If you own a Yahoo e-mail account, you can forget your password. Literally. The search engine announced Sunday that it has started letting e-mail users in the U.S. change the security settings on their accounts so they can opt in to a new verification procedure.
Instead of having one password with which to access their accounts, users can elect to provide Yahoo with mobile phone numbers instead. When they wish to access their accounts, Yahoo will send a text to their phones with a one-time password.
Eliminating Passwords Altogether
The new password-on-demand option is one of two security upgrades to its e-mail system that Yahoo announced on Sunday. The company said that it was providing the option in response to worries among users about losing or forgetting their e-mail passwords.
“Today, we’re hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them,” Chris Stoner, Director of Product Management at Yahoo, wrote on the company’s Tumblr feed. “You no longer have to memorize a difficult password to sign in to your account -- what a relief.”
But the move could have far broader implications than just easing the minds of some of Yahoo’s more forgetful e-mail users. The development represents the first step in eliminating passwords altogether, Yahoo vice president of product management for consumer platforms Dylan Casey said at the South by Southwest festival in Austin, Texas, according to CNET.
The new security process could make going online safer for Yahoo’s users, since temporary passwords are more secure than static ones, which hackers can steal from corporate databases.
However, while the new option may offer better protection than the standard username and password combo, it remains a much less secure option than two-factor authentication, which requires users to enter both static passwords and unique codes texted to their phones. Yahoo has offered two-factor authentication as an option for some time, making the company's latest development something of a step backward in terms of overall security.
But the new on-demand password capability was not the only new feature Yahoo announced at SXSW. The company also said that it is working to create an e-mail extension that would provide users with end-to-end (e2e) encryption. That could ultimately prove to have a much more significant impact on e-mail security.
The extension is still in the development phase, however. The company is currently working on the source code, which it made publicly available through GitHub to solicit feedback from the security industry. Yahoo said it hopes to have a fully working version of the extension ready for release by the end of the year.
“Today, our users are much more conscious of the need to stay secure online,” Alex Stamos, Yahoo’s Chief Information Security Officer, wrote in a post on Tumblr. “There is a wide spectrum of use for e2e encryption, ranging from the straightforward (sharing tax forms with an accountant), to the potentially life-threatening (e-mailing in a country that does not respect freedom of expression).”
Yahoo said it is hoping that other companies will develop encryption systems of their own that are compatible with Yahoo’s extension.
Posted: 2015-03-17 @ 3:46am PT
And what happens if I lose my cellphone?
I'd rather see them implementing two-factor based on the OTP (one-time password) standard protocol, like that implemented by Dropbox or GitHub. Google has it too, but makes the same "mistake" as Yahoo of binding it to a cellular number. "Mistake?" No, intentional tracking strategy: in exchange for account security, they want to be able to track your whereabouts. My privacy is more important to me than my Yahoo or Google account. Not interested!