No matter how many warnings there are, weak passwords continue to be one of the easiest and most common ways hackers get into all kinds of systems. In fact, not changing passwords regularly or failing to follow other basic best practices is the common issue behind some of the biggest hacks around the world. Yahoo! is finally stepping up its game and taking drastic measures: allowing webmail users to get rid of their passwords entirely. At the 2015 SXSW, Yahoo! revealed its new on-demand passwords, which are a completely different beast from the standard two-factor authentication that many similar companies use.
Obviously, the classic fixed password is what everyone is used to. You may be prompted to change your passwords every six months or so, and some tech companies offer two-factor authentication as a means of keeping hackers at bay. Yahoo! is offering a new solution: to access your email, a simple four-digit code is sent to your phone. At the moment, only US users can access this system, and it’s 100 percent optional. But how realistic is it?
One Step or Two Step?
For now, Yahoo! has assured users that the classic two-factor authentication is still available. The announcement almost instantly split people into supporters and critics. Some think it’s a simple and easy solution to help secure email, while others are still rallying behind the two-factor approach (assuming it’s actually upheld to a certain standard). The issue with two-factor authentication is that many people and companies don’t actually use it or update passwords regularly.
Two-factor requires a regular password as well as a one-time code. With on-demand, there is no fixed password, and the code changes every single time you want to access your account. Critics say that hackers can easily develop malware that targets phones and picks up text messages, and voilà, they have instant account access, or at least that’s what PC World says. According to McAfee, the delay in security patches from developers causes vulnerabilities, too. Plus, there are “what if” scenarios with on-demand that could lock people out of their accounts for lengthy periods. What if they lose their phone, they’re overseas without their usual number, they have no signal, or their phone is dead?
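To make the difference between the two schemes concrete, here is an added example (not Yahoo!’s code, and not based on any detail of its implementation) that models both on the server side: a two-factor login that checks a fixed password and then a one-time code, and an on-demand login that checks only a freshly issued four-digit code. The account model, the five-minute code lifetime, and the three-guess limit are all assumptions made for the example. Because the code is delivered out of band in the real system, the `issue_code` function simply returns it, standing in for the text message.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not Yahoo!'s implementation. All names and parameters are hypothetical.
CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted, slow hash so neither passwords nor pending codes are stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class Account:
    """An account is either two-factor (has a fixed password) or on-demand (password is None)."""

    def __init__(self, password: Optional[str]):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_secret(password, self.salt) if password is not None else None
        self.pending_code = None   # (code_hash, expires_at, attempts_left) or None


def issue_code(account: Account, now: float) -> str:
    """Generate a fresh four-digit code; returning it stands in for sending the text message."""
    code = f"{secrets.randbelow(10_000):04d}"
    account.pending_code = (hash_secret(code, account.salt), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
    return code


def verify_code(account: Account, submitted: str, now: float) -> bool:
    """Accept a pending code once, within its lifetime, and within the guess limit.

    A four-digit code has only 10,000 possible values, so expiry and a small attempt
    budget are what keep the scheme workable; both are enforced here.
    """
    pending = account.pending_code
    if pending is None:
        return False
    code_hash, expires_at, attempts_left = pending
    if now > expires_at or attempts_left <= 0:
        account.pending_code = None          # expired or exhausted: a new code must be issued
        return False
    if hmac.compare_digest(code_hash, hash_secret(submitted, account.salt)):
        account.pending_code = None          # single use: the same code never works twice
        return True
    account.pending_code = (code_hash, expires_at, attempts_left - 1)
    return False


def login_two_factor(account: Account, password: str, code: str, now: float) -> bool:
    """Classic two-factor: the fixed password must match before the one-time code is checked."""
    if account.password_hash is None:
        return False
    if not hmac.compare_digest(account.password_hash, hash_secret(password, account.salt)):
        return False
    return verify_code(account, code, now)


def login_on_demand(account: Account, code: str, now: float) -> bool:
    """On-demand: no fixed password at all; the freshly delivered code is the whole login."""
    return verify_code(account, code, now)


if __name__ == "__main__":
    acct = Account(None)                         # on-demand account
    code = issue_code(acct, now=0.0)             # in practice this goes to the phone
    print("on-demand login:", login_on_demand(acct, code, now=10.0))
    print("replayed code:", login_on_demand(acct, code, now=11.0))
```

The model also shows why the “what if” scenarios matter: if the phone is lost or has no signal, the only credential the on-demand account has is a code that expires, so the account stays inaccessible until a new code can actually be delivered. The two-factor account, by contrast, still fails closed without the code but at least retains the password as a first barrier.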
Going Full Circle
While Yahoo! detailed the on-demand option, it also hinted at the end-to-end encryption project it is working on, slated for a fall release. Clearly, Yahoo! is looking more closely at email security in the digital landscape, but it’s too soon to tell whether it is on the right track. Luckily, Yahoo! users can choose what kind of authentication they want (for now), so no major changes are required.
The timing is perfect, too, considering Yahoo! just dealt with security problems of its own. A slew of vulnerabilities was discovered by Mark Litchfield—supreme bug bounty hunter—that, had they been discovered by a hacker, could have opened up the entire Yahoo! ecommerce platform to attack. Perhaps that was the “bug” that pushed Yahoo! to focus more critically on security.