Yesterday at the 2015 South By Southwest Interactive Exhibition, Yahoo announced a new “on-demand passwords” feature which sends a one-time password to your phone each time you need to log in to your email account.
The idea resembles existing email or SMS verification codes; the difference is that it tries to do away with the other factor that normally accompanies such codes, most commonly the password itself. We were curious how the system actually worked, so we decided to try it out. Here’s what we found.
It’s great that Yahoo are looking into ways to make email accounts more secure, but we feel there is a long way to go before this replaces passwords.
First off, enrolling in the service still requires your existing account password. Once you provide your phone number you receive an initial verification code; from then on, each login uses a fresh password sent to your phone by text message.
So, now you can forget your password, right? Wrong. Think about what happens when you have no mobile network signal, or when your phone runs out of battery. In these cases you will still need your password, or you will have to ask Yahoo to send a temporary password to another email address, which you will in turn need a password to log into. Furthermore, if you change your phone number you will most likely have to go through a tedious identity-verification process, creating further friction.
Some users may also be on mobile plans that charge for received text messages, which effectively means paying each time you access your email. Yahoo itself may face cost issues when sending messages over networks outside the US, which is currently the only place the feature is being trialled.
Besides these time and cost issues, there is a further security concern. The system does a good job of generating random, account-specific passwords, but it reduces authentication to a single factor: possession of your phone. Anyone who gets hold of the phone can simply request a new code the next time they want to log in, and all they need to know is your email address. Even if the phone has a lock screen, text messages are commonly displayed as notifications on the locked screen (unless message previews have been disabled), so anyone who can see the screen can read the code and access your email. Leaving your phone on the table at work or at lunch could now have repercussions…
This matters because your email account anchors much of your overall online security: password resets for other services land there, so whoever controls it can open up large parts of your digital identity. In fact, even Dylan Casey, Yahoo’s vice president of product management, says himself that while on-demand passwords are designed as a convenience, they are not for everyone. Eventually, he said, Yahoo will introduce authentication methods that are more secure than SMS, so he admits there is work to be done.
Services like Yahoo’s on-demand passwords show real progress in authentication methods, and that’s good news. However, don’t forget that most of these schemes still fall back on a password at some point: enrolment, recovery and changing devices all require it. So we still need to keep our passwords safe, even if we choose a feature that spares us from typing them every day. If you truly want to be able to forget your passwords, a password manager like Dashlane is still the only viable solution.
Want to get the low-down on some of the other latest developments in the security world? Check out our new Medium page here.