Yahoo's new on-demand password system is no replacement for two-factor authentication

The new authentication option offers better security than static passwords, but it's not as strong as two-step verification

In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones.

If this sounds like a two-factor authentication system where users need to provide one-time codes sent to their mobile phones in addition to their static passwords, it's not. Yahoo already had that option.

Instead, the new log-in mechanism, which is based on what Yahoo calls on-demand passwords, still relies on a single factor, the user's phone number.

Yahoo users -- only those based in the U.S. for now -- can turn on the new feature from their account security settings on Yahoo's site. They will need to provide a phone number and then confirm that they have access to it by inputting a verification code sent to them via SMS.

Once the system is set up, the next time they want to log in, Yahoo users will see a button that says "send my password" instead of a traditional password input field. Clicking on that button will send them a temporary four-character password via SMS.

The new system offers better security than static passwords, which can be stolen in a variety of ways, but it's not as effective as two-factor authentication because it depends solely on how secure the user's phone is.

"Two-factor authentication is more secure because it requires an attacker to compromise more than a single piece of information to be successful," said Tim Erlin, director of product management at security firm Tripwire, via email. "While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages, and then have full access to your account."

The ability to intercept, steal and hide text messages is common for mobile malware, particularly for threats that target online banking users who often receive transaction and other authorization codes via SMS.

In addition, if a phone is lost or left unsupervised, it could be used to generate a password for the phone owner's Yahoo email account. As many incidents have shown, a person's email account can be a gateway for further compromises, because it can be used to reset the password for the user's accounts on other websites.

Malware creators will increasingly target mobile platforms because of the important role they play for users' online security, said TK Keanini, CTO at security firm Lancope, via email. "It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream."

Researchers have warned for years that static passwords no longer provide sufficient protection for online accounts, so any effort to replace them with something else is generally welcome.

It remains to be seen how vulnerable Yahoo's new system is, "but it can only be a good thing that a well-known brand in the technology field is seeking different ways to revamp the password," said Chris Boyd, a malware intelligence analyst at Malwarebytes, via email.

Given a choice, however, Boyd would still choose two-factor over single-factor authentication any time.

So, if you already have "two-step verification" enabled on your Yahoo account it's better to stick with it and not switch to the new "on-demand password" system. The two appear to be incompatible and switching to on-demand passwords could actually downgrade your account's security, according to Erlin.

Even with the potential drawbacks, "it is good to see Yahoo trying to address the password problem," said Jared DeMott, principal security researcher at Bromium, via email. However, most users will only do only what is required of them by default, "so if companies are serious about better login security, the default choice will need to be modified."

For now, Yahoo's new on-demand password system requires users to opt-in.

Join the CSO newsletter!

Error: Please check your email address.

Tags Yahooonline safetyLancopesecurityTripwireAccess control and authenticationMalwarebytesBromium

More about LancopeMalwarebytesTripwireYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place