Yahoo yesterday announced that in lieu of a standard username-password combination, Yahoo users in the US could log into their accounts with one-time passwords sent to their mobile phones via SMS message. Yahoo! calls them "on-demand passwords," texted to your mobile phone when you need them.
To be clear, Yahoo is not proposing "on-demand passwords" as a second factor of authentication, but rather as an alternative to the traditional username-password combo. It's really just replacing a "something you know" with a "something you have." Yahoo already offers two-factor authentication, but for now, it cannot be combined with on-demand passwords: users will need to choose between the two options.
Yahoo director of product management Chris Stoner writes that the new technology makes logging in "less anxiety-inducing," by eliminating the stress of remembering passwords. Certainly an admirable goal, but security professionals have mixed responses to the news.
"We need more innovation like this with authentication," says T.K. Keanini, CTO of Lancope. "Passwords are just pieces of information, and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo knows that the most personal device on a person these days is their mobile phone. And let's not stop here. Let’s keep innovating even more techniques to raise the cost to our attackers."
Yet, others aren't convinced. Instead of enhancing security like multi-factor authentication, some say, Yahoo's solution simply changes the single factor to something else -- something that can be infected, intercepted, broken, lost, stolen, or temporarily left unattended long enough for a nearby ne'er-do-well to do some mischief.
“Yahoo just made it easier for attackers to compromise an account," says Tim Erlin, director of product management and security and IT risk strategist for Tripwire. "Ease of use is taking center stage for Yahoo, but it opens up some new attack vectors as well. Two-factor authentication is more secure, because it requires an attacker to compromise more than a single piece of information to be successful.
"While Yahoo is lifting the burden of remembering a password," he says, "they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages and then have full access to your account."
Recent research by Alcatel-Lucent's Kindsight Security Labs estimated that 15 million mobile devices, Androids in particular, are infected by malware. One of the top threats was SMSTracker, which allows the attacker to remotely track and monitor all calls, SMS/MMS messages, GPS locations, and browser histories of an Android device.
[Having trouble getting your colleagues to take mobile threats seriously? Overwhelmed with mobile threats, and not sure where to start? Check out "Five Mobile Computing Vulnerabilities You Need To Know" at Interop Las Vegas.]
Keanini concedes that "the security of the system will depend on how secure that device remains over time. We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual," he says. "It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream."
Joe Siegrist, CEO and co-founder of LastPass, takes that thought a step further. He notes that not only might you need to worry about criminal attackers intercepting SMS communications; you need to wonder if the phone companies themselves will abuse their access to your device and what it transmits. "Moving to a model where any phone company can easily gain access to an account," he says, "is not progress, unfortunately."
Security analyst Graham Cluley would have preferred that Yahoo try another solution entirely. He writes:
Personally, rather than making things "simple" for users who cannot remember their passwords, I would have preferred to have seen Yahoo promoting the usage of password management software like LastPass, 1Password, and KeePass which would similarly make it unnecessary to remember passwords... and perhaps encourage stronger, unique passwords at the same time.
However, Cluley did add that Yahoo's on-demand password solution could be a good option when logging in from an untrusted device -- for example when one's traveling or using a public console. One could request an on-demand password instead of running the risk of, perhaps, having one's regular password slurped up by a keylogger.