Yahoo's on-demand password service is not suitable for business use and will cause trouble for those who think it is, according to experts within the security community.
Yahoo announced its on-demand password service on Monday. The feature lets users tie their account security to their mobile phone number.
Once activated, whenever the customer attempts to open their account Yahoo will send a custom one-time password (OTP) token to their phone, removing the need for them to remember a password.
Yahoo claims the feature is designed to help forgetful or busy customers secure their accounts without having to remember complex passwords. However, experts within the security industry have expressed concerns about the service.
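To make the security trade-off concrete, here is a small server-side model of an SMS one-time-password login. It is an added example written for this page, not Yahoo's code, and everything in it (the `OtpAuthService` class, the eight-digit code length, the five-minute lifetime, the attempt limit, the phone numbers and passwords) is constructed for illustration. An account registered without a password behaves like the on-demand scheme described above: whoever reads the SMS gets in. An account registered with a password requires both the password and the code, which is the two-step arrangement the critics below prefer. The service also shows the defensive details any such scheme needs regardless of factor count: codes drawn from a CSPRNG, only a salted hash stored, expiry, single use, constant-time comparison and a guess limit.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for the illustration; the real service's values are not public.
OTP_DIGITS = 8
OTP_TTL_SECONDS = 300      # a code is valid for five minutes
MAX_ATTEMPTS = 5           # wrong guesses allowed before the pending code is discarded


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted SHA-256 so a leaked server store does not reveal live codes or passwords."""
    return hashlib.sha256(salt + secret.encode()).digest()


class OtpAuthService:
    """Hypothetical server side of an SMS one-time-password login.

    register(..., password=None)  -> on-demand: the SMS code alone grants access.
    register(..., password="...") -> two-step: password and SMS code are both required.
    """

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be exercised deterministically
        self.accounts = {}            # account -> {"phone", "salt", "pw_hash"}
        self.pending = {}             # account -> {"hash", "salt", "expires", "attempts"}

    def register(self, account, phone, password=None):
        salt = secrets.token_bytes(16)
        self.accounts[account] = {
            "phone": phone,
            "salt": salt,
            "pw_hash": _digest(password, salt) if password else None,
        }

    def request_code(self, account, send_sms):
        """Issue a fresh code and hand it to the SMS transport; only its hash is kept."""
        if account not in self.accounts:
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[account] = {
            "hash": _digest(code, salt),
            "salt": salt,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        send_sms(self.accounts[account]["phone"], code)
        return True

    def verify(self, account, code, password=None):
        """Return one of: ok, no_code, expired, locked, bad_password, bad_code."""
        entry = self.pending.get(account)
        if entry is None:
            return "no_code"
        if self.clock() > entry["expires"]:
            del self.pending[account]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[account]       # too many guesses: the code is burned
            return "locked"
        acct = self.accounts[account]
        if acct["pw_hash"] is not None:     # two-step accounts check the password first
            if password is None or not hmac.compare_digest(
                    acct["pw_hash"], _digest(password, acct["salt"])):
                return "bad_password"
        if not hmac.compare_digest(entry["hash"], _digest(code, entry["salt"])):
            return "bad_code"
        del self.pending[account]           # consume the code so a captured SMS cannot be replayed
        return "ok"


def demo():
    """Walk an on-demand and a two-step account through logins; returns the outcomes."""
    now = [1_000_000.0]
    svc = OtpAuthService(clock=lambda: now[0])
    inbox = {}                                            # constructed stand-in for the handset
    deliver = lambda phone, code: inbox.__setitem__(phone, code)

    svc.register("alice", "+15550100")                    # on-demand: SMS only
    svc.register("bob", "+15550101", password="correct horse")  # two-step

    results = {}
    svc.request_code("alice", deliver)
    results["ondemand_sms_only"] = svc.verify("alice", inbox["+15550100"])      # ok
    results["ondemand_replay"] = svc.verify("alice", inbox["+15550100"])        # no_code

    svc.request_code("bob", deliver)
    results["twostep_sms_only"] = svc.verify("bob", inbox["+15550101"])         # bad_password
    results["twostep_both"] = svc.verify("bob", inbox["+15550101"], "correct horse")  # ok

    svc.request_code("alice", deliver)
    now[0] += OTP_TTL_SECONDS + 1
    results["ondemand_expired"] = svc.verify("alice", inbox["+15550100"])       # expired

    svc.request_code("alice", deliver)
    wrong = "0" * OTP_DIGITS if inbox["+15550100"] != "0" * OTP_DIGITS else "1" * OTP_DIGITS
    outcomes = [svc.verify("alice", wrong) for _ in range(MAX_ATTEMPTS + 1)]
    results["ondemand_guessing"] = outcomes[-1]                                 # locked
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `twostep_sms_only` case is the whole argument in one line: the same captured code that logs `alice` in is rejected for `bob` because a second, independent secret is still missing.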
Co-founder and technical director at SecurEnvoy Andy Kemshall said the move was "a huge step back in securing personal information" for two reasons.
"At [the] point of login, users expect and are used to instant access to their accounts but with Yahoo adopting only one step of authentication this will make the email account less secure but also add a layer of inconvenience to the user, with them having to wait around for a password to be sent via SMS," he said.
"Secondly, think of it this way: if all ATMs removed the need for PINs, and all you needed to do was put your card in and cash came out, despite being incredibly quick and convenient, if the card is lost, you have opened a major gateway to your money.
"The same applies to this plan Yahoo is introducing."
Director of product management at Tripwire Tim Erlin was equally negative.
"Yahoo just made it easier for attackers to compromise an account. Ease of use is taking center stage for Yahoo, but it opens up some new attack vectors as well," he said.
"Two-factor authentication is more secure because it requires an attacker to compromise more than a single piece of information to be successful."
He added: "While Yahoo is lifting the burden of remembering a password, it is maintaining a single target for compromise: your SMS messages. Malware on your phone could be used to grab those SMS messages and gain full access to your account.
"On-demand passwords are also mutually exclusive with Yahoo's two-step verification, so enabling them forces users to effectively downgrade security on their account."
Security specialist at ESET Mark James agreed, arguing password security is still a useful tool.
"I am not a firm believer in getting rid of passwords as I think they have a place alongside other forms of security to establish a layered approach," he said.
Not all bad
Some researchers were less negative. CTO at Lancope TK Keanini said the news is positive as it shows Yahoo is aware of the need for change within the security industry.
"We need more innovation like this with authentication. Passwords are just pieces of information and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden," he said.
"Yahoo knows that the most personal device on a person these days is their mobile phone and let's not stop here, let's keep innovating even more techniques to raise the cost to our attackers."
Principal security researcher at Bromium Jared DeMott agreed, noting: "Times change and so must login measures. But balancing privacy, ease-of-use and recovery, against security is always the trick."
Yahoo is one of many companies experimenting with alternative authentication strategies. Fujitsu demoed a proof-of-concept iris-scanning smartphone lock at Mobile World Congress in Barcelona.