The poor old password, that random string of letters and numbers that people use to check email, make purchases or access bank account information. These days the password has a target on its chest; hardly a day goes by without some sort of email popping into my inbox stating that a technology is going to kill the age-old authenticator.
I don’t think the password will ever completely go away, it will be deprecated and be one thread in a tapestry of various authentication factors. But Yahoo is not standing still and while not killing the password outright it is replacing them with one-time passcodes.
Instead of accessing a Yahoo account with the traditional login information, account holders can now opt to be send a code to their mobile device. After choosing the new security feature and enrolling the mobile device the user will receive a temporary password to access information.
Reaction to the news has been mixed. LastPass, a password manager provider, says the solution is actually weaker since it is only one factor of authentication and phone numbers can be ported to different devices.
Ping Identity says Yahoo isn’t killing the password but optimizing the the reset flow, says John Bradley, senior technical architect at Ping Identity. “Yahoo has automated account recovery so it can be done for every login, which matches the way a lot of people manage passwords now — they don’t bother remembering them and do a reset every time they want into an account,” he explains.
This solution can be more secure than how individuals reset passwords traditionally. “Sending a new password via SMS is probably more secure than sending via email, which is likely available on your unlocked phone and other places. Letting users opt-in to using single factor is better than the password alone,” Bradley adds.