Yahoo Goes Passwordless to Access Account Services

Yahoo is rolling out “on-demand” email passwords, received via phone notifications, meaning you never have to remember a fixed password again, if you so choose. The service is opt-in. The question for me, though, is this: if Yahoo thinks this is good for the consumer, could it be a model for corporate IT security as well?

Here’s how you can opt in if you have a Yahoo email account, according to Yahoo’s director of product management, Chris Stoner:

1) Sign in to your Yahoo.com account.

2) Click on your name at the top right corner to go to your account information page.

3) Select “Account Security” in the left bar.

4) Click on the slider for “On-demand passwords” to opt in.

5) Enter your phone number and Yahoo will send you a verification code.

6) Enter the code and voila!

Sounds very simple. It also avoids the problems of trying to remember a complicated fixed password, or even worse, having a cybercrook guess your favorite color or best friend’s name and instantly get access to tons of sensitive personal information which they could use to ruin your life.

Other email providers have offered similar two-step authentication procedures, where you enter a fixed password first, then have a temporary password sent to your phone which you use to gain access to the account. Yahoo’s new system simply skips that first step.

What seems to be happening here is that Yahoo decided to push Identity and Access Management functions for its users down to the users’ own phones. Anyone who wants to access a Yahoo account that has opted into this feature will need the phone associated with that account. Given how often people lose their mobile devices or have them stolen, this approach may wind up being less than secure, including for companies or other organizations looking to secure their networks and people on the cheap. If the mobile devices themselves are not well protected from unauthorized access, and if users are accessing their Yahoo accounts from their phones, which they probably will, then all cybercrooks have to do is nab a corporate phone, break into it, and then voila, they are inside. You would then need a real Identity and Access Management solution to stop the attacker in their tracks by detecting the unauthorized access and then either wiping the mobile device or locking it out of the corporate network, if it isn’t already too late. On its own, therefore, Yahoo’s new security procedure for its account holders falls short, especially for larger organizations.
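To make the difference between the two-step flow and the on-demand flow concrete, here is a Python model added as an example; it is not Yahoo's implementation and not code from the original article. The class and method names, the 8-digit code, the five-minute lifetime and the three-guess limit are all assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300       # assumed lifetime of a phone code, in seconds
MAX_ATTEMPTS = 3     # assumed number of wrong guesses allowed per issued code

class Account:
    """Hypothetical account model; password=None means the on-demand flow."""
    def __init__(self, password=None):
        self.salt = secrets.token_bytes(16)
        # No fixed password: the phone code becomes the only factor.
        self.pw_hash = self._kdf(password) if password is not None else None
        self.pending = None          # (code_hash, expires_at, attempts_left)

    def _kdf(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def send_code(self, now=None):
        """Issue a one-time code; the return value stands in for the phone message."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending = (self._kdf(code), now + CODE_TTL, MAX_ATTEMPTS)
        return code

    def _check_code(self, code, now):
        if self.pending is None:
            return False
        code_hash, expires_at, attempts_left = self.pending
        if now > expires_at or attempts_left <= 0:
            self.pending = None      # expired or guess budget used up
            return False
        if hmac.compare_digest(code_hash, self._kdf(code)):
            self.pending = None      # single use: a replayed code is rejected
            return True
        self.pending = (code_hash, expires_at, attempts_left - 1)
        return False

    def login(self, code, password=None, now=None):
        now = time.time() if now is None else now
        if self.pw_hash is not None:
            # Two-step flow: the fixed password is checked before the code.
            if password is None or not hmac.compare_digest(
                    self.pw_hash, self._kdf(password)):
                return False
        return self._check_code(code, now)
```

In this model, someone holding only the phone fails `login` on an account created with a password but succeeds on one created without, which is the exposure the paragraph above describes. Expiry, single use and a guess limit protect the code itself, not the device it is delivered to.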


Doug Atkinson

President at Solutions Review
An entrepreneur and executive with a passion for enterprise technology, Doug founded Solutions Review in 2012. He has previously served as a newspaper boy, a McDonald's grill cook, a bartender, a political consultant, a web developer, the VP of Sales for e-Dialog - a digital marketing agency - and as Special Assistant to Governor William Weld of Massachusetts.