Passwords have problems.
They need to be long and/or complex, people make up really bad ones (think pets’ names), recording and storing them incorrectly can cause problems, they’re often very easily cracked, and they get reused even though they really should be unique.
Two-factor authentication (2FA) doesn’t take away the pain of having to cook up a strong password, but at least it requires us to prove we are who we say we are in two different ways before we can log in or use a service, be it with a code sent via text message, one generated by an app like Google Authenticator, a PIN for our bank accounts or the like.
Yahoo’s trying a new approach. Basically, it’s guillotining 2FA and discarding the step of having to have a primary password to begin with.
Rather, its “on demand” passwords are going to rely solely on the second half of 2FA: namely, the one-use code sent to a mobile phone. Users will have to call up one of the codes every time they access Yahoo Mail.
Chris Stoner, Yahoo’s Director of Product Management, said that on-demand passwords should lift the onus of unique password creation and storage right off our shoulders:
We’ve all been there... you’re logging into your email and you panic because you’ve forgotten your password. After racking your brain for what feels like hours, it finally comes to you. Phew!
Today, we’re hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them. You no longer have to memorize a difficult password to sign in to your account - what a relief!
You can think of it more or less as one-step authentication.
When users who’ve opted for on-demand passwords sign in, they’ll see a “send my password” button instead of a traditional password text box.
The new, optional sign-in has been available since Sunday for US users.
As many have pointed out, that “what a relief” Stoner envisioned is going to turn into less tranquil and far less printable words when Yahoo users lose their phone.
Yahoo does have recovery methods, enabling users to use other email accounts to regain access to their Yahoo accounts.
But while that should help in the event of a phone getting misplaced, it’s not going to help once that phone gets found, by a thief or somebody with bad intentions.
As it is, the phones don’t need to be unlocked for a thief/finder to see the on-demand codes come in, as they display at the top of screens. The only other thing a thief needs to get in to a Yahoo account is the phone owner’s account name.
That’s where Yahoo’s 2SV looks a whole lot safer. Back to the primary password and the second factor delivered via SMS, and a thief or phone finder still has to have not only the phone but also the account’s primary password.
But wait, there’s more!
Yahoo Mail doesn’t have a sterling reputation for security, but it’s been trying to turn that around in the past few years, by, for example, making SSL encryption the default for webmail, and by enabling HTTPS by default.
The next step in the evolution of Yahoo’s security standards, in addition to its new “on demand” passwords, is an end-to-end (e2e) encryption system.
Yahoo unveiled a working version of the system at South by Southwest (SXSW) on Sunday.
The company said in a post that at this point, it’s looking for input from the security industry on the work it’s done so far, and it’s aiming to get an e2e tool out for all users by the end of the year.
Here’s a video Yahoo showed at SXSW that shows what its “common sense solution to encryption” will look like in Yahoo Mail with a Chrome extension, comparing its method to the more traditional, more difficult to use PGP encryption using GPGTools.
Yahoo released the code for the Yahoo-specific e2e encryption extension on GitHub.
The Chrome extension from Google, called End-to-End, is in alpha stage.
Yahoo CIO Alex Stamos says that now’s the time for e2e, particularly given users’ increased awareness of privacy threats:
Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online. There is a wide spectrum of use for e2e encryption, ranging from the straightforward (sharing tax forms with an accountant), to the potentially life-threatening (emailing in a country that does not respect freedom of expression). Wherever you land on the spectrum, we’ve heard you loud and clear: We’re building the best products to ensure a more secure user experience and overall digital ecosystem.