Sergey Nivens - Fotolia

Yahoo announces password-killing Account Key

Yahoo Account Key uses push notifications to provide a fast and secure way to access Yahoo accounts from a mobile device

Yahoo has announced a password-free way of signing into accounts to improve security and usability.

Yahoo Account Key uses push notifications to provide a fast and secure way to access Yahoo accounts from a mobile device.

This means users will no longer have to remember complicated passwords and, at the same time, will benefit from increased security.

Yahoo Account Key is said to be more secure than a traditional password because once it is activated, even if hackers get access to account info, they will not be able to sign into accounts.  

Account Key is available globally for the new Yahoo Mail app, with other Yahoo apps to be added later in 2015.

The move comes seven months after Yahoo replaced traditional passwords with single-use SMS codes, which the company said was the first step towards a “password-free future”.

Account Key works by linking Yahoo accounts to a mobile device. When a user opens an account with the feature enabled and enters their username, Yahoo sends a push notification to the device, which can then be approved or denied with a single tap.

Yahoo’s initiative is aimed at introducing a second factor of authentication and eliminating the problem of forgotten passwords and the re-use of the same password for multiple accounts.

Passwords are difficult to remember and secondary sign-in verification is inconvenient and confusing,” said Yahoo vice-president of product management Dylan Casey.

Were now taking a major leap towards a password-free future with the launch of Yahoo Account Key, which uses push notifications to give users simple and secure access using their mobile device,” he said.

Access control concerns

Despite usernames and passwords long being considered inadequate security mechanisms, some security commentators were critical of Yahoo’s switch to SMS codes.

The company’s latest scheme, aimed at killing off the password, is likely to come under similar criticism.

Commenting on Yahoo’s SMS codes, independent security consultant Graham Cluley said that access to online accounts controlled only by who has access to a mobile is not a good thing.

“All an unauthorised user would need is your Yahoo username and their paws on your mobile. Depending on how you have configured your smartphone, someone may not even need to unlock your device to read the SMS message it has just received from Yahoo,” he wrote in a blog post.

According to Cluley, Yahoo should have instead promoted the use of password management software such as LastPass, 1Password and KeePass.

Password management software, he said, would make it unnecessary to remember passwords, but at the same time encourage stronger, unique passwords.

The demise of the password

The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and harder to remember.

In 2012, security experts at UKFast warned that a tool for hackers capable of cracking nine billion passwords a second was available for as little as £400.

The Fast Identity Online (Fido) Alliance is a consortium of IT companies – including PayPal, Lenovo and Google – that hopes to revolutionise online authentication with an industry-supported standards-based open protocol.

In October 2014, Google launched a Fido-compliant USB security key to eliminate the reliance on mobile phones for its two-step verification service and sidestep hacker attempts to steal passcodes. 

The Fido protocol is designed to address the lack of interoperability among strong authentication technologies to reduce the reliance on usernames and passwords.

Previous attempts at introducing alternatives to passwords have failed because of the lack of an industry-wide standard, but pundits say Fido members may be big enough to make it happen.

Fido standards support a full range of authentication technologies, including biometrics, as well as further enabling existing technologies such as trusted platform modules, USB security tokens, embedded secure elements, smartcards and near-field communication.

Read more about password alternatives

Read more on Hackers and cybercrime prevention