The way to permanently cure someone’s headache is to cut off their head, and that appears to be the principle Yahoo has adopted with a new security policy announced Sunday.
Users of Yahoo Mail no longer have to rack their brains to remember passwords, said Chris Stoner, the company’s director of product management.
Instead, they can opt for on-demand passwords after signing in to their Yahoo.com account and entering their phone number.
Yahoo will send them a verification code to enter, and the next time they sign in, it will send them an on-demand password.
This service is currently available to users in the United States.
Swimming Naked in a Shark Pool?
“Yahoo just made it easier for attackers to compromise an account,” said Tim Erlin, director of product management, and security and IT risk strategist for Tripwire.
“Two-factor authentication is more secure,” he told the E-Commerce Times, “because it requires an attacker to compromise more than a single piece of information to be successful.”
Granted, Yahoo is easing users’ burden by relieving them of having to remember passwords, but “they are maintaining a single target for compromise: their SMS messages,” Erlin remarked.
Malware on users’ smartphones could grab incoming SMS messages and thus give hackers full access to their accounts.
Further, on-demand passwords are mutually exclusive with Yahoo’s own two-step verification process, so enabling them “forces users to effectively downgrade security on their accounts,” Erlin cautioned.
Another View of Things
Not everyone is convinced Yahoo is making a misstep.
“We need more innovation like this with authentication,” enthused T.K. Keanini, CTO of Lancope.
Passwords “are just pieces of information — and in all these strategies, we want to make them useful for the shortest amount of time but not be an administrative burden,” he told the E-Commerce Times.
Many companies in the cybersecurity industry have been trying to come up with an alternative to passwords, which are easily and often forgotten or hacked.
Yahoo “knows that the most personal device on a person these days is their mobile phone — but let’s not stop there,” Keanini suggested. “Let’s keep innovating even more techniques to raise the cost to our attackers.”
Advantages of Two-Factor Authentication
Two-factor authentication uses two different components in combination to authenticate an individual. Those components could be something the user knows, something the user possesses, or something inseparable from the user.
Take, for example, the humble ATM. Withdrawing cash from it requires a combination of something the user possesses — a bank card — and something the user knows — the PIN.
Two-factor authentication has been touted as a good way to secure accounts. Banks have for some time been criticized for not moving fast enough on 2FA.
At the National Cyber Security Alliance’s forum held earlier this year, California state and federal cybersecurity experts urged the use of strong security measures such as 2FA when logging in to Gmail, Facebook and other websites that retain personal data.
Google introduced 2FA back in 2011, while Microsoft began rolling it out in 2013 — so it’s difficult to understand why Yahoo is taking the road less traveled.
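To make Erlin’s “single target for compromise” argument concrete, here is an added example (written for this page, not code from the article, Yahoo or Tripwire) that models both flows described above: an on-demand login that accepts only a texted code, and a two-step login that requires the password as well. The Account and Sms helpers, the 6-digit code format, the 300-second code lifetime and the phone number are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

CODE_TTL = 300.0  # assumed lifetime of a delivered code, in seconds

@dataclass
class Account:
    password_hash: bytes          # knowledge factor, stored hashed
    salt: bytes
    phone: str                    # the possession factor is delivered here
    pending: dict = field(default_factory=dict)  # outstanding code -> expiry time

def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Sms:  # constructed stand-in for the carrier: keeps every message per phone
    def __init__(self): self.inbox = {}
    def send(self, phone, text): self.inbox.setdefault(phone, []).append(text)

def issue_code(acct, sms, now):
    code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit format, CSPRNG
    acct.pending[code] = now + CODE_TTL
    sms.send(acct.phone, code)

def redeem_code(acct, code, now):
    for issued, expires in list(acct.pending.items()):
        if hmac.compare_digest(issued, code):  # constant-time comparison
            del acct.pending[issued]           # single use, expired or not
            return now <= expires
    return False

def login_on_demand(acct, code, now):
    return redeem_code(acct, code, now)        # the SMS code is the only factor

def login_two_step(acct, password, code, now):
    ok_pw = hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))
    ok_code = redeem_code(acct, code, now)
    return ok_pw and ok_code                   # both factors must succeed

def demo(now=0.0):  # attacker can read the phone's SMS but not the password
    salt = secrets.token_bytes(16)
    acct = Account(hash_password("correct horse", salt), salt, "+1-555-0100")
    sms = Sms()
    issue_code(acct, sms, now)
    stolen = sms.inbox[acct.phone][-1]         # malware reads the latest message
    on_demand = login_on_demand(acct, stolen, now)
    issue_code(acct, sms, now)
    stolen = sms.inbox[acct.phone][-1]
    two_step = login_two_step(acct, "wrong guess", stolen, now)
    return on_demand, two_step                 # (True, False)
```

The same stolen message succeeds against the on-demand flow and fails against the two-step flow, which is the downgrade the article describes; the codes are also single-use and expire, so a captured message is only useful briefly.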
Keeping Your Mobile Device Secure
The security of the mobile phone will determine how secure Yahoo’s new approach to email security is over time, Keanini opined.
“We will see a major shift by attackers to target malware on these mobile platforms because of their larger role in the overall security of the individual,” he predicted.
Users also will have to ensure their mobile account is secure, Keanini added, “because you don’t want attackers changing features like call-forwarding and other features that can put them in the middle of the communication stream.”