
Yahoo announces password-killing Account Key

Yahoo Account Key uses push notifications to provide a fast and secure way to access Yahoo accounts from a mobile device

Yahoo has announced a password-free way of signing into accounts to improve security and usability.


This means users will no longer have to remember complicated passwords and, at the same time, will benefit from increased security.

Yahoo Account Key is said to be more secure than a traditional password because once it is activated, even if hackers get access to account info, they will not be able to sign into accounts.  

Account Key is available globally for the new Yahoo Mail app, with other Yahoo apps to be added later in 2015.

The move comes seven months after Yahoo replaced traditional passwords with single-use SMS codes, which the company said was the first step towards a “password-free future”.

Account Key works by linking Yahoo accounts to a mobile device. When a user opens an account with the feature enabled and enters their username, Yahoo sends a push notification to the device, which can then be approved or denied with a single tap.
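To make the approve-or-deny flow described above concrete, here is an added example (not Yahoo's code, and not a description of how Account Key is actually built) that models a push-approval sign-in: the server issues a single-use, time-limited login request when the username is entered, the enrolled device answers it, and stale, replayed or wrong-device approvals are rejected. The device key and the HMAC-based approval tag are assumptions made for the model.

```python
import hmac
import secrets
import time


class PushLoginService:
    """Constructed model of a push-based passwordless sign-in (not Yahoo's implementation)."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.devices = {}   # username -> device key (assumed shared at enrolment)
        self.pending = {}   # request_id -> (username, expiry timestamp)

    def enrol_device(self, username):
        """Links one mobile device to the account; returns the key the device stores."""
        key = secrets.token_bytes(32)
        self.devices[username] = key
        return key

    def start_login(self, username, now=None):
        """Username entered on the sign-in page: mint one login request and 'push' it."""
        if username not in self.devices:
            return None
        now = time.time() if now is None else now
        request_id = secrets.token_hex(16)          # unguessable, single use
        self.pending[request_id] = (username, now + self.ttl)
        return request_id                           # payload of the push notification

    def deny_login(self, request_id):
        """User taps 'deny': the request is discarded and can never be approved."""
        self.pending.pop(request_id, None)

    def complete_login(self, request_id, approval_tag, now=None):
        """User tapped 'approve': accept only an unexpired, unused, correctly keyed tag."""
        now = time.time() if now is None else now
        entry = self.pending.pop(request_id, None)  # pop => a replayed id fails
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        expected = device_approve(self.devices[username], request_id)
        return hmac.compare_digest(expected, approval_tag)


def device_approve(device_key, request_id):
    """Runs on the phone: bind the approval to this exact login request."""
    return hmac.new(device_key, request_id.encode() + b"|approve", "sha256").digest()
```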

Yahoo’s initiative is aimed at introducing a second factor of authentication and eliminating the problem of forgotten passwords and the re-use of the same password for multiple accounts.

“Passwords are difficult to remember and secondary sign-in verification is inconvenient and confusing,” said Yahoo vice-president of product management Dylan Casey.

“We’re now taking a major leap towards a password-free future with the launch of Yahoo Account Key, which uses push notifications to give users simple and secure access using their mobile device,” he said.

Access control concerns

Despite usernames and passwords long being considered inadequate security mechanisms, some security commentators were critical of Yahoo’s switch to SMS codes.

The company’s latest scheme, aimed at killing off the password, is likely to come under similar criticism.

Commenting on Yahoo’s SMS codes, independent security consultant Graham Cluley said that controlling access to online accounts solely by who has possession of a mobile phone is not a good thing.

“All an unauthorised user would need is your Yahoo username and their paws on your mobile. Depending on how you have configured your smartphone, someone may not even need to unlock your device to read the SMS message it has just received from Yahoo,” he wrote in a blog post.

According to Cluley, Yahoo should have instead promoted the use of password management software such as LastPass, 1Password and KeePass.

Password management software, he said, would make it unnecessary to remember passwords, but at the same time encourage stronger, unique passwords.

The demise of the password

The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and harder to remember.

In 2012, security experts at UKFast warned that a tool for hackers capable of cracking nine billion passwords a second was available for as little as £400.

The Fast Identity Online (Fido) Alliance is a consortium of IT companies – including PayPal, Lenovo and Google – that hopes to revolutionise online authentication with an industry-supported standards-based open protocol.

In October 2014, Google launched a Fido-compliant USB security key to eliminate the reliance on mobile phones for its two-step verification service and sidestep hacker attempts to steal passcodes. 

The Fido protocol is designed to address the lack of interoperability among strong authentication technologies to reduce the reliance on usernames and passwords.

Previous attempts at introducing alternatives to passwords have failed because of the lack of an industry-wide standard, but pundits say Fido members may be big enough to make it happen.

Fido standards support a full range of authentication technologies, including biometrics, as well as further enabling existing technologies such as trusted platform modules, USB security tokens, embedded secure elements, smartcards and near-field communication.


Too bad it sounds like this is being rolled out only for the mobile app. Heck, I have trouble signing into Yahoo even on a computer. I use password management software, but even that is not perfect and definitely causes hassles. 
I'm all for dumping passwords, but this ain't it. IF my phone is in my pocket, IF it hasn't been cloned, it's still an awkward workaround that feels less secure than a good, long password. I hate to alarm Yahoo, but my phone hasn't (yet) been glued to my hand and I just want to get online r i g h t  NOW.....  
This might work, assuming you have your phone with you and its battery has some charge. But is it a real replacement?
What if, like me, you use your phone to browse the net and it gets stolen or cloned? It just transfers the master key to the most stolen/broken/drowned/lost/faulty/locked-up/hacked piece of tech we have and assumes everyone has a phone. I won't mention which phone, as a large number of those who have a moby don't just have one.
OMG, better alert the anti-terrorist authorities, I've got more than one phone so I'm either a terrorist or a drug dealer!!
I do not own a smartphone for a lot of reasons, and security is a biggie. I would never use my phone to pay for anything. Once the info is there "for your convenience" to pay for anything by waving your phone, you are at risk. I know of too many people that have lost or misplaced their phones (another good reason for backing up your phone data). I know companies are trying to make things easier for the masses, but they are also making it easier for the more scrupulous in the world. No thanks, I'll keep using my strong passwords and feel somewhat safer.
Nice to go back and read these types of posts again after they have had a major breach of their password system. Makes you think a bit more. Is there anything anyone is going to be able to do to prevent attacks?