Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Yahoo's new on-demand password system is no replacement for two-factor authentication

Lucian Constantin | March 17, 2015
The new authentication option offers better security than static passwords, but it's not as strong as two-step verification.

Researchers have warned for years that static passwords no longer provide sufficient protection for online accounts, so any effort to replace them with something else is generally welcome.

It remains to be seen how vulnerable Yahoo's new system is, "but it can only be a good thing that a well-known brand in the technology field is seeking different ways to revamp the password," said Chris Boyd, a malware intelligence analyst at Malwarebytes, via email.

Given a choice, however, Boyd would still choose two-factor over single-factor authentication any time.

So, if you already have "two-step verification" enabled on your Yahoo account it's better to stick with it and not switch to the new "on-demand password" system. The two appear to be incompatible and switching to on-demand passwords could actually downgrade your account's security, according to Erlin.

Even with the potential drawbacks, "it is good to see Yahoo trying to address the password problem," said Jared DeMott, principal security researcher at Bromium, via email. However, most users will only do only what is required of them by default, "so if companies are serious about better login security, the default choice will need to be modified."

For now, Yahoo's new on-demand password system requires users to opt-in.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.