Yahoo recently rolled out a new way for users to access their services
without entering a password. Their new system uses a cellphone to authenticate the user. Instead of entering a password, the user receives a verification code via text message on their phone. (The user would have provided their phone number to Yahoo when setting this option up.) Once the user receives this code, they enter it on the Yahoo login page and voilà!, they’re logged in.
So what’s wrong with this? Is this a wonderful advance in the field of authentication?
The intentions are good. It is encouraging that online services are putting thought and effort into making their users’ lives easier and more secure. However, a cold analysis of this method finds that it’s not a particularly secure solution.
Fundamentally, it’s still a single-factor method of authentication. This means that it does
not offer any additional security by itself. If the single factor is compromised, you still lose control of your account. In the same way that losing/forgetting your password prevents you from accessing your email, losing or forgetting your phone does the same.
However, that’s something we already knew. The real question is: is this method more secure than ordinary passwords?
