Yahoo is rolling out “on-demand” email passwords, received via phone notifications, meaning you never have to remember a fixed password ever again, if you so choose. The service is opt in. The question for me though, is as follows: If Yahoo thinks this is good for the consumer, could this be a model for corporate IT security as well?
Here’s how you can opt in if you have a Yahoo email account according to Yahoo’s director of product management, Chris Stoner:
1) Sign in to your Yahoo.com account.
2) Click on your name at the top right corner to go to your account information page.
3) Select “Account Security” in the left bar.
4) Click on the slider for “On-demand passwords” to opt in.
5) Enter your phone number and Yahoo will send you a verification code.
6) Enter the code and voila!
Sounds very simple. It also avoids the problems of trying to remember a complicated fixed password, or even worse, having a cybercrook guess your favorite color or best friend’s name and instantly get access to tons of sensitive personal information which they could use to ruin your life.
Other email providers have offered similar two-step authentication procedures, where you enter a fixed password first, then have a temporary password sent to your phone which you use to gain access to the account. Yahoo’s new system simply skips that first step.
What seems to be happening here is that Yahoo has pushed the Identity and Access Management function for its users down to the users’ own phones. Anyone who wants to access a Yahoo account that has opted into this feature needs the phone associated with that account. Given how often people lose their mobile devices or have them stolen, this approach may wind up being less than secure, especially for companies or other organizations looking to secure their networks and people on the cheap. If the mobile devices themselves are not well protected from unauthorized access, and if users are accessing their Yahoo accounts from their phones, which they probably will, then all a cybercrook has to do is nab a corporate phone, break into it, and VOILA, they are inside. You would then need a real Identity and Access Management solution to stop the attacker in his or her tracks by detecting the unauthorized access and then either wiping the mobile device or locking it out of the corporate network, if it isn’t already too late. On its own, therefore, Yahoo’s new security procedure for its account holders falls short, especially for larger organizations.
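The difference between the two-step scheme and Yahoo’s possession-only scheme can be made concrete with a small model of the server side. The following is an added example written for this post, not Yahoo’s code or any real provider’s API; the account name, phone number, validity window and policy names are constructed for illustration. It shows that once a code has reached the enrolled phone, an “on-demand” account opens with nothing else, while a “two-step” account still demands the fixed password, and it includes the two mitigations a defender would insist on: codes are single-use with an expiry, and reporting the device lost stops further codes from being issued.

```python
"""Model of possession-only ("on-demand") login versus password + code login.

Added example, not Yahoo's implementation. Policy names, TTL and sample data are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, List

OTP_TTL_SECONDS = 300      # hypothetical validity window for a delivered code
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the fixed password (only used by the two_step policy)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    phone: Optional[str]                      # None once the device is reported lost
    policy: str                               # "on_demand" (code only) or "two_step" (password + code)
    pending: Dict[str, float] = field(default_factory=dict)   # code -> expiry timestamp


class AuthServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # (phone, code) pairs: what the carrier would deliver to the handset
        self.sms_outbox: List[Tuple[str, str]] = []

    def enroll(self, username: str, password: str, phone: str, policy: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), phone, policy)

    def request_code(self, username: str, now: Optional[float] = None) -> bool:
        """Issue a one-time code to the enrolled phone; False if no device is enrolled."""
        acct = self.accounts[username]
        if acct.phone is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending[code] = (now if now is not None else time.time()) + OTP_TTL_SECONDS
        self.sms_outbox.append((acct.phone, code))
        return True

    def login(self, username: str, *, password: Optional[str] = None,
              code: Optional[str] = None, now: Optional[float] = None) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        now = now if now is not None else time.time()
        if acct.policy == "two_step":
            # Knowledge factor first: a stolen phone alone is not enough here.
            if password is None:
                return False
            if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
                return False
        # Both policies end with the possession factor; pop() makes the code single-use.
        expiry = acct.pending.pop(code, None) if code is not None else None
        return expiry is not None and now <= expiry

    def report_device_lost(self, username: str) -> None:
        """Revoke the possession factor: no phone on file, outstanding codes cancelled."""
        acct = self.accounts[username]
        acct.phone = None
        acct.pending.clear()


def stolen_phone_scenario(policy: str) -> Dict[str, bool]:
    """Someone holding the enrolled (unlocked) phone, but not the password, tries to log in."""
    srv = AuthServer()
    srv.enroll("alice", "correct horse battery staple", "+15555550100", policy)  # constructed data
    t0 = 1_000_000.0
    srv.request_code("alice", now=t0)
    _, code = srv.sms_outbox[-1]                    # the code as shown on the handset
    first = srv.login("alice", code=code, now=t0 + 10)
    replay = srv.login("alice", code=code, now=t0 + 20)    # same code again
    srv.report_device_lost("alice")
    more_codes = srv.request_code("alice", now=t0 + 30)
    return {"login_without_password": first,
            "replay_same_code": replay,
            "code_after_lost_report": more_codes}


def legitimate_two_step_login() -> bool:
    srv = AuthServer()
    srv.enroll("alice", "correct horse battery staple", "+15555550100", "two_step")
    srv.request_code("alice", now=5.0)
    _, code = srv.sms_outbox[-1]
    return srv.login("alice", password="correct horse battery staple", code=code, now=6.0)


def expired_code_rejected() -> bool:
    srv = AuthServer()
    srv.enroll("alice", "correct horse battery staple", "+15555550100", "on_demand")
    srv.request_code("alice", now=5.0)
    _, code = srv.sms_outbox[-1]
    return srv.login("alice", code=code, now=5.0 + OTP_TTL_SECONDS + 1)


if __name__ == "__main__":
    for policy in ("on_demand", "two_step"):
        print(policy, stolen_phone_scenario(policy))
```

Run as a script, the two policies print side by side: with `on_demand` the first login succeeds on the code alone, with `two_step` it fails, and under both the replayed code and any code requested after the lost-device report are refused. The revocation path is the part a corporate deployment would need to wire into its own device-management and monitoring, which is the gap the paragraph above describes.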
- Yahoo Goes Passwordless to Access Account Services - April 6, 2015