Yahoo Japan strives for universal passwordless authentication

Yahoo Japan has revealed that it plans to go passwordless, and that 30 million of its 50 million monthly active users have already stopped using passwords in favor of a combination of FIDO and TXT messages. A case study penned by staff from Yahoo Japan and Google's developer team explains that the company started work on …

  1. Pete 2 Silver badge

    The calm before the storm

    > eliminating passwords from the user authentication process reduces the damage from list-based attacks, and from a usability perspective, providing an authentication method that does not rely on remembering passwords

    Well, yes. But only because there is an inevitable lag between someone introducing a new security feature and the baddies exposing its weaknesses. Although it seems to me that FIDO / SMS based authentication does little except make users even more dependent on technology and extends the length of the chain of events. So rather than having people contain their passwords in their own memory (brain) and then use their own fingers to enter it, there are now several electronic systems that the authentication data has to pass through, first. All of which have to be working, secure and kept up-to-date.

    None of which are under the control of the user (which admittedly, might be a good thing!)

    And that is presuming you don't lose your phone, go somewhere that cannot receive the messages, allow your battery to go flat or break it. ISTM all this does is trade one set of potential problems (hacks, forgotten passwords) for a different set.

  2. GlenP Silver badge


    SMS is all very well if you have a mobile signal.

    I've had to resort to running upstairs, waving my phone out of the window and hoping the SMS message came through and I could get back down to type the code in the 15 minutes the particular site permitted. I got there on the third attempt having wasted the best part of an hour. WiFi calling helps but is by no means universal across operators and phones and still assumes you have a connection available.

    I'm quite happy with using authenticators as an addition to passwords, not as an alternative - the clue is in the 2 of 2FA.

    1. MiguelC Silver badge

      Re: SMS...

      15 bloody minutes? oh, the luxury!

      Both banks I most work with send validation codes by SMS with 60 seconds expiration time... between operator delays and my own fat fingers, I'm probably marked down as a "request new code" addict

    2. heyrick Silver badge

      Re: SMS...

      SMS is all very well and good if you have your mobile phone.

      It was useful for me when changing to a different phone that my bank was happy to send authentication codes for their "secure" app by text instead of by post (thirty seconds versus thirty days). It was also useful that the app retained my login details so I only needed to enter the auth code.

      But at no time did any of this process actually verify that I was me. I have an n- password but the bank seems intent on replacing that with a five digit code (yup, only five, "for my security"). The password was not demanded. All the bank knew was that somebody had their app on my phone. Once the auth code had been entered, I was free to choose my own five digits. The same five digits that are used to validate online purchases, or authorise new direct debits or authorise new destinees for doing bank transfers. So, essentially, "for my security" they pissed all over anything that resembled actual security. Because just like all those processor problems, convenience always trumps security.

  3. Doctor Syntax Silver badge

    "the company is fond of using techniques that allow Apple’s iOS and Google’s Chrome browser to read and enter incoming one-time passwords so that users have nothing to do to arrange authentication.....The percentage of inquiries involving forgotten login IDs or passwords has decreased by 25 percent "

    So the thieves don't have to bother getting the password reset nowadays - the phone is its own security.

    1. Paul Kinsler

      the phone is its own security.

      There is, after all, a reason that MFA actually stands for "Mobile Fone Authentication" :-)

  4. sreynolds

    So now the new target will be..

    The poorly encrypted with some KDF that is based on some pissweak password/biometric because the keystore is so secure. Please history always repeats.

    1. Flocke Kroes Silver badge

      Re: So now the new target will be..

      U2F / FIDO1 was reasonably sane with only one popular crippling disaster: many sites did not understand the concept of a backup authentication device.

      FIDO2 is an abomination with the following "convenience" features: By default there is only one secret that is shared between all uses. The secret can be copied from one device to the next. Per device secrets are optionally implemented - with the requirement that the per device secret can be copied to other devices. No passwords. Authentication by fingerprint or facial recognition.

  5. Mast1

    Am I naive

    "Users are encouraged to use the same authentication method on all their devices," jumped out at me.

    So "security through obscurity" is relegated from even being a second line of defense ?

  6. heyrick Silver badge

    because half of its users employ the same password on six or more sites

    They know this how?

    And, they want to replace one password maybe being recycled on multiple sites with one digital identity for all sites?

    1. Flocke Kroes Silver badge

      Re: They know this how?

      The "at least six sites" could be ones that Yahoo acquired and therefore have legitimate access to the hashed password databases. The whole idea of big internet companies is that they track you wherever you go, so they are able to link the different user names of a single user to each of the sites they control. Finally they can run a list of popular passwords through the correct hashing algorithm with the correct salt for each site to test for recycled passwords.

      On the other hand, people might use a common email address as the user name for multiple sites and the sites might store the passwords in plain text.
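The reuse check described in the comment above, written out as an added example that is not part of the thread or of any Yahoo code: an operator holding two salted hash tables and a list of linked accounts tests a list of popular passwords against each site's own salt. The PBKDF2 parameters, account names, passwords and candidate list are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever each site really uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_site(accounts: dict) -> dict:
    """Build a constructed credential table: user -> (random salt, hash)."""
    table = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(password, salt))
    return table


def matches(record: tuple, candidate: str) -> bool:
    """True if the candidate hashes to the stored value under that record's salt."""
    salt, stored = record
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def find_reuse(site_a: dict, site_b: dict, linked: list, candidates: list) -> list:
    """Return linked account pairs where one popular password verifies on both sites.

    Only the pair is reported, never the password, so the result can drive a
    forced reset without recording the secret itself.
    """
    flagged = []
    for user_a, user_b in linked:
        if any(matches(site_a[user_a], c) and matches(site_b[user_b], c)
               for c in candidates):
            flagged.append((user_a, user_b))
    return flagged


# Constructed sample data: two sites run by one operator, with different salts.
SITE_A = make_site({"alice": "sunshine1", "bob": "correct horse battery", "carol": "qwerty123"})
SITE_B = make_site({"alice_t": "sunshine1", "bobby": "correct horse battery", "carol88": "letmein"})
LINKED = [("alice", "alice_t"), ("bob", "bobby"), ("carol", "carol88")]
POPULAR = ["123456", "sunshine1", "qwerty123", "letmein"]

if __name__ == "__main__":
    print(find_reuse(SITE_A, SITE_B, LINKED, POPULAR))
```

Only the first pair is flagged: the second account reuses a password that is not on the popular list, so this method cannot see it, and the third uses two different popular passwords.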

  7. Anonymous Coward

    You can't access from Europe anyway

    They've made a huge number of accounts very secure for Japanese in Europe by just not allowing you to log in...

    GDPR too much for them to deal with presumably.

    Girlfriend now has to use VPN just to read the news.....

  8. ICam


    Standard Yahoo! 2FA via TOTP is hobbled due to unavailability of backup recovery codes.

    The recovery method therefore falls back to SMS, which as we all know, is ultra-secure...

    They are not the only site where this is the case, but you'd think they'd do better.
