New Move a Step Forward in On-Demand Accessibility, But Is It More Secure?
Toward the middle of last month, Yahoo announced a new, opt-in system meant to make users feel more secure: a password-less entry system. Yes, you read that correctly. Yahoo created the new system in the hope that it would keep users’ passwords from becoming stale and insecure. But does it succeed?
Like two-factor authentication, the setup takes advantage of your phone and desktop device. Unlike two-factor authentication, however, no password is created for the non-phone device: login consists of clicking a button, after which a one-time, four-digit passcode is sent via text message. The user can then use the one-time passcode to get into their system.
While many security experts express optimism that a company such as Yahoo is trying to think ahead when it comes to user security, all agree that the new password system is actually less secure than two-factor authentication, and that switching from a two-factor system to the new one is a security downgrade.
The reason for the concern is simple: two-factor authentication requires a hacker to break two separate levels of authentication, which can be difficult. By contrast, malware sitting on a phone and collecting SMS messages can lead to an immediate break-in, because the texted passcode is all that login requires. As such forms of malware are increasingly common, Yahoo’s system may actually be less safe than a regular password system if a phone has already been compromised. So while Yahoo’s new four-digit passcode system may be interesting, and switching to it might feel easier, for users who already have two-factor authentication the switch could lead to big security holes later.
Verdict: This will perhaps be worth revisiting after a few months, once users see the longer-term effects for those who are using the new system, or at the next upgrade in any case.