Yahoo's One-Time Passwords Have Security Experts Divided

Better protection from keyloggers, but you'd better not lose your phone, Yahoo users.

Yahoo yesterday announced that in lieu of a standard username-password combination, Yahoo users in the US could log into their accounts with one-time passwords sent to their mobile phones via SMS message. Yahoo! calls them "on-demand passwords," texted to your mobile phone when you need them.

To be clear, Yahoo is not proposing "on-demand passwords" as a second factor of authentication, but rather as an alternative to the traditional username-password combo. It's really just replacing a "something you know" with a "something you have." Yahoo already offers two-factor authentication, but for now, it cannot be combined with on-demand passwords: users will need to choose between the two options.
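One way to model the distinction the article draws, as an added example that is not Yahoo's code (the parameters, the in-memory stores and the hashing are all constructed here): a small Python service that issues single-use, expiring SMS codes, where the `require_password` flag is the whole difference between the code being the only factor and being a second one.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # constructed: digits in an on-demand code
CODE_TTL_SECONDS = 300   # constructed: a code is good for five minutes
MAX_ATTEMPTS = 3         # constructed: wrong guesses before the code is burned


class OnDemandPasswordService:
    """Issues single-use codes for SMS delivery. With require_password=False
    the code is the only factor (the article's 'on-demand password');
    with True it is a second factor on top of the account password."""

    def __init__(self, require_password, clock=time.time):
        self.require_password = require_password
        self.clock = clock
        self.pending = {}          # user -> [code_hash, expires_at, attempts]
        self.password_hashes = {}  # hypothetical store; use a slow hash in practice

    def enroll(self, user, password):
        self.password_hashes[user] = hashlib.sha256(password.encode()).hexdigest()

    def request_code(self, user):
        # secrets, not random: in single-factor mode this code is the whole secret
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[user] = [hashlib.sha256(code.encode()).hexdigest(),
                              self.clock() + CODE_TTL_SECONDS, 0]
        return code  # what the SMS would carry

    def verify(self, user, code, password=None):
        if self.require_password:
            expected = self.password_hashes.get(user, "")
            given = hashlib.sha256((password or "").encode()).hexdigest()
            if not hmac.compare_digest(expected, given):
                return False       # first factor failed; the code is not consulted
        entry = self.pending.get(user)
        if entry is None or self.clock() > entry[1]:
            self.pending.pop(user, None)   # never issued, already used, or expired
            return False
        entry[2] += 1
        if entry[2] > MAX_ATTEMPTS:
            del self.pending[user]         # too many guesses: burn the code
            return False
        if not hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).hexdigest()):
            return False
        del self.pending[user]             # single use: a correct code is consumed
        return True
```

In single-factor mode, anyone who can read the SMS passes `verify` outright, which is exactly the single-target concern raised below; in two-factor mode the same code is useless without the password.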

Yahoo director of product management Chris Stoner writes that the new technology makes logging in "less anxiety-inducing," by eliminating the stress of remembering passwords. Certainly an admirable goal, but security professionals have mixed responses to the news. 

"We need more innovation like this with authentication," says T.K. Keanini, CTO of Lancope. "Passwords are just pieces of information, and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo knows that the most personal device on a person these days is their mobile phone. And let's not stop here. Let’s keep innovating even more techniques to raise the cost to our attackers."

Yet, others aren't convinced. Instead of enhancing security like multi-factor authentication, some say, Yahoo's solution simply changes the single factor to something else -- something that can be infected, intercepted, broken, lost, stolen, or temporarily left unattended long enough for a nearby ne'er-do-well to do some mischief.   

“Yahoo just made it easier for attackers to compromise an account," says Tim Erlin, director of product management and security and IT risk strategist for Tripwire. "Ease of use is taking center stage for Yahoo, but it opens up some new attack vectors as well. Two-factor authentication is more secure, because it requires an attacker to compromise more than a single piece of information to be successful.

"While Yahoo is lifting the burden of remembering a password," he says, "they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages and then have full access to your account."

Recent research by Alcatel-Lucent's Kindsight Security Labs estimated that 15 million mobile devices, Androids in particular, are infected by malware. One of the top threats was SMSTracker, which allows the attacker to remotely track and monitor all calls, SMS/MMS messages, GPS locations, and browser histories of an Android device.


Keanini concedes that "the security of the system will depend on how secure that device remains over time. We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual," he says. "It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream."

Joe Siegrist, CEO and co-founder of LastPass, takes that thought a step further. He notes that not only might you need to worry about criminal attackers intercepting SMS communications; you need to wonder if the phone companies themselves will abuse their access to your device and what it transmits. "Moving to a model where any phone company can easily gain access to an account," he says, "is not progress, unfortunately." 

Security analyst Graham Cluley would have preferred that Yahoo try another solution entirely. He writes:

Personally, rather than making things "simple" for users who cannot remember their passwords, I would have preferred to have seen Yahoo promoting the usage of password management software like LastPass, 1Password, and KeePass, which would similarly make it unnecessary to remember passwords... and perhaps encourage stronger, unique passwords at the same time.

However, Cluley did add that Yahoo's on-demand password solution could be a good option when logging in from an untrusted device -- for example when one's traveling or using a public console. One could request an on-demand password instead of running the risk of, perhaps, having one's regular password slurped up by a keylogger.  


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Strategist
3/22/2015 | 3:54:42 AM
One thing is for sure: it's an experiment
I value my own data enough to use two-factor authentication. I would like token + one-time password. No one offers it :(

I am a little bit concerned after watching so many hacking tutorials and reading so many security-related articles.  I've seen hackers in conference presentations say 'game over' way too many times.
User Rank: Ninja
3/17/2015 | 12:46:54 PM
Re: you can have...

And I might add, Yahoo doesn't care. They hold no liability in the end. I suppose that was the first thing they did when they received the venture capital years ago. That and to make sure the Chief Idiots were paid as well.


In the end, "It's a privilege not a right to use Yahoo", just ask them. And deep in the fine print is the clause "Use at your own risk".

User Rank: Ninja
3/17/2015 | 12:41:32 PM
Yahoo and Security 101

Every morning I wake up and hope Yahoo will finally get it, and I am still waiting.

Security 101 Rule #1: Never have one point for hackers to focus on - this is Security 101, Yahoooooo!

Maybe they should focus on all the hacker- and scam-infected emails that their servers allow, rather than making it easier for them to attack anything that is Yahoo.


Sadly, I am going to wake up tomorrow with the same hope.  The streak continues.

Marilyn Cohodas
User Rank: Strategist
3/17/2015 | 8:46:02 AM
Re: you can have...
and that disruptive technology would have to combine.... security & ease of use. And so it goes!

User Rank: Ninja
3/17/2015 | 7:58:49 AM
Re: you can have...
That's a problem though, as lack of ease of use is going to cause people not to bother, or sacrifice security in the name of that ease. 

Something new does need to be tried with security and authentication, as although two-factor is effective, I feel like that's a slope that leads to three factor and so on. We need a new, disruptive tech to give us the best of both worlds.

What this is though, I have no idea. 
Curt Franklin
User Rank: Author
3/16/2015 | 6:30:05 PM
Re: you can have...
Tom, I absolutely agree that you've succinctly stated the way things have always been viewed in the security industry. If we're going to have better security with the much larger user base that computers and mobile devices now enjoy, though, we're going to have to be smart enough to have systems that are secure and easy for authorized users to use properly. If we can't do that, users will continue to choose ease over security and we're all well and truly in deep trouble.
Thomas Claburn
User Rank: Ninja
3/16/2015 | 5:59:51 PM
you can have...
...security or ease of use.

Choose one.