Yahoo starts kicking passwords to the curb, unveils single-use 'on demand' passwords

Yahoo steps up to improve security and protect privacy by introducing single-use "on demand" passwords and showing off its end-to-end email encryption that should be available by the end of 2015.

JD Hancock (Creative Commons BY or BY-SA)

Yahoo took its first step toward kicking passwords to the curb by introducing "on demand" passwords. Yahoo's on-demand passwords may sound similar to two-factor authentication, but they are not the same thing: only one step is required. Instead, the single-use passwords work much like clicking "I forgot my password" every time you try to sign in to email.

When Yahoo announced "on demand" passwords being available to users in the U.S., it said the steps to set up single-use passwords are easy to follow.

  1. Sign in to your account.
  2. Click on your name at the top right corner to go to your account information page.
  3. Select "Security" in the left bar.
  4. Click on the slider for "On-demand passwords" to opt-in.
  5. Enter your phone number and Yahoo will send you a verification code.
  6. Enter the code and voila!

Yahoo's on-demand passwords
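As an added illustration (not Yahoo's code; the article does not describe the service's internals), here is a minimal server-side model of the single-use code flow the steps above enable: a fresh code is generated per request, delivered out of band to the phone, valid only briefly, and consumed on first use. Phone number, validity window and attempt limit are constructed values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # validity window for a code (constructed value)
MAX_ATTEMPTS = 5         # wrong guesses allowed before the pending code is burned

class OnDemandPasswords:
    """Single-use sign-in codes sent to a phone. Only possession of the phone is
    checked, so this is a one-step login, not two-factor authentication."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms          # callable(phone, text)
        self._clock = clock
        self._pending = {}                 # user -> [digest, salt, expires_at, attempts]

    @staticmethod
    def _digest(code, salt):
        return hmac.new(salt, code.encode(), "sha256").digest()

    def request_code(self, user, phone):
        # A fresh request replaces any still-pending code; only a keyed hash is kept.
        code = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = [self._digest(code, salt), salt, self._clock() + CODE_TTL_SECONDS, 0]
        self._send_sms(phone, f"Your sign-in code is {code}")

    def verify(self, user, code):
        entry = self._pending.get(user)
        if entry is None or self._clock() > entry[2]:
            self._pending.pop(user, None)  # expired or unknown: discard
            return False
        entry[3] += 1
        ok = hmac.compare_digest(self._digest(code, entry[1]), entry[0])
        if ok or entry[3] >= MAX_ATTEMPTS:
            del self._pending[user]        # consumed on success, burned after too many failures
        return ok

def demo():
    # Constructed walk-through: the fake SMS sender stores the code in `inbox`
    # so the demo can read it back, as a user would from their phone.
    inbox, now = {}, [1_000_000.0]
    svc = OnDemandPasswords(lambda phone, text: inbox.__setitem__(phone, text.split()[-1]),
                            clock=lambda: now[0])
    svc.request_code("alice", "+15555550100")
    first = svc.verify("alice", inbox["+15555550100"])    # accepted once
    replay = svc.verify("alice", inbox["+15555550100"])   # same code again is rejected
    svc.request_code("alice", "+15555550100")
    now[0] += CODE_TTL_SECONDS + 1
    expired = svc.verify("alice", inbox["+15555550100"])  # outside the validity window
    return {"first": first, "replay": replay, "expired": expired}
```

Because each code is hashed at rest and deleted once used, a leaked database entry or an intercepted code is useless after the first login or the short validity window.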

Of course, that means you have no issue with giving Yahoo your phone number. It seems like all the major email providers want your phone number for the sake of security; if you don't give it to them, you are pestered endlessly to hand it over each time you sign in to email. Microsoft is one of the most persistent and annoying, sending you to a page to input your phone number with no easy way to navigate away from it... unless you tweak the URL. Or at least it used to, as I rarely sign in nowadays.

Yahoo email to offer end-to-end encryption by end of 2015

If email were to bite the dust and be replaced by apps that don't leave as many digital traces when communicating, then you'd have to own a smartphone and give out that number. Some security folks believe that is the answer to more private and secure communications. As an email service, Yahoo is not too keen on that idea; at South by Southwest, Chief Information Security Officer Alex Stamos said, "We're one of the world's largest email providers. We're not going to just throw away email." Instead, Stamos gave a public demonstration of Yahoo's new encrypted email service.

Last year, Yahoo said it would come out with a plug-in to provide end-to-end encryption for all its users in 2015. Stamos showed off a video of that plugin for Yahoo email and also posted it on Tumblr. While it's not ready to roll out to the public, Yahoo did release the source code for security researchers to pore over for potential bugs. Stamos wrote:

We constantly iterate on our products to provide the best possible experience for our users – and our security features are no exception. To that end, we've released the first Yahoo-specific e2e encryption plug-in source code on GitHub. We encourage other mail providers to build compatible solutions, and for security researchers to take a look and report any potential vulnerabilities they find via our Bug Bounty program.

While Yahoo has not necessarily been known for having the most secure email service, the company seems serious about changing that. "What we're trying to do at Yahoo is build our products so they're safe and trustworthy, not just secure," Stamos told The Washington Post. He believes users may just choose to encrypt their emails when sending sensitive information, but once the plugin is available then why not encrypt all the time?

Stamos went head-to-head with NSA Chief Admiral Mike Rogers last month, saying building backdoors in crypto is "like drilling a hole in the windshield." Stamos also pointed out that Yahoo has "about 1.3 billion users around the world," and "if we're going to build defects/backdoors or golden master keys for the U.S. government," then what other "countries should we give backdoors to?"

It's important to note that Stamos said Yahoo's end-to-end encryption plugin "won't let users completely mask their digital communications." According to The Wall Street Journal, he added, "Even if the message is unreadable, data about the message — such as when it was sent, to whom and its subject line — remain readable. That's so the message can be routed across the Internet."

Here's the video of the plugin in action. According to Stamos, using end-to-end PGP encryption in Yahoo mail with a Chrome extension takes about half as long as using traditional GPG tools. It's not supposed to be a big, complicated process that scares users away from encrypting emails; it's encryption for "normal" people. "Anybody who has the ability to write an email should have no problem using our email encryption," Stamos said.
