Yahoo wants to end your dependency on memorizing passwords — or creating crap ones that can be guessed or hacked — after it introduced a new “on-demand” system that sends a one-time password when you need to log in.
The new approach is designed to increase security and make your Yahoo account less hackable. In some ways it achieves that. Countless millions of people recycle memorable passwords across a number of services, including their email account. Not only are they usually fairly hackable in nature (randomized passwords are preferred), but they’re inherently insecure because, if/when cracked, they open large parts of your digital identity, or your entire online presence.
On-demand passwords, which are not usable after you’ve logged in, are designed to remove that password-chain/ potential domino effect because they are specific to your Yahoo account. But, there’s one fairly major caveat: if you lose your phone, the person in possession of it has a ticket into your email.
In some cases, if you get SMS notifications on your lock-screen, the on-demand password will show up even if your phone is locked. So, if you lose it, the person who picks it up doesn’t even need to know your passcode to get into your Yahoo account once they know your ID.
A better approach might be two-step passwords, whereby after entering your main password, you are then set a temporary password via SMS. That’s the basic if two-factor authentication. Yahoo told CNET that this is “the first step to eliminating passwords,” so we hope expect that there’s more to come on that front.
Yahoo is right to focus on mobile security, it’s an area where the average internet user is chronically unaware of best practices. Even those who are more savvy get caught out. The best approach remains a password manager, such as 1Password or LastPass, and an awareness of the risks.
In related news, the company also showed an early glimpse of its end-to-end email encryption plug-in, which it is working on in conjunction with Google, at South-By-Southwest.
The video below — via The Verge — aims to show how much easier Yahoo’s solution is to convention encryption options. The feature will be optional for users. When activated, it will keep the body of an email encrypted but leave basic details, like the timestamp and subject, unencrypted. Yahoo expects it to be made available before the end of the year.