Yahoo: Forgot your password? No problem, just don't lose your phone.
At SXSW, Yahoo debuts its 'on-demand' password feature and demonstrates how its prototype for end-to-end encryption will be simpler for all.
Yahoo announced at the 2015 South by Southwest festival (SXSW) that “on-demand” passwords are now available for Yahoo e-mail users. The feature works by having the company send short, temporary passwords via text message, which individuals can use to access their e-mail.
Users can sign up by logging into their Yahoo account with their normal password and accessing the on-demand feature through the security setting. Once the feature is activated and the account holder’s phone is registered, the password field will be replaced by a "send my password" button. Yahoo will then text a four-character passcode that can be used one time to enter an account.
This process is referred to as "two-factor authentication" and is already used by many services, including Gmail. The two-step process works by having users enter their password and the company then send a corresponding second password, but Yahoo is attempting to subtract a step by allowing users to have the second password sent directly to their phones without entering their personalized code.
“This is the first step to eliminating passwords," says Dylan Casey, Yahoo's vice president of product management for consumer platforms, in an interview with CNET at the festival.
The new security measure is meant to address the vulnerabilities that weak and overused passwords expose consumers to, though the system is not perfect.
Some have pointed out that users will only be able to access Yahoo e-mail with a cellular and Internet connection (which can be a problem on a flight), but there are more pressing issues, such as what happens if someone loses their phone. The on-demand alerts appear on a phone’s lock screen, so another person could potentially breach a Yahoo account without knowing the account's personal password. Additionally, hackers (of all kinds) still have the capability to break into phones, but the on-demand option is expected to be the first phase in Yahoo’s plans to beef up e-mail security.
In addition to helping users secure passwords, Yahoo is also looking to simplify the encryption process for customers.
Last August, Yahoo announced it would be offering end-to-end encryption sometime in 2015. This type of security measure differs from the basic SSL encryption, which is used automatically with Web mail, because instead of allowing the service provider to see the e-mail, only the sender and receiver can read the message.
During a SXSW presentation, Yahoo showed off its unfinished product by comparing its new encryption method to a more traditional technique. A side-by-side video displayed how the process took about a minute for a Yahoo user, while the Mac OS user was left in the dust.
Yahoo has also partnered with Google, which plans on offering its own end-to-end version, to extend the service. This is important for end-to-end encryption because it requires the cooperation of both e-mail providers for a message to remain private.
In an interview with The Washington Post, Yahoo information security chief Alex Stamos explained that for an encryption tool to be effective, it has to be basic enough for everyday users, yet strong enough to protect those facing more “advanced threats,” such as activists and journalists in nations that stifle free speech.
"What we're trying to do at Yahoo is build our products so they're safe and trustworthy, not just secure," Mr. Stamos told the Post. Yahoo says it understands that convincing people to take this extra step for security requires the process to be as easy as possible and should entail no more than a few clicks.
Yahoo plans to roll out the end-to-end encryption feature by the end of 2015.