Yahoo is trying something new: telling its users to skip a password entirely in favor of a smartphone app through which the user grants access when a login is attempted. This looks like, in the words of one Twitter wit, two-factor authentication (2FA) with one factor. Is Yahoo's Account Key a strange decision that will weaken the security of the people who hold accounts on its network?
My straightforward answer is: No. Yahoo wants to make it easier for its users to get the benefits of a verified login while making a stolen password worthless to an attacker, and it chose a method that is better than a password alone in nearly all circumstances. Strong words, I know! I don't expect other companies to follow immediately, but Yahoo is trying to stand out.
It's borrowing a page from more sophisticated systems, like Duo Security, which has a more complicated setup and is designed for corporate-scale security, but relies on the same basic principle: approve the login on a device you hold. Yahoo is bringing this idea to the masses, who can use an existing app to take advantage of it.
The key factor is the lack of a password
Let’s break down how its new Yahoo Account Key system works. I’ve tested it, and it works just like Yahoo says it should.
First, you install Yahoo's new iOS app for Yahoo Mail. For now, Account Key works only with this app and with logging in to Yahoo on the web, but it will roll out to other apps this year, the company said in a blog post.
Next, log in with your username and password. You're essentially turning the app into a trusted device (much like Apple's old two-step and new two-factor systems), so you have to prove you hold the current credentials before the device can vouch for you. Then tap the profile icon at the top of the screen and tap Settings. Tap Account Key and you can enable the service. Yahoo wisely walks you through a demo of accepting and rejecting connections so you can practice it. This is important for the user this feature is aimed at: someone who has never been asked to deny a login request before.
In my test, I went to Yahoo.com to log in to my email account. I entered the address, and the site immediately recognized that I had Account Key active: the password field changed to read Click to Use Account Key, and the Sign In button changed to read Continue. A screen on the website says it's waiting for approval, and your iOS device receives a notification that opens to a view that lets you allow or deny the login.
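The login exchange in the steps above, modeled as an added example that is not Yahoo's code and not anything Yahoo has published: a small Python model of the server side of a push-approval login. The web session starts a login, the server pushes a challenge to the one enrolled device, the device answers, and the browser polls until it gets an answer. The class and method names, the device-token scheme, the 120-second timeout, and the sample context strings are all my assumptions for illustration.

```python
"""Toy model of a push-approval ("Account Key"-style) login. Hypothetical example code."""
import secrets
import time
from dataclasses import dataclass

PENDING_TTL = 120.0  # seconds a login request may wait for an answer (assumed value)


@dataclass
class PendingLogin:
    challenge_id: str
    username: str
    context: str        # shown on the phone so the user can spot an attempt that isn't theirs
    created: float
    status: str = "pending"   # pending | approved | denied | expired


class AccountKeyService:
    """Server side: enrolls one trusted device per user and brokers login approvals."""

    def __init__(self):
        self.enrolled = {}   # username -> device token (hypothetical push address)
        self.pending = {}    # challenge_id -> PendingLogin
        self.outbox = []     # (device_token, challenge_id, context): simulated push queue

    def enroll(self, username, password_ok, device_token):
        # The password is still used exactly once: to turn this phone into the trusted device.
        if not password_ok:
            raise PermissionError("a valid password is required to enroll a device")
        self.enrolled[username] = device_token

    def begin_login(self, username, context, now=None):
        # Called when the browser submits a username. Returns None for users without
        # Account Key so the caller can fall back to the ordinary password form.
        now = time.time() if now is None else now
        if username not in self.enrolled:
            return None
        cid = secrets.token_urlsafe(16)   # unguessable, so a caller can't poll someone else's request
        self.pending[cid] = PendingLogin(cid, username, context, now)
        self.outbox.append((self.enrolled[username], cid, context))
        return cid

    def respond(self, device_token, challenge_id, approve):
        # Only the enrolled device may answer, only once, and only while the request is live.
        req = self.pending.get(challenge_id)
        if req is None or req.status != "pending":
            return False
        if self.enrolled.get(req.username) != device_token:
            return False
        req.status = "approved" if approve else "denied"
        return True

    def poll(self, challenge_id, now=None):
        # The "waiting for approval" page calls this until the status leaves "pending".
        now = time.time() if now is None else now
        req = self.pending.get(challenge_id)
        if req is None:
            return "unknown"
        if req.status == "pending" and now - req.created > PENDING_TTL:
            req.status = "expired"
        return req.status

    def complete(self, challenge_id):
        # Exchange an approved challenge for a session exactly once; anything else gets nothing.
        req = self.pending.get(challenge_id)
        if req is None or req.status != "approved":
            return None
        del self.pending[challenge_id]            # single use: a replay of the same id fails
        return {"user": req.username, "session": secrets.token_hex(16)}


def run_demo(now=1000.0):
    """Walk through the legitimate login, a wrong-device answer, a replay and an expiry."""
    svc = AccountKeyService()
    svc.enroll("alice", password_ok=True, device_token="dev-A")
    out = {}
    cid = svc.begin_login("alice", "Safari on macOS, Seattle", now=now)   # constructed context
    out["pushed_to"] = svc.outbox[-1][0]
    out["wrong_device"] = svc.respond("dev-B", cid, True)        # attacker's phone can't answer
    out["approved"] = svc.respond("dev-A", cid, True)
    out["second_answer"] = svc.respond("dev-A", cid, True)       # already answered
    out["status"] = svc.poll(cid, now=now + 5)
    out["session"] = svc.complete(cid) is not None
    out["replay"] = svc.complete(cid)                            # None: challenge consumed
    stale = svc.begin_login("alice", "Chrome on Windows, unknown", now=now)
    out["stale_status"] = svc.poll(stale, now=now + PENDING_TTL + 1)
    out["stale_answer"] = svc.respond("dev-A", stale, True)      # too late to approve
    out["no_key_user"] = svc.begin_login("bob", "anywhere", now=now)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two design points matter here and are independent of the toy code: the challenge is bound to a single login attempt and dies after one answer or a short timeout, so a stolen or replayed "approved" response is useless; and the prompt carries the origin of the attempt, which is the only thing that lets a user recognize a request they did not make and tap deny, the skill Yahoo's practice demo teaches.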
But for most people, the gap between what Yahoo is offering and a plain password is enormous, and the change is an improvement.
I'm looking forward to more straightforward variants on Yahoo's scheme that move an attack from something anyone on the Internet can attempt to something that requires physical possession of the device, while also making the process easier for people who don't want to manage their security but still want to benefit from it.