Naked Security

Yahoo slices your password out of login process, shows off end-to-end encryption

The result of snipping out passwords: one-factor authentication. Just make sure not to lose that phone!

Passwords have problems.

They need to be long and/or complex, people make up really bad ones (think pets’ names), recording and storing them incorrectly can cause problems, they’re often very easily cracked, and they get reused even though they really should be unique.

Two-factor authentication (2FA) doesn’t take away the pain of having to cook up a strong password, but at least it requires us to prove we are who we say we are in two different ways before we can log in or use a service, be it with a code sent via text message, one generated by an app like Google Authenticator, a PIN for our bank accounts or the like.

Yahoo’s trying a new approach. Basically, it’s guillotining 2FA and discarding the step of having to have a primary password to begin with.

Rather, its “on demand” passwords are going to rely solely on the second half of 2FA: namely, the one-use code sent to a mobile phone. Users will have to call up one of the codes every time they access Yahoo Mail.

Chris Stoner, Yahoo’s Director of Product Management, said that on-demand passwords should lift the onus of unique password creation and storage right off our shoulders:

We’ve all been there... you’re logging into your email and you panic because you’ve forgotten your password. After racking your brain for what feels like hours, it finally comes to you. Phew!

Today, we’re hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them. You no longer have to memorize a difficult password to sign in to your account - what a relief!

You can think of it more or less as one-step authentication.

When users who’ve opted for on-demand passwords sign in, they’ll see a “send my password” button instead of a traditional password text box.
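As an added illustration (not Yahoo's code), here is a minimal server-side model of the on-demand flow described above: the code texted to the phone is the only credential, so the server's whole job is to mint it, store only a hash of it, and enforce expiry, single use and a guess limit. The simulated SMS gateway, the five-minute lifetime and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the carrier: phone number -> last text message.
SENT_SMS = {}

CODE_TTL = 300        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5      # wrong guesses allowed before the code is voided (assumed)


def _digest(code: str) -> str:
    # Store only a hash so a dump of the pending-code table is not directly usable.
    return hashlib.sha256(code.encode()).hexdigest()


class OnDemandPasswords:
    """Possession of the phone is the single factor; no primary password exists."""

    def __init__(self, phone_book, clock=time.time):
        self.phone_book = phone_book    # username -> phone number
        self.clock = clock              # injectable for testing expiry
        self.pending = {}               # username -> [digest, expires_at, attempts]

    def send_code(self, username: str) -> None:
        """The 'send my password' button: mint a one-use code and text it."""
        code = f"{secrets.randbelow(10**8):08d}"          # 8 random digits
        self.pending[username] = [_digest(code), self.clock() + CODE_TTL, 0]
        SENT_SMS[self.phone_book[username]] = f"Your Yahoo code is {code}"

    def verify(self, username: str, code: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[username]      # expired or brute-forced: void it
            return False
        if not hmac.compare_digest(digest, _digest(code)):
            entry[2] += 1                   # count the wrong guess
            return False
        del self.pending[username]          # single use: burn it on success
        return True
```

Anyone able to read `SENT_SMS` for a given phone can log in as that user, which is exactly why the article's lock-screen concern matters.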

The new, optional sign-in has been available since Sunday for US users.

As many have pointed out, that “what a relief” Stoner envisioned is going to turn into less tranquil and far less printable words when Yahoo users lose their phone.

Yahoo does have recovery methods, enabling users to use other email accounts to regain access to their Yahoo accounts.

But while that should help in the event of a phone getting misplaced, it’s not going to help once that phone gets found, by a thief or somebody with bad intentions.

As it is, the phones don’t need to be unlocked for a thief/finder to see the on-demand codes come in, as they display at the top of screens. The only other thing a thief needs to get into a Yahoo account is the phone owner’s account name.

That’s where Yahoo’s existing two-step verification (2SV) looks a whole lot safer. With the primary password plus a second factor delivered via SMS, a thief or phone finder has to have not only the phone but also the account’s primary password.

But wait, there’s more!

Yahoo Mail doesn’t have a sterling reputation for security, but it’s been trying to turn that around in the past few years, by, for example, making SSL encryption the default for webmail, and by enabling HTTPS by default.

The next step in the evolution of Yahoo’s security standards, in addition to its new “on demand” passwords, is an end-to-end (e2e) encryption system.

Yahoo unveiled a working version of the system at South by Southwest (SXSW) on Sunday.

The company said in a post that at this point, it’s looking for input from the security industry on the work it’s done so far, and it’s aiming to get an e2e tool out for all users by the end of the year.

Here’s a video Yahoo showed at SXSW that shows what its “common sense solution to encryption” will look like in Yahoo Mail with a Chrome extension, comparing its method to the more traditional and harder-to-use approach of PGP encryption with GPGTools.

Yahoo released the code for the Yahoo-specific e2e encryption extension on GitHub.

The Chrome extension from Google, called End-to-End, is in alpha stage.

Yahoo CIO Alex Stamos says that now’s the time for e2e, particularly given users’ increased awareness of privacy threats:

Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online. There is a wide spectrum of use for e2e encryption, ranging from the straightforward (sharing tax forms with an accountant), to the potentially life-threatening (emailing in a country that does not respect freedom of expression). Wherever you land on the spectrum, we’ve heard you loud and clear: We’re building the best products to ensure a more secure user experience and overall digital ecosystem.


This may be good for those that have cell phones, but what about the ones that don’t have them, like me, and I don’t intend to get one as I have a very limited income.


I still think it’s a step in the right direction. Most readers of this blog use password managers or are meticulous at password selection and maintenance. It isn’t until you start to manage a 20,000+ user base that you realize your support staff spends a huge chunk of time on password issues. This isn’t a solution for high-security settings like bank transactions or classified networks, but for the 80/20 Pareto Principle, it’s “good enough”. Most of my users would welcome something like this implemented in Windows Active Directory.

A project I worked on for my PhD a few years ago (cheekily called ZeroFactorAuth) would send a one-time token to a user’s email, because we wanted to avoid forcing users to have an SMS device. Of course, this would not work if you’re trying to log in to email, naturally. But it worked quite well to log in to web applications at a university where we tested it.


Lisa wrote: “Yahoo Mail doesn’t have a sterling reputation for security, but it’s been trying to turn that around in the past few years, by, for example, making SSL encryption the default for webmail, and by enabling HTTPS by default.”

Well, yeah, sort of. If you are an AT&T customer (landline, VoIP, or cellular), and your Yahoo! account was historically a telco ISP (e.g., pacbell, bellsouth), then guess what? Your AT&T password and your Yahoo! password are the same. Change one and the other magically changes. A security breach at either Yahoo! or AT&T exposes you to both. Not so safe…


Lisa wrote: “Rather, its “on demand” passwords are going to rely solely on the second half of 2FA: namely, the one-use code sent to a mobile phone. Users will have to call up one of the codes every time they access Yahoo Mail.

“When users who’ve opted for on-demand passwords sign in, they’ll see a “send my password” button instead of a traditional password text box.”

Fortunately this is opt-in. Consider the following cases–obviously Yahoo didn’t:

1) You live, as I do, in a topological hole. No cellphone reception here in the middle of this metropolitan area, from any carrier. But I can walk 100 yards in any direction and get reception. Do I want to do this at 10 pm on a stormy night, to check email? No!

2) You take a week in the Caribbean/Mexico/Europe but don’t have international roaming. Too bad, no email for you.

Guess I won’t be opting into this service.


“Topographical hole,” I think you mean :-)

(You should get a femtocell.)


Right–topographical hole. I wanted to get a femtocell but one provider had excessive monthly charges and the other didn’t offer them at all.

I wouldn’t mind a one-time femtocell fee of, say, $US 150 or so but $US 20 per month in perpetuity is ridiculous.


It’s like the standing charge for a landline, except you have to provide your own landline to connect the femtocell to :-)


So, if I have your phone and it is not protected with a pin or password, then I automatically have access to your “secure” YAHOO email account.


Actually, a number of mobile apps seem to cache your password, or at least to keep you logged in indefinitely so that you rarely need to type in your password at all.

By using private mode (or auto clearing cookies in your browser) you can at least arrange what amounts to an implicit “forced logout” by simply exiting the browser, but with a dedicated mobile app you rely on the login/logout process built into that app.

It’s very convenient, for example, to be able to start Tweeting where you left off yesterday without the hassle of putting in a password…but it does make that lock screen PIN important anyway, with or without Yahoo’s changes.

