you to the new Rogers member page where you can work with your primary and secondary accounts. You can add or delete accounts from the Manage email accounts section.
Depending upon which one of your emails you logged into, you will be able to do a limited set of tasks under account information.
This includes changing your personal information (first and last name and language)
Change your password
Set alternate contact information (a second email say from Google or whatever), plus your phone number (should be a mobile as it is used to send you texts) and is critical for the "authorized passwords" for devices as you may need to have verification messages sent to one or the other.
Clarification on SSL
In the earlier posts, it refers to a post from 2014 where it described how to set SSL on, although it uses the old pop.broadband.rogers.com and smtp.broadband.rogers.com and imap.broadband.rogers.com
and the related port numbers.
I am unsure why the posts from Rogers are talking about these, as the SSL has been required since 2014. There was an issue with expired security certificates earlier this year, that people had to deal with and the only place where this whole discussion comes into play is if you are setting up one of the "older" or unsupported email clients.
The requirement for the full user name as your email address email@example.com is also not new - Yahoo began requiring this earlier this year as well, as the same user name may exist with another provider using Yahoo services and so therefore, must have the domain address included.
Again, this is relevant only to new installs of email, and as far as I am aware, we all had to deal with these two issues earlier.
The PassKey Model
Interestingly, it seems that Rogers is using a slightly different verification process than if you set up a new yahoo account.
It looks more like a one time 2 stage authorization process, which probably is facilitating a one time setup of what has been described earlier as OAuth or Open Security authorization. There were risks in the early versions of scraping the masked password or passkey, but that is supposed to have been resolved in the latest version 2.
A funny one is what security experts are commenting about which is the new name for Yahoo and AOL, Oath, which they describe as a variation to the security protocol of OAuth, which they describe as laughable given the security holes that both companies have experienced. Probably not a great choice of name for people who are in the know. They continue to be a joke and their history persists with the new name chosen by Verizon.
Rogers has chosen to have their own web access, where you can neither turn off the PassKey or turn off or turn on 2 step authorization, so it would appear that there is no way but to do it the way they have presented it.
So yes, Rogers does have a role in this design - they have chosen to take a different approach than Yahoo.
Yahoo's use of the Pass Key sends an approval to another device, and it must be a cell phone (don't ask me what you would do if you don't have SMS - and before anyone says who doesn't, some people don't use text and wouldn't know what to do with it anyway - like my inlaws and others I know - they are just not interested. The cell phone is merely an emergency calling device).
But with the model from Yahoo, they will occasionally send you a new authorization for you to approve.
The details on how to handle the setup for old email clients are at http://communityforums.rogers.com/t5/How-To-Videos-Knowledge-Articles/How-To-Updating-your-Rogers-Ya...
But important missing information:
For some products like Outlook 2013 and 2016, there is a box under the remember password named -
The yahoo model for setup requires the box “Require logon using Secure Password Authentication (SPA)” to be checked as that is what makes the authentication process work with their 3rd party authentication server.
I wonder if Rogers has turned this off, although if it is, then they are only using what is really a two stage one time authorization with this password that is created in the member centre, not OAuth.
Could @RogersRoland please check on this requirement of the SPA box as Yahoo requires it in their implementation.
To complete, I will still say, this is yet another example of poor communication and implementation with Rogers technical changes related to security certificates - this is not the first time we have run into security certificate issues with Rogers website applications and related protocols in the last couple of years - online home voicemail, and one number come to mind immediately, but there have been others.
In addition, I still say "why has Rogers stayed with yahoo for so long?" It is not trusted by the industry in general, and maybe it will be better with Verizon.
As a final note, this will all be relatively easy with modern phones and their account setups, as long as you use the automated set up for Yahoo.
This notice got rolled out too soon as the member centre didn't go live until today, and then required me to go through another learning curve.
And by the way, why when we were told months ago that POP would no longer work, did it work when I set it up on an old Pegasus email client (from about 2004)?
Just one more mystery of Yahoo, its security models and subsequently the impact on the providers like Rogers, and most importantly on us.
There is certainly going to be a learning curve for those that have stayed with their older email clients, and even newer ones like outlook 2016 which is not exactly old.
The model is primarily designed for using web mail with clients that have been designed for modern phones, with what seems to be workarounds for older clients.
Ahh well, the challenge goes on.
I will leave it to others to write up and test the new model once they turn it on - whenever that will be.
Oh, and I just got my email today - does look just like a phishing email, that every major company no longer uses as a way to communicate. Why does Rogers continue to ignore its own advice around watching for phishing?
Why not on MyRogers, or our bill, or a phone blitz, (although that may be perceived as phishing too). Or why not Connected Rogers, or a pinned post on Facebook. Wonder if Twitter has posted this knowledge too?
Yes, definitely a communication mess for sure - come on Rogers, get your act together, please.
Think that we will all have to wait for this to roll out. Personally I think I would follow the steps provided. I have tested it on old software with the settings and the pass key and it worked but I was able to use regular password too.
This thing is such a mess I can't confidently explain any of this or even guess what is the best route until they turn it all on.
I wonder how well they have tested all this stuff. Testing has been a real sour point for me the last few years.
Will comment if I find anything that clarifies all this.
Only outstanding question is the accuracy authorization second on outlook 2013 and 2016. I don't have either so can't test and we won't know for sure until someone tests and if not live may not matter.
Yahoo and Rogers. Ugh.
My suggestion. Set up a Google or Outlook account and forward your mail there and set return address and gradually get off Rogers email. Then eventually just shut the yahoo accounts down.
Have been trying to figure out how to update my Rogers/Yahoo password on the Android Outlook APP. Instructions say to sign into account, change password and then re-synch phone. Great, which new password? Instructions say one is needed for each device used to access Rogers/Yahoo mail so I've generated one for my PC and one for my phone. NONE OF THIS MAKES ANY SENSE. I'm afraid of losing access to critical emails. Anyone have an answer???
2-Step Verification on Rogers Yahoo Mail does not work
I'm looking for multifactor verification for my rogers yahoo account. I saw this post here: http://communityforums.rogers.com/t5/Internet/2-Step-Verification-on-Rogers-Yahoo-Mail/m-p/356063#M3...
Unfortunately, even though it says your phone number is verified and authentication is enabled, it actually doesn't work and there is no 2nd authentication. I feel like this is a bigger security issue since it can lull people into a false sense of security since it claims it is enabled. I have logged into my email from multiple computers on different networks without ever being prompted for 2 factor authentication.
Am I correct that the change boils down to this:
YAHOO web mail & 'recent' iOS - nothing to do
Outlook... my current reasonably secure password that I can remember gets replaced by an impossible to remember ultra-long password that I will now have to store on the computer (I NEVER store passwords on the computer!).
And we now need a sep impossible to remember password for each device / account combo?
It doesn't surprise me that it would not be working.
The way things are set up by going to what used to be our account options in Yahoo, is now the new membership page, and there is no way to access 2 step authorization to turn it on or off, so I have to wonder if that link is even going anywhere anymore, or maybe it is put in and then it would have to be turned on.
No one from Rogers yet has been coming forward to say whether two step verification is still available or not.
And how you would change the phone number on your mobile, it would appear to be impossible as you can't get to it via member account settings anymore.
I am staying away from trying anything until this mess is cleared up.