In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones.
If this sounds like a two-factor authentication system where users need to provide one-time codes sent to their mobile phones in addition to their static passwords, it's not. Yahoo already had that option.
Instead, the new log-in mechanism, which is based on what Yahoo calls on-demand passwords, still relies on a single factor, the user's phone number.
Yahoo users -- only those based in the U.S. for now -- can turn on the new feature from their account security settings on Yahoo's site. They will need to provide a phone number and then confirm that they have access to it by inputting a verification code sent to them via SMS.
Once the system is set up, the next time they want to log in, Yahoo users will see a button that says "send my password" instead of a traditional password input field. Clicking on that button will send them a temporary four-character password via SMS.
The new system offers better security than static passwords, which can be stolen in a variety of ways, but it's not as effective as two-factor authentication because it depends solely on how secure the user's phone is.
"Two-factor authentication is more secure because it requires an attacker to compromise more than a single piece of information to be successful," said Tim Erlin, director of product management at security firm Tripwire, via email. "While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages, and then have full access to your account."
The ability to intercept, steal and hide text messages is common for mobile malware, particularly for threats that target online banking users who often receive transaction and other authorization codes via SMS.
In addition, if a phone is lost or left unsupervised, it could be used to generate a password for the phone owner's Yahoo email account. As many incidents have shown, a person's email account can be a gateway for further compromises, because it can be used to reset the password for the user's accounts on other websites.
Malware creators will increasingly target mobile platforms because of the important role they play for users' online security, said TK Keanini, CTO at security firm Lancope, via email. "It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream."
Sign up for CIO Asia eNewsletters.