Yahoo’s attempt to kill off passwords raises security concerns

Yahoo’s attempt to kill off passwords by introducing an on-demand one-time passcode option for its email services has raised security concerns

Yahoo’s attempt to kill off passwords by introducing an on-demand one-time passcode option for its email services has raised security concerns.

“We’re hoping to make that process [of logging in] less anxiety-inducing by introducing on-demand passwords,” said Yahoo director of product management Chris Stone in a blog post.

The announcement comes almost five months after Twitter announced plans to introduce a similar access mechanism for its users.

Yahoo’s on-demand passwords are sent by text to the user’s mobile phone, which means they no longer have to remember difficult passwords to sign into Yahoo email accounts.

Unlike the increasing popular two-factor systems that require a static username and password combination as well as a one-time passcode, the new Yahoo system relies on the on demand code alone.

The optional service is currently only available in the US, but Yahoo is expected to eventually roll out the service to its email subscribers around the world.

While some security industry representatives have praised Yahoo for innovating around authentication by taking steps to eliminate passwords, most have raised concerns that overall security is reduced.

“Yahoo’s announcement that it plans to eliminate passwords will be a huge step back in securing personal information,” said SecurEnvoy co-founder and technical director Andy Kemshall.

“First, at point of login, users expect and are used to instant access to their accounts, but with Yahoo adopting only one step of authentication this will make the email account less secure,” he said.

Mobile-based access "not a good thing"

Kemshall said not only will this require users to wait for a password to be sent by text, it is potentially “asking for trouble” considering the array of factors that can text messages.

“Users are likely to become frustrated and revert back to the old method of logging in,” he said.

Read more about password alternatives

Kemshall said a better approach would be to retain the username and password combination and to use one time pass codes that are pre-loaded and stored on the mobile phone.

However, other commentators have pointed out that mobile-based systems mean that if the mobile is lost or stolen, users will be unable to access their accounts.

Even worse, in the Yahoo one-time passcode scenario, whoever takes possession of the phone will be able to receive the codes necessary to access the mobile owner’s email account.

Vice-president of advanced security and governance at security firm Proofpoint, Kevin Epstein, said that while two-factor authentication has gained credibility in the industry, the model proposed by Yahoo is single-factor authentication that is tied to a device.

“It is unclear what would prevent anyone with possession of the user's email address and device from gaining immediate access to the user's email account,” he said.

Independent security consultant Graham Cluley believes that access to online accounts controlled only by who has access to a mobile is not a good thing.

“All an unauthorised user would need is your Yahoo username and their paws on your mobile, and depending on how you have configured your smartphone, someone may not even need to unlock your device to read the SMS message it has just received from Yahoo,” he wrote in a blog post.

Password management software 

According to Cluley, Yahoo should have instead promoted the use of password management software like LastPass, 1Password, and KeePass.

Password management software, he said, would make it unnecessary to remember passwords, but at the same time encourage stronger, unique passwords.

The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and hard to remember.

In 2012, security experts at UKFast warned that a tool for hackers capable of cracking nine billion passwords a second was available for as little as £400.

The Fast Identity Online (Fido) Alliance is a consortium of IT companies – including PayPal, Lenovo and Google – that hopes to revolutionise online authentication with an industry-supported standards-based open protocol.

In October 2014, Google launched a Fido-compliant USB security key to eliminate the reliance on mobile phones for its two-step verification service and sidestep hacker attempts to steal passcodes. 

The Fido protocol is designed to address the lack of interoperability among strong authentication technologies to reduce the reliance on usernames and passwords.

Previous attempts at introducing alternatives to passwords have failed because of the lack of an industry-wide standard, but pundits say Fido members may be big enough to make it happen.

Fido standards support a full range of authentication technologies, including biometrics, as well as further enabling existing technologies such as trusted platform modules, USB security tokens, embedded secure elements, smartcards and near-field communication.

In January 2015, a study by Visa revealed that the new generation of banking customers would rather use biometric security devices than PINs and passwords for authentication.

The study showed that 75% of 16 to 24-year-olds said they would have no problem using biometric security, with 69% expecting it to be faster and easier than a password or a PIN.

Read more on IT for telecoms and internet organisations