Yahoo On-Demand Passwords improves security for some users - gHacks Tech News

Yahoo On-Demand Passwords improves security for some users

Yahoo announced the launch of a new on-demand password feature today in the United States. If you have a US IP address, you get the new on-demand passwords option under account security in the Yahoo! account settings.

To enable it, click on the get started link. This takes you to an information prompt highlighting how the feature works.

Basically, all you have to do to sign in is enter your username on the login prompt. You receive a text message that contains the on-demand password that you then use to sign in.

You use the regular sign-in prompt on the Yahoo website for this. It switches automatically to an on-demand prompt once you enter your username. There you find the send my password option, which sends an SMS containing the password to your mobile phone number.

On the next page you enter the password sent to your mobile phone number and click on sign-in to complete the process.

While not mentioned explicitly, it is possible to use the feature in other countries as well, provided that you set it up using a VPN or proxy. The system verified my German phone number just fine and sent me the passwords as well when I requested them.

Security and privacy

Is security better or worse when you are using on-demand passwords? There is no definitive answer to that as it depends on several factors.

For the average user, it may improve security as one-time passwords are used to sign into the account. This not only protects against weak passwords selected by the user but protects the account when passwords are stolen via phishing or on public computer systems.

Tech-savvy users, on the other hand, may not benefit from this at all. If you select a secure password, use a password manager to save it, maybe use two-factor authentication on top of that, and make sure that you don't stay signed in on public systems, then Yahoo's on-demand solution is not nearly as secure as that.

Since on-demand passwords are linked to a mobile phone, all hell may break loose if a user loses that phone, especially if it is not protected by a password or PIN when that happens. It is, however, not that easy for the attacker to use the phone to gain access to Yahoo, since the username is not mentioned in the SMS messages.

In addition to that, more dire things may happen when someone gets hold of your phone.

This leaves privacy as a concern. If you confirm a mobile phone number, you practically confirm the account at the same time, which is valuable to companies, especially since they may retrieve additional information such as the mobile provider in the process.

Closing Words

Yahoo On-Demand Passwords are a convenient solution for users who don't want to be bothered when it comes to Internet security. Setup is relatively easy and, once done, it protects against several common threats on today's Internet. It may be necessary, however, to create app passwords for accounts that don't support the new login feature.

Now You: What's your take on On-Demand Passwords?

    Comments

    1. RamboIT said on March 16, 2015 at 6:53 pm
      This process seems slow and mildly painful. Why didn’t they choose to go with the system that Microsoft uses where you simply tap to okay the log in on your smartphone’s MS account app (mine is on Android)? The MS system seems way better than reading an eight character password then typing it into a different device. What a PITA.

    2. Nebulus said on March 17, 2015 at 12:11 am
      This is a really bad idea. One factor authentication is always weaker than 2FA, no matter which of the factors you ignore (the password or the code sent on your phone).
