Yahoo just launched a new login process that does away with static passwords in favor of single-use versions sent to smartphones on the fly.
The company says its new approach, which is similar to two-factor authentication, is designed to boost ease and security. When it comes to strangers, it just might. But it could also give anyone in your life—like roommates or family members—some souped-up snooping powers.
Are Disposable Passwords More Secure?
Instead of relying on a fixed password, Yahoo’s system sends a temporary access word or code on demand to your smartphone. This should bypass the use of easily guessable passwords or hard-to-memorize character soup like “K7jl3nwes0f.”
The on-demand passwords are also disposable; once they’re used, they won’t work again. That should be comforting for the large swaths of people who ignore security experts and use the same login across multiple accounts. In other words, attackers can’t get their hands on a single key that could unlock your whole kingdom.
The premise relies entirely on you having your smartphone by your side. In that way, it’s similar to two-factor authentication protocols that kick into action when you try to log in (first factor) and text you an unlock code (second factor). Numerous services—including Gmail, Facebook and Twitter—offer two-factor options.
Yahoo itself also offers two-step verification, but to use the new on-demand system, you must disable it. Once you do, you forgo the secondary layer of protection for your Yahoo Mail (and presumably Flickr and Tumblr accounts, too). Now, anyone with your phone may see your on-demand password, and unlocking the device won’t even be necessary in most cases.
Text messages, after all, are often set to show up directly on phones’ lockscreens.
Of course, the system still requires you to enter your Yahoo username. That may make it more tempting for the people you already know than for strangers: loved ones are likely to be within view of your smartphone, and they already know your username.
According to a recent survey of 13,132 respondents conducted by anti-virus software company Avast, one in five men and one in four women confessed to checking their partner’s smartphone. Those are merely the participants who admitted to spying. Add in attentive parents, prying roommates or nosy siblings, and you might wind up with a whole lot of unauthorized access.
Whether the threat comes from strangers or loved ones, password management applications and services still seem like the best bet. Users have plenty of options now, including those from LastPass, Dashlane, 1Password and others. These can act like iron fortresses for your logins, without clamping them down so tightly that you can’t share some when need be.
You can’t blame Yahoo for trying to improve email security. The company, which serves more than 80 million users in the U.S. and more than 270 million users worldwide, announced these changes following a well-publicized email security breach last January.
Last year, Yahoo announced that it was working with Google on an end-to-end email encryption plugin, and it just showed off the fruits of its labor at SXSW. As with its new on-demand passwords, the company hopes to make email encryption more commonplace by making the process simpler.