Yahoo has announced a new on-demand password feature that lets users log in to their account with a code sent to their mobile phone.

Yahoo has announced a new password-free login feature that lets users access their account without a memorized password. When a user signs in, an on-demand password is texted to the mobile phone associated with the account, as Yahoo explained in a blog post. The feature is initially available only to U.S. users.

“Today, we’re hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them,” Chris Stoner, Director of Product Management at Yahoo!, wrote in a blog post. “You no longer have to memorize a difficult password to sign in to your account – what a relief!”

To enable the feature and start receiving on-demand passwords, users take the following steps:

1) Sign in to Yahoo.com.

2) Click on the user name at the top right corner to go to the account information page.

3) Select “Security” in the left bar.

4) Click on the slider for “On-demand passwords” to opt-in.

5) Enter the phone number associated with the account and Yahoo will send a verification code.

6) Enter the code to log in.

The on-demand password isn't the only feature Yahoo announced: Chief Information Security Officer Alex Stamos confirmed that the company plans to introduce end-to-end encryption for email this year, a necessary measure to improve privacy protection following Snowden's revelations.


The company's stated intent is to improve the user experience while maintaining a high level of security, but is that really the case?

“Our goal is to have this available by the end of the year,” Stamos told AFP. “Anybody who has the ability to write an email should have no problem using our email encryption.”

There is no doubt that on-demand passwords spare users from remembering complex passwords, and a random, short-lived code is a stronger single-factor authenticator than a weak or reused password. Be aware, however, that this is not the two-factor authentication process that Yahoo already provides.

In a two-factor authentication process, users must provide a password and then a second code sent to their mobile phone; with on-demand passwords, users only need to enter the password sent via text message during the login process.

In summary, when Yahoo users opt in to the on-demand password feature, they will see a button on the Yahoo login page that reads "Send my password." By clicking the button, users receive a five-character code via SMS.

The on-demand system cannot be as secure as two-factor authentication because it relies on a single factor, possession of the phone, to log users in. Do not be fooled by the fact that the code arrives via SMS: an attacker who steals your mobile device, or who can otherwise read your text messages, can request a code and take over the account.
We must also keep in mind that services implementing two-factor authentication can be hacked too, so it is important to evaluate the actual level of security a service offers.
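To make the single-factor versus two-factor distinction concrete, the toy server below models both flows side by side. It is an added illustration, not Yahoo's code, and it does not describe Yahoo's actual implementation: the five-character code length comes from the article, while the code alphabet (lower-case letters and digits), the five-minute code lifetime, the five-guess limit and the `LoginServer`/`login_on_demand`/`login_two_factor` names are assumptions. The SMS gateway is replaced by an in-memory outbox so the example runs offline.

```python
"""Toy model of an SMS on-demand password login next to a classic
password-plus-SMS-code second factor.  Added illustration; not Yahoo's
code.  Assumed parameters: lower-case/digit alphabet, 5-minute lifetime,
5 guesses per code.  The 5-character length is taken from the article."""
import hashlib
import hmac
import secrets
import string
import time

CODE_ALPHABET = string.ascii_lowercase + string.digits  # assumption
CODE_LENGTH = 5                                          # from the article
CODE_TTL_SECONDS = 300                                   # assumption
MAX_ATTEMPTS = 5                                         # assumption


def _hash(value: str) -> bytes:
    # Fine for a short-lived random code; a real password store would use
    # a slow, salted KDF (scrypt/argon2) instead of bare SHA-256.
    return hashlib.sha256(value.encode()).digest()


class LoginServer:
    """Keeps one pending code per user and, optionally, a password hash."""

    def __init__(self, passwords=None):
        self.password_hashes = {u: _hash(p) for u, p in (passwords or {}).items()}
        self.pending = {}   # user -> [code_hash, expires_at, attempts_left]
        self.outbox = []    # constructed stand-in for the SMS gateway

    def send_code(self, user, phone, now=None):
        """Generate a fresh random code, store only its hash, 'text' it."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[user] = [_hash(code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.outbox.append((phone, code))

    def _check_code(self, user, code, now):
        entry = self.pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[user]          # expired or burned: force a new code
            return False
        entry[2] -= 1                        # every guess costs one attempt
        if hmac.compare_digest(code_hash, _hash(code)):
            del self.pending[user]          # single use
            return True
        return False

    def login_on_demand(self, user, code, now=None):
        """Single factor: whoever holds the phone (or can read its SMS) is in."""
        return self._check_code(user, code, time.time() if now is None else now)

    def login_two_factor(self, user, password, code, now=None):
        """Knowledge (password) AND possession (code) are both required."""
        stored = self.password_hashes.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            return False
        return self._check_code(user, code, time.time() if now is None else now)


def guess_probability(attempts=MAX_ATTEMPTS):
    """Chance of guessing one code within the attempt budget (no phone needed)."""
    return attempts / len(CODE_ALPHABET) ** CODE_LENGTH


if __name__ == "__main__":
    srv = LoginServer({"alice": "correct horse battery"})
    srv.send_code("alice", "+1-555-0100", now=1000.0)
    phone, code = srv.outbox[-1]
    print("on-demand login with the texted code:", srv.login_on_demand("alice", code, now=1001.0))
    print("online guessing odds per code:", guess_probability())
```

The point the model makes is structural: `login_on_demand` never consults anything the user knows, so stealing the handset (or intercepting the SMS) is sufficient, whereas `login_two_factor` fails on the same stolen code without the password. The expiry, attempt limit and single-use deletion keep the 5-character code from being brute-forced online, but they do nothing against an attacker who simply reads the message.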

Yahoo! has already released on GitHub the source code of a beta version of its first Yahoo-specific end-to-end (e2e) email encryption plug-in.

“We encourage other mail providers to build compatible solutions, and for security researchers to take a look and report any potential vulnerabilities they find via our Bug Bounty program,” Stamos wrote in a blog post.

Pierluigi Paganini