Yahoo! Is taking a new tack in authentication with the implementation of on-demand passwords, which are texted to a mobile phone when a user needs them.
Yahoo! subscribers in the US can opt into the scheme via their security settings page in the account information section. Once a mobile phone is added to the account, a one-time password will be sent every time a login is required.
It’s sort of like two-factor authentication—without the first factor involved.
“We’ve all been there…you’re logging into your email and you panic because you’ve forgotten your password,” said Chris Stoner, Yahoo! director of product management, in a blog. “After racking your brain for what feels like hours, it finally comes to you. Phew! Today, we’re hoping to make that process less anxiety-inducing…You no longer have to memorize a difficult password to sign in to your account—what a relief!”
But not everyone agrees that the method boosts safety. Tim Erlin, director of product management and a security and IT risk strategist for Tripwire, pointed out that the method simply directs hackers’ efforts to intercepting text messages.
“While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages,” he noted in an email. “Malware on your phone could be used to grab those SMS messages, and then have full access to your account. On-demand passwords are also mutually exclusive with Yahoo’s two-step verification, so enabling them forces users to effectively downgrade security on their account.”
TK Keanini, CTO of Lancope, told Infosecurity that he agreed that users will need to pay more attention to mobile security.
“While only leveraging a single factor (something you have—your phone), the security of the system will depend on how secure that device remains over time,” he said. “We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual. It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream.”
Nonetheless, he applauded Yahoo! for thinking creatively.
“We need more innovation like this with authentication,” he said. “Passwords are just pieces of information and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo! knows that the most personal device on a person these days is their mobile phone. And let’s not stop here, let’s keep innovating even more techniques to raise the cost to our attackers.”