Yahoo launches password-free logins

Never having to remember a password again may be appealing -- but is such a concept promoting lax security?


If remembering passwords is too much of a chore, Yahoo will make them for you.

During a session at the South by Southwest festival hosted in Austin, Texas, as reported by sister site CNET, the tech giant launched "on-demand" passwords, which takes remembering your security password to access accounts of the equation.

Yahoo's vice president of product management for consumer platforms Dylan Casey said during the event that the service is the "first step to eliminating passwords."

Available now in the US, on-demand passwords work by users first logging into their Yahoo accounts normally. Once you've accessed your account, you can head over to security settings and turn on on-demand passwords. The next step is to register your phone and connect it to your account.

When you next login, the password field will be replaced with a "send my password" button. A password containing four characters will then be sent to your phone, verifying your identity through the linked device and granting you access to the account.

While Casey said the service was designed after Yahoo put itself "in the shoes of the people using our products," the security process arguably is taking a step back from two-step verification, which is slowly being adopted by web services worldwide. Two-step verification services rely not only on the traditional password -- which is often easily crackable, guessed or susceptible to brute-force attacks -- but also often involves an additional code being sent to a linked mobile device to heighten account security. In other words, accessing an account requires a password and a device you own, which makes breaking into accounts far more difficult without an attacker having physical access to your mobile device.

While users may enjoy the convenience of on-demand passwords -- as long as their devices are not lost or stolen -- Yahoo's new scheme could be viewed as a lax security protocol designed to appeal to the general public, but not necessarily as a way to keep accounts and data any safer.

See also: How to send encrypted messages to iOS, Android devices for free

In related news, Yahoo chief information security officer Alex Stamos confirmed that end-to-end encryption will be introduced to Yahoo Mail by the end of 2015. Encryption will be offered via a plugin, developed by Yahoo and Google after the Edward Snowden US National Security Agency (NSA) revelations.

While Google has previously said it will include encryption services by default within the Android operation system, the tech giant has been forced to backtrack on its decision across the board due to compatibility and performance issues in older devices.

Read on: In the world of security