On Sunday, Yahoo launched a new service called “on-demand” passwords, which lets someone log into a Yahoo account using a unique, one-time code that is delivered via text message. It’s basically two-factor authentication without the first step.
It sounds convenient, but it raises the question: how secure are on-demand passwords?
The whole point of multi-factor authentication is that if one authentication factor is compromised, access is still protected by the remaining factor. If a password is compromised, then a one-time code (delivered by SMS or generated by a time-based token) still protects access. Conversely, if the smartphone that receives or generates the second factor is lost or stolen, a third party holds the second factor but still does not have the password (assuming it is not stored in cleartext somewhere on the phone).
Password-less authentication, as Yahoo has implemented it, is nothing more than traditional two-factor authentication minus the password. If your phone is lost or stolen (or the SIM card is stolen, or your number is moved to an attacker's SIM through a SIM-swap at the carrier), then whoever controls that number can receive the Yahoo one-time password and access your Yahoo account; there is no second factor left to stop them.
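To make the difference between the two policies concrete, here is an added example (not code from Yahoo or from the original post) that models both login flows and then plays out the lost-phone scenario. Yahoo delivers its code by SMS; this model stands in a TOTP generator (RFC 6238 over RFC 4226 HOTP) for the delivered code, which preserves the property that matters: whoever holds the phone can produce a valid code. The account, password, secret and function names are all constructed for illustration.

```python
"""Model of two login policies: password + one-time code versus code alone."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # illustrative work factor for the toy password store


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP keyed on the current 30-second time step."""
    return hotp(secret, now // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Server-side record: salted password hash plus the shared OTP secret."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.otp_secret = otp_secret

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

    def check_code(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.otp_secret, now))


def login_two_factor(acct: Account, password: str, code: str, now: int) -> bool:
    """Knowledge factor AND possession factor must both verify."""
    return acct.check_password(password) and acct.check_code(code, now)


def login_on_demand(acct: Account, code: str, now: int) -> bool:
    """Possession factor only: the stand-in for Yahoo's on-demand password."""
    return acct.check_code(code, now)


def stolen_phone_outcomes(now: int = 1_700_000_000) -> dict:
    """Attacker holds the phone (so can read a valid code) but not the password."""
    # Constructed account: hypothetical password and the RFC 4226 test secret.
    acct = Account("correct horse battery staple", b"12345678901234567890")
    stolen_code = totp(acct.otp_secret, now)  # what the thief reads off the phone
    return {
        # On-demand: the code alone is the whole login, so the thief gets in.
        "on_demand": login_on_demand(acct, stolen_code, now),
        # Two-factor: the thief has the code but must still guess the password.
        "two_factor": login_two_factor(acct, "guess123", stolen_code, now),
        # The legitimate owner, who knows the password, still passes two-factor.
        "legitimate_two_factor": login_two_factor(
            acct, "correct horse battery staple", stolen_code, now),
    }


if __name__ == "__main__":
    print(stolen_phone_outcomes())
```

Running it shows `on_demand` succeeding for the thief while `two_factor` fails, which is exactly the gap the post describes: removing the password turns a lost phone from an inconvenience into a full account compromise.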
Yahoo’s one-time password is nothing new as a mechanism, and used alone it is less secure than a complex password combined with a second authentication factor, such as a time-based token or an SMS-delivered one-time password. If my smartphone were ever lost or stolen, I would rather have the peace of mind that my accounts are protected by a unique and complex password AND a second authentication factor. My recommendation is to keep your Yahoo password in place, use a password manager, ensure that your passwords meet length and complexity requirements, and always activate two-factor authentication where it is available.