Yahoo’s on-demand passwords are simple, but are they safe?

Yahoo has just announced what it calls ‘a new, simple way to log in’. With the new opt-in login process, Yahoo sends an SMS text message to your phone containing a temporary password that you use to log in to your account. Yahoo is shifting the basis of authentication from ‘what you know’ (i.e. passwords, which are hard) to ‘what you have’ (your cellphone, which is easy). The optional authentication method is not, in and of itself, a security problem, as long as users apply the same basic precautions to their phones that they should already be applying to their passwords.
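To make concrete what an on-demand password actually is on the server side, here is an added example of the basic flow: a random temporary code is generated, delivered out of band (the SMS sender is a pluggable callback), stored only as a hash with an expiry, and accepted exactly once with a small guess budget. This is a generic design written for this post, not Yahoo’s code; the five-minute lifetime, three-attempt limit, code alphabet and the `send_sms`/`now` callbacks are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed policy values (not Yahoo's): a short lifetime, a few guesses, and an
# alphabet without look-alike characters so the code is easy to type from a text.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 8


def _digest(code: str) -> bytes:
    """Hash the code so the server never keeps the plaintext around."""
    return hashlib.sha256(code.strip().upper().encode("utf-8")).digest()


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class OnDemandPasswordService:
    # send_sms(phone_number, message): the out-of-band delivery channel.
    send_sms: Callable[[str, str], None]
    # Injectable clock so expiry can be tested deterministically.
    now: Callable[[], float] = time.time
    phones: Dict[str, str] = field(default_factory=dict)        # user -> phone
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def request_code(self, user: str) -> None:
        """Generate a fresh temporary password and text it to the user's phone."""
        phone = self.phones[user]
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        # A new request replaces any earlier code, so only the latest SMS is valid.
        self.pending[user] = PendingCode(_digest(code), self.now() + CODE_TTL_SECONDS)
        self.send_sms(phone, f"Your temporary password is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime, with a bounded guess budget."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.now() > entry.expires_at:
            del self.pending[user]          # expired: discard, user must re-request
            return False
        if hmac.compare_digest(entry.code_hash, _digest(submitted)):
            del self.pending[user]          # single use: a replayed code fails
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self.pending[user]          # too many guesses: discard the code
        return False


if __name__ == "__main__":
    # Stand-alone demo with a constructed "SMS" channel that just records messages.
    outbox = []
    svc = OnDemandPasswordService(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    svc.phones["alice"] = "+1-555-0100"   # constructed sample number
    svc.request_code("alice")
    code = outbox[-1][1].split()[-1]      # what the user would read off the text
    print("first use accepted:", svc.verify("alice", code))
    print("replay accepted:", svc.verify("alice", code))
```

The properties worth noticing are the ones the post’s precautions depend on: the code is useless after one login or a few minutes, so its only real exposure window is whoever can read the phone’s screen while the text is fresh.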


If you are considering using Yahoo’s new process, you should be taking steps to protect your phone – at minimum:

  • never let anyone else use your cellphone
  • always lock your cellphone
  • in case of loss or theft of your cellphone, change passwords on accounts that someone finding it would have access to

The problem is that most people don’t follow even basic security rules, and the odds are that they won’t suddenly change their ingrained bad habits. For example, only a small number of people actually lock their smartphone when it’s not in use (only 36% set a 4-digit security code), which means that someone could take advantage of an unguarded moment to do whatever he likes with the phone.

Because people continue to use cellphones as if they were only for phone calls, rather than devices holding email, Internet access, calendars and private data, I don’t consider the new Yahoo on-demand login to be the best or safest option. This has nothing to do with the technical implementation, but with the way people typically use their phones.