Yah Who?

Posted March 19, 2015

Yahoo Offers Optional On-Demand, Password-Free Email Login. Users No Longer Need to Remember Passwords to Log In.

Last year, Yahoo suffered a massive hack that compromised Yahoo Mail usernames and passwords. In response to that attack, writes Samantha Murphy Kelly on mashable.com (link to article), “[Yahoo wanted] to provide a safe, encrypted way to keep accounts secure.”

How Yahoo’s password-free login works

Murphy writes that the “new on-demand login feature…sends…a specialized code to [users’] mobile devices to gain access. The code is generated only for that account [and] changes each time [users] log in.” The same password is never used twice.

For years, ThreatMetrix warned that passwords offer minimal security

In a 2013 blog post titled “ThreatMetrix Strategies for Helping Your Business Avoid Its Own Password Apocalypse,” the company pointed to the 130 million people who had their identities stolen or bank accounts drained when Adobe and LivingSocial were breached, and noted that password systems were not up to the task of protecting those people. (Since that time, of course, tens of millions more people have had their personal information compromised in breaches from Target to Anthem.)

Alisdair Faulkner, ThreatMetrix’s chief products officer, observed in the same blog:

“Retailers are caught between a rock and a hard place. They loathe introducing speed bumps, such as resetting passwords or requiring two-factor authentication, as these steps pose an inconvenience to their customers. It’s crucial to adapt effective technologies that can quickly identify potential threats without negatively impacting the user experience for customers.”

Other companies offering password protection similar to Yahoo’s

Murphy notes that “Many companies like Twitter, Facebook and Google have offered a similar option — two-factor authentication — for some time. This method is like double-locking your door at night (you need both a standard password and the messaged code to enter). Yahoo differs because you don’t need a permanent password, just the one that the company sends you on demand.”

Even though Yahoo’s method differs slightly, no doubt there are going to be users who are turned off by having to jump through hoops just to check their email.

What happens if a Yahoo email user loses his device or has it stolen?

Writing on techcrunch.com (link to article), Jon Russell notes that “if you lose your phone, the person in possession of it has a ticket into your email. In some cases, if you get SMS notifications on your lock-screen, the on-demand password will show up even if your phone is locked. So, if you lose it, the person who picks it up doesn’t even need to know your passcode to get into your Yahoo account once they know your ID.”

ThreatMetrix
