New Yahoo Login System Uses No Password

By John Lister

Yahoo has introduced an option to log in without needing to remember a password. It requires a cellphone and may trade security for convenience.

Under the new system, which is optional, users can choose not to use a standard password for future log-ins. Once the option is activated, a button appears on Yahoo's site when the user is ready to log in to the account.

When the user clicks this button, Yahoo sends a one-time, four-character password to the user's cellphone. Once the user logs in, the password field becomes inactive. The process is then repeated the next time the user logs in.

Yahoo Looks To Post-Password World

Yahoo says it's offered the option because customers say they find it difficult to remember lots of different passwords. It's likely not the end of the changes, however, as the company describes it as "the first step to eliminating passwords." (Source: cnet.com)

The system does have one major security flaw: if somebody steals the user's phone and knows their Yahoo user ID (a user name or email address), they can log in to the account by obtaining the temporary password.

One way round this is to make sure the phone itself has a password lock or other security measure so that thieves can't use it. This won't work with all phone setups though, as some phones will display text messages on the lock screen such that the content is visible even when the phone is locked. (Source: techcrunch.com)

New Yahoo System Is Not 'Two-Factor Authentication'

The use of the phone might make Yahoo's new option sound the same as the widely used two-factor authentication, but that's not the case at all. Two-factor is designed to increase security, whereas the new Yahoo passwordless option may in some cases weaken it.

The idea of two-factor authentication is to tighten security by having two different types of identification, commonly described as being something only you know and something only you have. With many set-ups this is a standard password and a cellphone.

In these set-ups, the user not only logs in with a password, but then receives a one-off code on their phone which they type in. While this increases security and protects against people who guess or hack a password, it is considerably more inconvenient. For this reason, many online firms compromise by only requiring the passcode when somebody logs in from an unfamiliar device or location.
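The three set-ups described above (the passwordless option, two-factor, and the compromise that asks for a code only on an unfamiliar device) can be compared in a short Python sketch. This is an added illustration, not code from Yahoo or from the original article; the code alphabet, the five-minute lifetime and every name in it are assumptions.

```python
import hashlib, hmac, secrets, string, time

# Assumptions: the article says only "four character"; alphabet and lifetime are made up.
CODE_ALPHABET = string.ascii_lowercase + string.digits
CODE_TTL_SECONDS = 300

class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.pending = None  # (code, expires_at) for the code last sent to the phone

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def password_ok(self, password):
        return password is not None and hmac.compare_digest(self.pw_hash, self._hash(password))

    def issue_code(self, now=None):
        """Create a fresh code; a real service would text it to the user's phone."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(4))
        self.pending = (code, now + CODE_TTL_SECONDS)
        return code

    def code_ok(self, submitted, now=None):
        now = time.time() if now is None else now
        pending, self.pending = self.pending, None  # any attempt uses the code up
        if pending is None or submitted is None or now > pending[1]:
            return False
        return hmac.compare_digest(pending[0].encode(), submitted.encode())

def login(account, mode, password=None, code=None, known_device=False, now=None):
    if mode == "passwordless":  # the option in the article: the phone code alone
        return account.code_ok(code, now)
    if mode not in ("two_factor", "step_up"):
        raise ValueError(mode)
    pw = account.password_ok(password)
    if mode == "step_up" and known_device:  # familiar device: code not requested
        return pw
    return account.code_ok(code, now) and pw  # both factors; code is consumed either way

if __name__ == "__main__":
    acct = Account("constructed-sample-password")
    stolen_phone_code = acct.issue_code()
    print("passwordless, phone only:", login(acct, "passwordless", code=stolen_phone_code))
    stolen_phone_code = acct.issue_code()
    print("two-factor, phone only:  ", login(acct, "two_factor", code=stolen_phone_code))
```

Because a four-character code is short, the sketch retires the code after a single attempt, right or wrong, and after its lifetime runs out.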

What's Your Opinion?

Would you switch to a system such as Yahoo's that doesn't require you to remember a password? Do you prefer the additional security of two-factor authentication? Or do you find the traditional system of a user name and password meets your needs?


Comments

magicmusicpro:

I would just like to be able to go through a year or two without having to suffer with Yahoo's constant changes -- especially E-Mail. The company is a pain in the ass what with the constant screwing around.

f58tammy:

This is not a feature I will be opting in for. The problem is every time I want to check my email I would have to make sure I had my phone (which I keep in my car) with me, wait for the code to get sent and then type it into my browser. I have a better idea: you pick six pictures and click on the one you designate as yours. Or if you want more than one, you can designate as many of the six as you want to click on. No passwords needed after you set this up, no phones, no hassles.