Yahoo only the latest at "kill the password" altar

Industry looking to improve access controls and authentication, but decisions still governed by security requirements, use cases, hacker disruption
Written by John Fontana, Contributor

Yahoo this week became the latest to pass out the torches and pitchforks on the march to kill the password as a way to repair authentication for consumers and enterprises.

The ongoing deathwatch is a popular rallying point, but the bottom line is a multitude of authentication options will exist going forward based on security requirements, use cases, and even court cases.

Yahoo Thursday took a step toward eliminating the password on its mail services by offering up push notification to mobile phones for access control, which asks a user to confirm they are trying to log into their account. The user taps a button to accept or reject the log-in.

The announcement is part of a series of identity and authentication improvements Yahoo has been undertaking for nearly the past two years, including a similar push service called On-Demand Password that was not well received, and a plan to adopt a standard identity federation protocol called OpenID Connect.

But this latest twist hopes to take a major leap forward, one that has proved elusive to the industry for many reasons, including poor adoption numbers. Yahoo's newest authentication service, called Account Key, seeks to replace the password with a phone notification.

Similar phone-based authentication services are advertised as two-factor authentication, since the user must present a secret they know (password) and something they have (phone code) when logging in. Yahoo's service eliminates the secret they know (and often can't remember).

"In many cases, an online service will check the password, then do a mobile push authentication so they have confidence that the person holding the smart phone is who they say they are," said Mark Diodati, a research VP at Gartner. "Mobile push is much better than using a password by itself, and Yahoo may be doing additional background checks [contextual authentication] behind the scenes to make the solution multi-factor."

The authentication market is hot as passwords have become the worst security construct in use today.

The FIDO Alliance has been making strides with its emerging standard based on public-key cryptography, which addresses both password-less and two-factor authentication (that includes a password) in biometric, token and other form factors. FIDO eliminates the need to send codes that can be stolen and reused and instead focuses on a cryptographic key exchange.

In addition, wearable technology -- such as the Nymi wristband that promises continuous strong authentication to applications, devices and services -- are entering the market and promising improvements in secure authentication.

While Account Key is a unique authentication flow, the phone still suffers from issues that plague the devices when used to provide one-time passcodes (OTPs), such as loss of the device and resident malware tied to man-in-the-middle attacks. Yahoo isn't alone in facing these issues.

Yahoo began revamping its authentication system almost two years ago building out both identity and authentication pieces. First it phased out a sign-in option that accepted Facebook and Google credentials from users, a type of credential sharing known as federation.

The company then took a board seat with the OpenID Foundation and contributed to work on OpenID Connect, a standardized identity protocol. Later came On-Demand and this week Account Key.

(Disclosure: My employer is a member of the FIDO Alliance)

Editorial standards