Bravo Yahoo! Thank you for introducing password “insecurity” to casual internet users and helping to bring it back to the forefront of security pundits’ discussions. Yahoo! doubled down on staying relevant with end-users and the industry as a whole by unveiling their Yahoo! On-demand password security offering last week. True, allowing users to log in with a one-time code sent to their cell phone shows a degree of innovation. Be that as it may, Yahoo! is now experiencing the double-edged sword of playing fast and loose with user security. The blogosphere has come down hard on them since the offering hit the internet, and the CISO himself has had to respond to the criticism.
By most measures, Yahoo! is the second most popular email service in the world. Handling over 800 million active users per month is impressive, and it speaks to the company’s maturity. They have first-hand experience with every demand a technology company could face, including ensuring end-users can access their service. I applaud Yahoo! for going out on a limb with their new On-demand password security approach. They’re thinking of new ways to tackle well-known problems, but are doing so with the understanding that the end result must be palatable to their user base. They didn’t develop this offering in a bubble. It’s available now and doesn’t require users to upgrade to a new browser or wait for a new industry-wide protocol to be developed.
These are good things.
Of course, it is not all sunshine and roses. In my opinion, the 4-character one-time passcode used by the Yahoo! On-demand password security solution is too weak. The code is drawn only from uppercase letters, so a single random guess has a 1 in 26^4 (456,976) chance of being correct. Google Authenticator uses 6-digit codes (1 in 10^6, or 1,000,000), so Yahoo! has undershot in this regard. How much that matters in practice depends on how many guesses an attacker can make before the code expires or the account locks; without a tight attempt limit, a keyspace this small is within reach of an online guessing attack. Use of a phone as the authentication channel is also not a deterrent to a serious, targeted attacker, as this article details. The ultra-security-conscious are correct that Yahoo!’s new method is far inferior to full two-factor authentication, but that view ignores the usability aspect. Our PortalGuard solution has actually offered an “OTP only” logon option since 2011 but, to date, few customers have enabled it. Whether this is because administrators are leery of the security ramifications is unknown.
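To make the keyspace comparison concrete, here is an added example (my own illustration, not Yahoo!’s or PortalGuard’s code) that computes the guessing odds for a 4-uppercase-letter code versus a 6-digit code under a given attempt budget, and shows the server-side check that actually decides whether that keyspace is enough: a CSPRNG-generated code, a constant-time comparison, and a cap on guesses after which the code is burned. The attempt cap, the one-code-per-user policy and the `OnDemandCodeVerifier` class are assumptions made for the example, not a description of Yahoo!’s implementation.

```python
import hmac
import math
import secrets
import string

# Code formats under discussion: (alphabet, length).
YAHOO_STYLE = (string.ascii_uppercase, 4)   # 4 uppercase letters, as described in the post
AUTHENTICATOR_STYLE = (string.digits, 6)    # 6 decimal digits, as Google Authenticator uses


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct codes the format can produce (26**4 = 456,976 for Yahoo!-style)."""
    return len(alphabet) ** length


def generate_code(alphabet: str, length: int) -> str:
    """Draw a code uniformly at random from a CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_success_probability(space: int, attempts: int,
                              fresh_code_each_attempt: bool = False) -> float:
    """Chance an online guesser wins within `attempts` tries.

    If the same code stays valid across attempts and the attacker never repeats a
    guess, success is attempts/space (capped at 1). If every attempt burns the code
    and a new one is issued, tries are independent: 1 - (1 - 1/space) ** attempts.
    """
    if attempts <= 0:
        return 0.0
    if fresh_code_each_attempt:
        return 1.0 - (1.0 - 1.0 / space) ** attempts
    return min(1.0, attempts / space)


def attempts_for_probability(space: int, target: float) -> int:
    """Distinct guesses needed before a fixed code falls with probability >= target."""
    return math.ceil(target * space)


def compare_formats(attempt_budget: int) -> dict:
    """Success odds for both formats given the same number of allowed guesses."""
    return {
        "upper4": guess_success_probability(keyspace(*YAHOO_STYLE), attempt_budget),
        "digit6": guess_success_probability(keyspace(*AUTHENTICATOR_STYLE), attempt_budget),
    }


class OnDemandCodeVerifier:
    """Server-side check for a code delivered out of band (e.g. by SMS).

    Assumed policy for this example: one live code per user, a small attempt cap,
    and the code is invalidated on success or when the cap is reached.
    """

    def __init__(self, alphabet: str, length: int, max_attempts: int = 5):
        self.alphabet = alphabet
        self.length = length
        self.max_attempts = max_attempts
        self._pending = {}  # user -> (code, attempts used so far)

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`; in production this is what gets sent to the phone."""
        code = generate_code(self.alphabet, self.length)
        self._pending[user] = (code, 0)
        return code

    def verify(self, user: str, guess: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False  # nothing outstanding, already used, or locked out
        code, used = entry
        used += 1
        # Constant-time comparison so response timing does not leak how many
        # leading characters matched. Uppercasing lets users type "abcd" for "ABCD".
        ok = hmac.compare_digest(code.encode(), guess.upper().encode())
        if ok or used >= self.max_attempts:
            del self._pending[user]  # burn the code on success or after the cap
        else:
            self._pending[user] = (code, used)
        return ok


if __name__ == "__main__":
    for budget in (5, 100, 10_000):
        print(budget, compare_formats(budget))
    print("guesses for 50% on a fixed 4-letter code:",
          attempts_for_probability(keyspace(*YAHOO_STYLE), 0.5))
```

With a cap of five guesses per issued code, both formats hold an attacker to roughly one chance in 100,000 (4 letters) versus one in 200,000 (6 digits); the numbers only diverge into something dangerous when the server lets thousands of guesses through against a single code, which is the setting the verifier class above is meant to rule out.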
Yahoo! will definitely discover if end-users have similar reservations.