Yahoo on-demand password

prime

I'm not sure how I feel about this.

http://www.pcworld.com/article/2897332/yahoos-new-ondemand-password-system-is-no-replacement-for-twofactor-authentication.html

What do you all think?

RichardPayne

I think the article covers it well enough. This isn't a 2FA replacement. It has the plus of lower risk server side but I higher risk of compromise client side.

I won't be using it.

prime

From the looks you just log in with your email address and a password will be sent to your phone. So it would get really annoying having some jerk just type your email address and you get a text all the time.

AGAlumB

@prime: Indeed. I don't know about you, but I get enough spam. :p

@RichardPayne: Even more troubling, someone getting your phone would allow them to get into your account without having to also have your password.

I like that they are at least trying, though. I guess. >_<

svondutch

@brenty Besides the risk of someone getting your phone, there is also the risk of...

1. someone forwarding your calls, and then
2. have an accessibility feature read your texts out loud over the phone

AGAlumB

Wow.

RichardPayne

I think @svondutch's post points out most is the need to prioiritise security over convenience on your email account. That account controls access to all of your other accounts and it's security is paramount.

Oh, and use authenticator apps, not texts. :)

AGAlumB

@RichardPayne: Well, if your phone falls into the 'wrong hands' (literally, ha!) then both the authenticator app and the SMS app will be compromised. It highlights the importance of using the phone (whether through text or app) as a factor in addition to your password, rather than as a replacement for it. We certainly live in interesting times. ;)

prime

@brenty
If your phone falls into the wrong hands, this is why (I think) it's very important to have a passcode on your phone. Sadly, I know a lot of people who don't, because "they never leave their phone unattended". They are called accidents for a reason.

You're right, very interesting times we live in, I remember when I only had 3 passwords for years and thought it was safe and a good idea.

Megan

Hi @prime,

Yes, a passcode on your phone is DEFINITELY a good idea. We store so much valuable information on those little portable easily-misplaceable devices, it only makes sense to keep it protected. :)

prime

@Megan
I am shocked how many people don't have a password for their cell phone. They think "I alway have it" or "its a pain". I think it's more of a pain calling having an "oops".

I also don't use a 4 PIN passcode either now, since Touch ID, no reason not to have a stronger password for your phone.

AGAlumB

@prime: My wife says, "But my password is too long and I keep forgetting it!

Exactly. There's an app for that! :p

Touch ID is amazing. Unfortunately 1Password hasn't gotten Lock Screen Status (yet)™. :pirate: