Yahoo Mail, which is celebrating its 18th birthday this month, has evolved over the years in many ways. Yahoo announced a new version of its Mail service this week, promising users a new way to secure access that doesn’t require passwords.
The cornerstone of Yahoo’s password-less approach to Mail access is a technology the company is calling Yahoo Account Key. In a Tumblr post, Dylan Casey, vice president of product management at Yahoo, explained that Account Key makes use of push notification on a mobile device to provide users with an easy way to access a Yahoo account.
“Account Key streamlines the sign-in process with a secure, elegant and easy-to-use interface that makes access as easy as tapping a button,” Casey said. “It’s also more secure than a traditional password because once you activate Account Key—even if someone gets access to your account info—they can’t sign in.”
Security experts eWEEK contacted expressed skepticism about the password-less future that Yahoo is now promising.
Passwords have been an absolute bane for users for a long time, said Jake Kouns, chief information security officer at Risk Based Security. “No one likes to have to remember a password, or worse yet, be forced to change it regularly,” Kouns told eWEEK. “At Risk Based Security, we have tracked over 268 million accounts and credentials exposed and many are leading to data breaches, so there definitely needs to be a better solution than just passwords.”
If Yahoo can successfully come up with a secure approach that effectively removes the need for passwords, it will definitely be appealing to users, Kouns said. However, he added, “On the surface, Yahoo’s approach has outlined removing passwords, but unfortunately, actually appears to not be truly improving security.”
Yahoo’s approach is moving away from what many consider to be a tried-and-true best practice of using two-factor authentication that includes a combination of something a user has and something a user knows.
“Regardless, if the Yahoo approach is more secure, it doesn’t appear to be worse that what is already implemented for most email providers,” Kouns said. “If it makes life better for users, they will most likely be happy users.”
Lance James, cyber-security and intelligence advisor for Unit 221b, said that the Yahoo password-less approach is “gimmicky” and doesn’t really make a massive dent in the problem. “The fact that you have to use your phone number for this is ill-advised, mainly because it’s another piece of data that’s traded out instead of a password,” James said. “The one step is interesting, but the phone or smartwatch device shouldn’t be assumed to be trusted or unlocked or left around somewhere that someone can get it.”
There is a simple attack vector against the new system, given that mobile device malware is a growing problem, James said, adding that if an attacker is somehow able to compromise a phone, the Yahoo password-less system is a risk.
“If they [attackers] merely find out the Yahoo user name and log in to Yahoo with a compromised Android phone [which is more likely than with an iPhone], it’s quite easy for them to forward the text or just hit the ‘yes’ button without the user being notified,” James said.
Yahoo’s new approach isn’t going to make much of a difference, James said. “I don’t think in the long run this feature makes a major impact against many of the common attacks,” he added.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.