Yahoo! launches! password-free! push! logins! for! mobes! Yahoo! has launched a password-free method of logging into its mail and online services that prompts users to approve access through a mobile push notification. The Yahoo! Account Key service is another blow to passwords, and the second dealt by the Purple Palace since it rolled out SMS two-factor authentication in March. …
Huh?
I'm not quite getting this. So, once enabled, is this 'push' method the only way to access the account? If so, what happens if you misplace your mobile - are you prevented from logging in? If there is another way to access the account in that instance, wouldn't that likely take the form of a password of sorts?
If it does then that would have all the problems of using a password as the main method of authentication. Actually, it'd be even harder to remember as it would be used so infrequently.
They've been asking everyone for their phone number for a couple of years now and new signups require one. They ain't got it out of me yet, nor will they. Yahoo Mail must have the highest rate of spamming and account hijacking so I don't trust them to keep it safe or not sell it when they run out of money.
Yahoo are not the only ones that been asking for your number, Microsoft for their MS account, Google does, facebook does and so do other services.
I hate this two pass system or what ever they call it, my mobile phone provider have started it now and they have made it compulsory, the problem is they already got my phone number, so not a lot i can do about that until my contract runs out and I change provider.
If you don't have to enter your password - then this isn't 2Factor auth - 2Factor auth requires 2 different forms of authentication, traditionally a password and some other form - usually OTP codes or like Twitter uses a push notification - which pretty much works the same way as Yahoo! are now using. As far as I can see - removing the password step makes this less secure - the whole point of a password with 2Factor is that it doesn't matter if some virus on your computer manages to capture your password - as the attacker still needs access to whatever the 2nd factor of authentication is.
However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.
And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. Is this what we want?
It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
