Yahoo's One-Time Passwords Have Security Experts Divided

Better protection from keyloggers, but you'd better not lose your phone, Yahoo users.

Yahoo yesterday announced that in lieu of a standard username-password combination, Yahoo users in the US could log into their accounts with one-time passwords sent to their mobile phones via SMS message. Yahoo! calls them "on-demand passwords," texted to your mobile phone when you need them.

To be clear, Yahoo is not proposing "on-demand passwords" as a second factor of authentication, but rather as an alternative to the traditional username-password combo. It's really just replacing a "something you know" with a "something you have." Yahoo already offers two-factor authentication, but for now, it cannot be combined with on-demand passwords: users will need to choose between the two options.
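As an added example (not Yahoo's code, which the article does not show), here is the server side of an on-demand password flow of the kind described above, written to enforce the properties that make such a code "one-time": it is generated from a CSPRNG, stored only as a hash, expires, is discarded after a few wrong guesses, and is accepted exactly once. The lifetime and attempt limit are assumed values; the page does not state Yahoo's.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values; the page does not state Yahoo's actual limits.
OTP_TTL_SECONDS = 300   # a code is only useful for a short window
MAX_ATTEMPTS = 3        # wrong guesses allowed before the code is discarded


class OnDemandPasswordStore:
    """Server side of an SMS on-demand password login (constructed example)."""

    def __init__(self):
        self._pending = {}  # user -> [sha256(code), expiry_epoch, wrong_guesses]

    def issue(self, user, now=None):
        """Create a fresh 8-digit code for `user`; return it for delivery by SMS."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"       # OS CSPRNG, not random.random
        digest = hashlib.sha256(code.encode()).digest()
        # Only the hash is stored, so reading the server's table does not reveal
        # live codes; issuing again simply replaces any earlier code.
        self._pending[user] = [digest, now + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, user, code, now=None):
        """True exactly once per issued code, and only while it is still valid.

        Note what this cannot do: the server only sees the code, so whoever can
        read the user's SMS (the phone's owner or malware on it) is accepted
        alike. Nothing else is asked for, which is why this is a single factor.
        """
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry, wrong_guesses = entry
        if now > expiry or wrong_guesses >= MAX_ATTEMPTS:
            del self._pending[user]  # stale or being brute-forced: discard it
            return False
        candidate = hashlib.sha256(code.encode()).digest()
        if hmac.compare_digest(digest, candidate):  # constant-time comparison
            del self._pending[user]  # single use: replaying the same SMS fails
            return True
        entry[2] += 1
        return False
```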

Yahoo director of product management Chris Stoner writes that the new technology makes logging in "less anxiety-inducing," by eliminating the stress of remembering passwords. Certainly an admirable goal, but security professionals have mixed responses to the news. 

"We need more innovation like this with authentication," says T.K. Keanini, CTO of Lancope. "Passwords are just pieces of information, and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo knows that the most personal device on a person these days is their mobile phone. And let's not stop here. Let’s keep innovating even more techniques to raise the cost to our attackers."

Yet, others aren't convinced. Instead of enhancing security like multi-factor authentication, some say, Yahoo's solution simply changes the single factor to something else -- something that can be infected, intercepted, broken, lost, stolen, or temporarily left unattended long enough for a nearby ne'er-do-well to do some mischief.   

"Yahoo just made it easier for attackers to compromise an account," says Tim Erlin, director of product management and security and IT risk strategist for Tripwire. "Ease of use is taking center stage for Yahoo, but it opens up some new attack vectors as well. Two-factor authentication is more secure, because it requires an attacker to compromise more than a single piece of information to be successful.

"While Yahoo is lifting the burden of remembering a password," he says, "they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages and then have full access to your account."

Recent research by Alcatel-Lucent's Kindsight Security Labs estimated that 15 million mobile devices, Androids in particular, are infected by malware. One of the top threats was SMSTracker, which allows the attacker to remotely track and monitor all calls, SMS/MMS messages, GPS locations, and browser histories of an Android device.


Keanini concedes that "the security of the system will depend on how secure that device remains over time. We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual," he says. "It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream."

Joe Siegrist, CEO and co-founder of LastPass, takes that thought a step further. He notes that not only might you need to worry about criminal attackers intercepting SMS communications; you need to wonder if the phone companies themselves will abuse their access to your device and what it transmits. "Moving to a model where any phone company can easily gain access to an account," he says, "is not progress, unfortunately." 

Security analyst Graham Cluley would have preferred that Yahoo try another solution entirely. He writes:

Personally, rather than making things "simple" for users who cannot remember their passwords, I would have preferred to have seen Yahoo promoting the usage of password management software like LastPass, 1Password, and KeePass which would similarly make it unnecessary to remember passwords... and perhaps encourage stronger, unique passwords at the same time.

However, Cluley did add that Yahoo's on-demand password solution could be a good option when logging in from an untrusted device -- for example when one's traveling or using a public console. One could request an on-demand password instead of running the risk of, perhaps, having one's regular password slurped up by a keylogger.  


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Strategist
3/22/2015 | 3:54:42 AM
One thing is for sure: it's an experiment
I value my own data enough to use 2 factor authentication. I would like token+one time password. No one offers it :(

I am a little bit concerned after watching so many hacking tutorials and reading so many security-related articles.  I've seen hackers in conference presentations say 'game over' way too many times.
User Rank: Ninja
3/17/2015 | 12:46:54 PM
Re: you can have...

And I might add, Yahoo doesn't care. They hold no liability in the end. I suppose that was the first thing they did when they received the venture capital years ago. That and to make sure the Chief Idiots were paid as well.


In the end, "It's a privilege not a right to use Yahoo", just ask them. And deep in the fine print is the clause "Use at your own risk".

User Rank: Ninja
3/17/2015 | 12:41:32 PM
Yahoo and Security 101

Every morning I wake up and hope Yahoo will finally get it, and I am still waiting.

Security 101 Rule #1: Never have one point for hackers to focus on - this is Security 101, Yahoooooo!

Maybe they should focus on all the hacker- and scam-infected emails that their servers allow rather than making it easier for them to attack anything that is Yahoo.


Sadly, I am going to wake up tomorrow with the same hope.  The streak continues.

Marilyn Cohodas
User Rank: Strategist
3/17/2015 | 8:46:02 AM
Re: you can have...
and that disruptive technology would have to combine.... security & ease of use. And so it goes!

User Rank: Ninja
3/17/2015 | 7:58:49 AM
Re: you can have...
That's a problem though, as lack of ease of use is going to cause people not to bother, or sacrifice security in the name of that ease. 

Something new does need to be tried with security and authentication, as although two-factor is effective, I feel like that's a slope that leads to three factor and so on. We need a new, disruptive tech to give us the best of both worlds.

What this is though, I have no idea. 
Curt Franklin
User Rank: Author
3/16/2015 | 6:30:05 PM
Re: you can have...
Tom, I absolutely agree that you've succinctly stated the way things have always been viewed in the security industry. If we're going to have better security with the much larger user base that computers and mobile devices now enjoy, though, we're going to have to be smart enough to have systems that are secure and easy for authorized users to use properly. If we can't do that, users will continue to choose ease over security and we're all well and truly in deep trouble.
Thomas Claburn
User Rank: Ninja
3/16/2015 | 5:59:51 PM
you can have...
...security or ease of use.

Choose one.