Yahoo scraps passwords

Yahoo mail has changed.
Yahoo mail has changed.

Yahoo is getting rid of passwords altogether.

Those who have used Yahoo Mail recently will find that there is no password required on its iOS and Android devices. Instead they will receive a push notification asking to confirm whether they are the legitimate user or reject the request as a fraudulent attempt to access personal information.

Earlier in the year, Yahoo brought out on-demand passwords which allowed users to sign in to their accounts with a code they get sent via text message. “It was the first step to a password free future”, wrote Dylan Casey, Yahoo's VP of product management, in a blog post announcing the changes.

Yahoo is offering this feature, called Account Key, as part of its mail app redesign, marking the company's 18th birthday. This feature, the company said in a blog post announcing the app's redesign “will take user convenience and security to the next level.”

The Account Key will hopefully solve some of the problems with passwords including the fact that people use the same passwords for multiple accounts, leaving them wide open to compromise. A Yahoo spokesperson talked to SCMagazineUK.com saying that Account Key bypasses many of the problems of passwords: “When a user creates their own password, they often: 1) don't make it sufficiently complex, 2) use the same password across multiple sites, and 3) use simpler passwords that are easier to enter on their mobile device.”

The password is increasingly seen as antiquated and has been treated with suspicion by the industry. They're seen as easy to bypass and too simple to really provide the security that so many require. Even GCHQ has expressed scepticism about the usefulness of passwords.

Industry players have been considering alternate approaches including two-factor authentication, where users use multiple forms of identification to access their accounts, sometimes including biometric data, like a fingerprint or DNA sample, to access secure accounts.

Apple recently introduced a kind of two-factor authentication to its ID system. Once a user tries to log in to their apple device, a message is sent to another of their connected apple devices ensuring that it's the correct user logging in. This new approach by Yahoo is not quite the two-factor authentication of Apple.

Yahoo told SC that this new password-less feature, “makes life easier and more secure for our users by relieving them of the responsibility of creating a password that is at once difficult to guess, unique to one site and still memorable.”

This new feature, however, is met with a guarded suspicion by other industry professionals.Bill Carey, VP of marketing and business development at Siber systems told SC that: "It may be a good thing in terms of security since a user would have to have their phone with them instead of knowing a password." He added,  "But convenience and security still remains to be seen."

David Emm, principle security researcher at  Kaspersky, a cyber-security company, is slightly more sceptical. He told  SC that this won't necessarily enhance security but rather swap "one login method for another – and one that's no more secure". Emm said:  "My concern with this is that if your phone is lost or stolen, it gives cyber-criminals a ticket into your email inbox. It's easy to find out an email address just by clicking a few buttons on a phone." 

Two-factor authentication, on the other hand "enhances your security.  It ensures that a cyber-criminal would have to figure out your original password and also have access to your mobile phone in order to receive the one-time passcode to log in." 

The other features that Yahoo is rolling out include search functions as well as the ability to incorporate other kinds of email accounts into the mail app and manage multiple mailboxes.