Yahoo took advantage of South by Southwest's (SXSW) opening weekend this week to make major announcements about its account security. Primarily, the company announced its new “on-demand” passwords, and followed up with news that the source code of its end-to-end encryption extension for Yahoo Mail was available on GitHub.
The company's on-demand passwords will, as Chris Stoner, director of product management at Yahoo, explained in a blog post, make the login process “less anxiety-inducing.” Essentially, users won't need a memorized, predetermined password to log into an account. Instead, each time they want to log in, they will receive a text message with a verification code.
The system is markedly different from two-factor authentication, however. Two-factor authentication requires two separate proofs of identity to log into an account, and often uses a code sent by text message as the second. On-demand passwords require only a single factor: the text message itself.
Yahoo is not the first to implement the technology, but a Yahoo spokesperson said in an email to SCMagazine.com that it's “still a relatively new trend in the industry, so we're excited to be leading on this for our users.”
The prospect of phasing out passwords might be exciting to many in the security community, but multiple professionals have noted possible security weaknesses. In particular, the password program didn't consider, or at least take seriously enough, mobile malware and the chance of the receiving device being compromised.
“While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages,” said Tim Erlin, director of product management, security and IT risk strategist for Tripwire, in prepared commentary to SCMagazine.com. “Malware on your phone could be used to grab those SMS messages and then have full access to your account.”
Furthermore, two-factor authentication and on-demand passwords are mutually exclusive, so users will have to choose between the two.
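To make concrete what the two paragraphs above and Erlin's comment describe, here is a small model of an on-demand password service next to a two-factor one. This is an added example written for this article, not Yahoo's code; the SMS gateway is a constructed in-memory list so it runs offline, and the code length, lifetime, guess limit, user names and phone numbers are all assumed values. The second function shows the server-side checks a practitioner would expect around such codes (hashed storage, single use, expiry, attempt limit); the first shows why a single-factor scheme makes the SMS channel the whole secret while the two-factor one still needs the password.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of an on-demand code
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class SmsChannel:
    """Constructed stand-in for an SMS gateway: messages are appended to a list."""
    def __init__(self):
        self.outbox = []  # (phone, text)

    def send(self, phone, text):
        self.outbox.append((phone, text))


class OnDemandPasswordService:
    """Single-factor login: every login issues a fresh one-time code over SMS."""
    def __init__(self, sms, clock=time.time):
        self.sms = sms
        self.clock = clock
        self._pending = {}  # user -> [sha256(code), expires_at, failed_attempts]

    def request_code(self, user, phone):
        code = f"{secrets.randbelow(10**8):08d}"          # 8 digits from the CSPRNG
        digest = hashlib.sha256(code.encode()).digest()   # store only a hash server-side
        self._pending[user] = [digest, self.clock() + CODE_TTL_SECONDS, 0]
        self.sms.send(phone, f"Your sign-in code is {code}")

    def verify_code(self, user, code):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # expired or guess limit reached: discard the code
            return False
        if hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            del self._pending[user]  # single use: a replayed code is rejected
            return True
        entry[2] = attempts + 1
        return False


class TwoFactorService(OnDemandPasswordService):
    """Two-factor login: a memorized password AND the SMS code are both required."""
    def __init__(self, sms, clock=time.time):
        super().__init__(sms, clock)
        self._pw = {}  # user -> (salt, pbkdf2 hash)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def verify_password(self, user, password):
        stored = self._pw.get(user)
        if stored is None:
            return False
        salt, expected = stored
        return hmac.compare_digest(expected, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, user, password, code):
        # Both checks always run, so a wrong password still consumes the code attempt.
        pw_ok = self.verify_password(user, password)
        code_ok = self.verify_code(user, code)
        return pw_ok and code_ok


def extract_code(sms_text):
    """Pull the digits out of one of the constructed SMS messages."""
    return sms_text.rsplit(" ", 1)[1]


def sms_only_outcome():
    """With only the SMS channel visible, does each scheme grant login?

    Returns (on_demand_granted, two_factor_granted): the single-factor scheme is
    fully unlocked by the message, the two-factor one still lacks the password.
    """
    sms = SmsChannel()
    od = OnDemandPasswordService(sms)
    od.request_code("alice", "+15550100")  # constructed user and number
    od_result = od.verify_code("alice", extract_code(sms.outbox[-1][1]))

    tf = TwoFactorService(sms)
    tf.set_password("alice", "correct horse battery staple")
    tf.request_code("alice", "+15550100")
    tf_result = tf.login("alice", "", extract_code(sms.outbox[-1][1]))  # password unknown
    return od_result, tf_result


def replay_and_expiry():
    """Returns (first_use, replay, expired): only the first use of a code succeeds."""
    sms = SmsChannel()
    now = [1_000.0]
    od = OnDemandPasswordService(sms, clock=lambda: now[0])
    od.request_code("bob", "+15550101")
    code = extract_code(sms.outbox[-1][1])
    first = od.verify_code("bob", code)
    replay = od.verify_code("bob", code)
    od.request_code("bob", "+15550101")
    now[0] += CODE_TTL_SECONDS + 1  # let the new code expire before it is used
    expired = od.verify_code("bob", extract_code(sms.outbox[-1][1]))
    return first, replay, expired


if __name__ == "__main__":
    print("SMS alone grants login (on-demand, two-factor):", sms_only_outcome())
    print("first use, replay, expired:", replay_and_expiry())
```

The single-use and expiry checks limit what an intercepted code is worth to a narrow window, which is exactly why a scheme that relies on that code alone needs additional mitigation on the device; the two-factor variant shows the mitigation the article notes users cannot combine with on-demand passwords.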
At the same time, John Bradley, senior technical architect at Ping Identity, noted in prepared commentary to SCMagazine.com that this move streamlines account recovery, and he said receiving a new password through SMS could be more secure than receiving it through email.
The feature is currently available only to U.S.-based users.
Also during SXSW, Yahoo's Chief Information Security Officer Alex Stamos elaborated on plans to integrate end-to-end encryption on Yahoo Mail. The company released the encryption extension source code on GitHub for security researchers to sift through for possible bugs.
The encryption is slated to deploy for all users by the end of the year.