Yahoo recently introduced a new mechanism that lets users log in with temporary passwords sent to their smartphones. According to Yahoo, this is an attempt to simplify authentication for its services. It may look like a standard two-factor authentication system, the kind where you must enter a one-time code sent to your mobile device in addition to your static password, but it is not: Yahoo has offered that option for some time already.
The new log-in mechanism still relies on a single factor: access to the mobile phone number you register. Yahoo calls it on-demand passwords. Yahoo users (only those in the U.S. at the moment) can turn on the feature from the account security settings on the site. They will need to provide a phone number and then confirm that they have access to it by entering a verification code that Yahoo sends via SMS.
Once the feature is set up, you will see a “send my password” button in place of the traditional password field. Clicking it sends you a temporary four-character password. How does this compare with what we have been using all this time? The new system offers better security than static passwords (which can easily be stolen), but it is not as effective as two-factor authentication, because its security depends entirely on how secure the user’s phone is.
According to Director of Product Management at Tripwire Tim Erlin, “Two-factor authentication is more secure because it requires an attacker to compromise more than a single piece of information to be successful. While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages, and then have full access to your account.”
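To make the difference Erlin describes concrete, here is a small Python model of the two login flows. It is an added illustration, not Yahoo’s code and not from the article: the service, the user “alice”, her phone number, the five-minute code lifetime and the three-guess attempt cap are all constructed assumptions (the article gives only the four-character code length). In on-demand mode the SMS code is the only credential; in two-step mode the static password is checked first, so whoever can read the SMS still gets nowhere without it.

```python
import hashlib
import hmac
import secrets
import string
import time

# Constructed toy model (not Yahoo's implementation) of the two login modes:
#   on_demand: the only credential is a short code delivered by SMS.
#   two_step:  a static password AND an SMS code are both required.
CODE_ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 4          # the article: a temporary four-character password
CODE_TTL_SECONDS = 300   # assumed lifetime; the article does not give Yahoo's value
MAX_ATTEMPTS = 3         # assumed cap; 36**4 codes is tiny, so guessing must be throttled


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    """In-memory login service. sms_outbox stands in for the carrier network."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # username -> dict(salt, pw_hash, phone, mode)
        self.pending = {}      # username -> dict(code, expires, attempts)
        self.sms_outbox = []   # list of (phone, message)

    def register(self, username, password, phone, mode):
        if mode not in ("on_demand", "two_step"):
            raise ValueError("mode must be 'on_demand' or 'two_step'")
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt, "pw_hash": _hash_password(password, salt),
            "phone": phone, "mode": mode,
        }

    def request_code(self, username):
        """Step 1 of either flow: the 'send my password' button."""
        user = self.users[username]
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[username] = {
            "code": code, "expires": self.clock() + CODE_TTL_SECONDS, "attempts": 0,
        }
        self.sms_outbox.append((user["phone"], f"Your login code is {code}"))

    def _check_code(self, username, code):
        entry = self.pending.get(username)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(username, None)      # expired or never issued
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            self.pending.pop(username, None)      # too many guesses: invalidate
            return False
        if not hmac.compare_digest(entry["code"], code):
            return False
        self.pending.pop(username, None)          # single use
        return True

    def login(self, username, code, password=None):
        """Step 2. In two_step mode the static password is verified first,
        so a stolen SMS on its own does not open the account."""
        user = self.users.get(username)
        if user is None:
            return False
        if user["mode"] == "two_step":
            if password is None:
                return False
            candidate = _hash_password(password, user["salt"])
            if not hmac.compare_digest(user["pw_hash"], candidate):
                return False
        return self._check_code(username, code)


def simulate(mode):
    """Owner logs in, then someone who can only read the SMS tries."""
    svc = AuthService()
    svc.register("alice", "correct horse", "+15550100", mode)  # constructed sample user

    svc.request_code("alice")
    code = svc.sms_outbox[-1][1].split()[-1]
    owner_ok = svc.login("alice", code, password="correct horse")

    svc.request_code("alice")
    leaked = svc.sms_outbox[-1][1].split()[-1]   # malware or a lost phone exposes this
    sms_only_ok = svc.login("alice", leaked)     # no password known
    return owner_ok, sms_only_ok


if __name__ == "__main__":
    for m in ("on_demand", "two_step"):
        print(m, simulate(m))
```

Running it shows the asymmetry: `on_demand` returns `(True, True)`, because reading the SMS is the whole login, while `two_step` returns `(True, False)`. The expiry, single-use and attempt-cap checks are what any four-character code needs to be viable at all; the article does not say which of these Yahoo applies.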
Moreover, if your phone is lost or left unattended, it could be used to request a password for the owner’s Yahoo email account. Many recent incidents have shown that a person’s email account can be a gateway to further compromises, because it can be used to reset the passwords for that user’s accounts on other websites.
Researchers have been warning against static passwords for a while now, stating that they no longer provide sufficient protection for online accounts. That said, efforts to replace static passwords are usually a welcome change. It is still unclear how vulnerable Yahoo’s new system is, “but it can only be a good thing that a well-known brand in the technology field is seeking different ways to revamp the password,” states Chris Boyd, a malware intelligence analyst at Malwarebytes.
However, given the choice, Boyd would still pick two-factor over single-factor authentication every time. If you already have two-step verification enabled on your Yahoo account, it is better to stick with it rather than switch to the new option. The two systems appear to be incompatible with each other, and switching to on-demand passwords might downgrade your account security.
Despite the evident drawbacks of the new system, Principal Security Researcher at Bromium Jared DeMott says that “it is good to see Yahoo trying to address the password problem.” The real problem is that users will almost always choose the option that is required of them, “so if companies are serious about better login security, the default choice will need to be modified.”