Yahoo On-Demand Passwords improves security for some users
Yahoo announced the launch of a new on-demand password feature today in the United States. If you have a US IP address, you get the new on-demand passwords option under account security in the Yahoo! account settings.
To enable it click on the get started link. This takes you to an information prompt highlighting how the feature works.
Basically, all you have to do to sign in is enter your username on the login prompt. You receive a text message that contains the on-demand password that you then use to sign in.
You use the regular sign-in prompt on the Yahoo website for this. It switches automatically to an on-demand prompt once you enter your username. There you find the send my password option, which sends an SMS containing the password to your mobile phone number.
On the next page you enter the password sent to your mobile phone number and click on sign-in to complete the process.
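The sign-in flow described above, sketched from the server side as an added example. This is not Yahoo's code: the class name, the SMS wording, the eight-character length, the five-minute lifetime and the attempt limit are all assumptions chosen for illustration. It shows the properties that make such a password "one-time": it is stored only as a salted hash, it expires, and it is deleted on first successful use.

```python
import hashlib
import hmac
import secrets
import time

# All constants below are assumptions for this sketch, not Yahoo's values.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # look-alike characters removed
CODE_LENGTH = 8
TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class OnDemandPasswords:
    """Hypothetical server-side store for SMS-delivered one-time passwords."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> salt, digest, expiry, attempts left

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, username):
        """Create a fresh password and return the SMS body to send."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[username] = {  # replaces any earlier unused password
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": MAX_ATTEMPTS,
        }
        # The text names no account, so the SMS alone does not reveal the username.
        return f"Your on-demand password is {code}"

    def verify(self, username, code):
        """Accept a password at most once, before expiry, within the attempt limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]
            return False
        if hmac.compare_digest(entry["digest"], self._digest(entry["salt"], code)):
            del self._pending[username]  # single use: a replayed password fails
            return True
        entry["attempts"] -= 1
        if entry["attempts"] <= 0:
            del self._pending[username]  # guessing exhausted; a new SMS is required
        return False
```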
While not mentioned explicitly, it is possible to use the feature in other countries as well, provided that you set it up using a VPN or proxy. The system verified my German phone number just fine and sent me the passwords as well when I requested them.
Security and privacy
Is security better or worse when you are using on-demand passwords? There is no definitive answer to that as it depends on several factors.
For the average user, it may improve security as one-time passwords are used to sign into the account. This not only protects against weak passwords selected by the user but protects the account when passwords are stolen via phishing or on public computer systems.
Tech-savvy users on the other hand may not benefit from this at all. If you select a secure password, use a password manager to save it, maybe use two-factor authentication on top of that and make sure that you don't stay signed in on public systems, then Yahoo's on-demand solution is not nearly as secure as that.
Since on-demand passwords are linked to a mobile phone, all hell may break loose if a user loses that phone, especially if it is not protected by a password or PIN when that happens. It is however not that easy for the attacker to use the phone to gain access to Yahoo, since the username is not mentioned in the SMS messages.
In addition to that, more dire things may happen when someone gets hold of your phone.
This leaves privacy as a concern. If you confirm a mobile phone number, you practically confirm the account at the same time, which is valuable to companies, especially since they may retrieve additional information such as the mobile provider in the process.
Yahoo On-Demand Passwords are a convenient solution for users who don't want to be bothered when it comes to Internet security. Setup is relatively easy and once done, protects against several common threats on today's Internet. It may be necessary however to create app passwords for accounts that don't support the new login feature.
Now You: What's your take on On-Demand Passwords?
This process seems slow and mildly painful. Why didn’t they choose to go with the system that Microsoft uses, where you simply tap to okay the log in on your smartphone’s MS account app (mine is on Android)? The MS system seems way better than reading an eight character password then typing it into a different device. What a PITA.
This is a really bad idea. One factor authentication is always weaker than 2FA, no matter which of the factors you ignore (the password or the code sent on your phone).