Yahoo! now provides its users with the ability to receive one-time on-demand passwords on their mobile phones, eliminating the need to memorize and type traditional credentials. This is a promising way of tackling the challenge of making the logon process convenient while compelling users to use passwords that are hard to guess. Here's a first look at the workflow of Yahoo's on-demand passwords feature, along with a few comments and observations.
How to Activate Yahoo! On-Demand Passwords
Once logged into the Yahoo! account, the person needs to go the Personal info page of their user profile, select Account security and click "Get started" in the On-demand passwords area.
The user will be asked to verify his or her phone number, since that is where Yahoo! will eventually send on-demand passwords. The verification process entails Yahoo! sending a 5-digit code using SMS, which the person will need to type into the Yahoo! web page.
After validating their access to the phone, the person is asked to define or establish an email-based account recovery method. Yahoo! will send account access recovery instructions to the designated email address, should the user request this action later.
After enabling on-demand passwords, the person will be reminded that some apps don't support his feature and, instead, require the use of application-specific "set-and-forget" passwords.
Logging on Using Yahoo! On-Demand Passwords
When Yahoo! users attempt to sign into the service, the see the traditional window requesting the username and password pair. However, the window automatically changes if the person enters a username that corresponds to an account that enabled on-demand passwords.
The notion of a standard password no longer applies if the user enabled on-demand passwords. When signing on, the person is expected to click the "Send my password" button after typing their username. Yahoo! then sends an SMS message to the person's phone a one-time four-character code to use in lieu of a traditional password.
The process is reasonably convenient from the user's perspective, though some people might be confused by the traditional logon screen that requests both the username and password. My primary concern with the workflow is that it makes it relatively easy for a scammer to determine which accounts use traditional vs. on-demand passwords and to spam the phones of on-demand users with unsolicited logon codes. All the miscreant needs to do to accomplish this is to supply victims' usernames to the Yahoo! logon form.
What If the User Cannot Receive the On-Demand Password?
Yahoo! users who enabled on-demand passwords will be somewhat inconvenienced in situations where users cannot receive the SMS message carrying the one-time-use authentication code. People in such situations will need to validate that they have access to the email address or phone number they've enrolled with Yahoo! earlier.
The person needs to click "I can't access my account" at the initial logon screen. Assuming the user remembers their username, Yahoo! will send an account access recovery instructions to the person's email address or mobile phone.
After following instructions that Yahoo! sends to the user's email address or mobile phone, the user will be logged into their Yahoo! account. At that point, they will also have the option to easily disable on-demand passwords.
Note that although users cannot directly use their traditional password after enabling on-demand passwords, Yahoo! hangs on to the (hash of the) original password. Therefore, it's important that people select a hard-to-guess password before enabling the Yahoo! on-demand password feature.
In Search of Easier Authentication Options
Perhaps the biggest security concern associated with Yahoo! on-demand passwords was outlined by Graham Cluley. He pointed out that anyone in the possession of the user's phone and knowledge of his or her username can logon to Yahoo! as that person. Despite this weakness, this authentication scheme improves security by addressing the most common threats related to unauthorized account access. People who decide to enable on-demand passwords will not be away from their phones for long and will quickly notice when the phone disappears. The best way to address this risk is to configure the phone to lock itself after a brief period of inactivity and to avoid showing SMS messages until the phone is unlocked.
It's exciting to see companies continue to look for less intrusive ways of authenticating users while making the logon experience as unobtrusive as possible. Yahoo! on-demand password are innovative and their initial implementation seems to do a reasonable job of balancing security with convenience. I'm sure the company will refine the implementation and workflow of this feature based on feedback from users and the community at large.
If the topic of passwords and authentication interests you, take a look at the following articles of mine:
- Creative Options for Better Authentication of Mobile Phone Users
- We Still Suck at Protecting Logon Credentials
- Beyond Logins: Continuous and Seamless User Authentication