Why Yahoo's latest take on passwords could be a step down in security
Yahoo recently announced it would offer an alternative to the passwords its users have always used to log into their accounts: temporary codes sent to your phone via text message every time you want to log in.
That sounds a lot like the two-factor authentication you might know and trust from your bank or even from Facebook, but there's an important difference.
Two-factor authentication is popular with services that want to show they take security seriously. The two factors used to prove you are who you say you are are usually 1) something you know, your password, and 2) something you have, the phone that receives the code. Since Yahoo isn't asking for a password, it is back down to one-factor authentication, and that one factor belongs to whoever is holding your phone. A text message proves only that someone can read the SMS sent to your number, so a lost, stolen or borrowed handset carries the whole login with it.
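To make the factor count concrete, here is a small model of the two login paths, added for this article and not Yahoo's code. It keeps one account and checks it two ways: the classic path demands the password plus a code texted to the phone, the on-demand path demands the texted code alone. The class names, the PBKDF2 parameters, the five-minute code lifetime and the sample account are all assumptions made for the example.

```python
# Added illustration, not Yahoo's code: one account, two login paths. Class
# names, PBKDF2 parameters, code lifetime and the sample account are assumptions.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumption: a plausible password work factor
CODE_TTL_SECONDS = 300        # assumption: texted codes expire after 5 minutes


class Phone:
    """Whoever physically holds the phone can read every code texted to it."""

    def __init__(self):
        self.inbox = []


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.password_hash = self._derive(password)
        self.pending_code = None  # (sha256(code), expiry) or None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                   PBKDF2_ITERATIONS)

    def check_password(self, password):
        # Constant-time compare so timing does not leak how many bytes matched.
        return hmac.compare_digest(self._derive(password), self.password_hash)


class Server:
    def __init__(self):
        self.accounts = {}
        self.phones = {}

    def register(self, username, password, phone):
        self.accounts[username] = Account(password)
        self.phones[username] = phone

    def send_code(self, username, now=None):
        """Text a fresh six-digit code; only its hash and expiry stay server-side."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.accounts[username].pending_code = (digest, now + CODE_TTL_SECONDS)
        self.phones[username].inbox.append(code)

    def _consume_code(self, username, code, now):
        acct = self.accounts[username]
        if acct.pending_code is None:
            return False
        digest, expiry = acct.pending_code
        acct.pending_code = None  # single use: a replayed code never works
        if now > expiry:
            return False
        return hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest)

    def on_demand_login(self, username, code, now=None):
        """Yahoo-style path: possession of the phone is the only thing checked."""
        now = time.time() if now is None else now
        if username not in self.accounts:
            return False
        return self._consume_code(username, code, now)

    def two_factor_login(self, username, password, code, now=None):
        """Classic path: the password AND the texted code must both check out."""
        now = time.time() if now is None else now
        if username not in self.accounts:
            return False
        acct = self.accounts[username]
        password_ok = acct.check_password(password)
        code_ok = self._consume_code(username, code, now)  # consumed even on failure
        return password_ok and code_ok


def phone_thief_outcomes():
    """Constructed scenario: the attacker holds alice's phone but not her password."""
    server, phone = Server(), Phone()
    server.register("alice", "correct horse battery staple", phone)

    server.send_code("alice")
    stolen = phone.inbox[-1]  # read straight off the handset
    phone_only_on_demand = server.on_demand_login("alice", stolen)

    server.send_code("alice")
    stolen = phone.inbox[-1]
    phone_only_two_factor = server.two_factor_login("alice", "password1", stolen)
    replayed = server.on_demand_login("alice", stolen)  # already consumed above

    return {
        "phone_only_on_demand": phone_only_on_demand,    # True: phone alone suffices
        "phone_only_two_factor": phone_only_two_factor,  # False: password still needed
        "replayed_code": replayed,                       # False: single use
    }


if __name__ == "__main__":
    print(phone_thief_outcomes())
```

The point of the model is the first result: with the handset in hand, the on-demand path opens the account, while the two-factor path still stops at the password. The expiry and single-use checks are ordinary hygiene for any texted code and do nothing to change that factor count.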
Yahoo security chief Alex Stamos points out that the company does offer users two-factor authentication to secure their accounts: it has in the past, and it will continue to. But here's the thing, he says: people don't use it. They'd rather use and reuse short, easily guessed passwords, which are easy to type on a phone but just as easy targets for attackers.
"The truth is that passwords are so incredibly, ridiculously broken that it is almost impossible to keep users safe as long as we have any," Stamos said.
Yahoo is working on other solutions. So is Microsoft, which announced last week that Windows users will be able to unlock their computers with an eye scan, facial recognition or a fingerprint starting with the next version of Windows. You'll need a computer with the right hardware, a fingerprint reader or a camera with infrared sensors, and Microsoft's pitch is that the computer will be more secure for it.
That sounds great, and there's no question using my fingerprint to unlock my iPhone has made it more secure. I'm one of those users who never used a security code to unlock my phone until I got a model with TouchID. Microsoft says it is giving developers the tools they'll need to verify users' identities with eye scans, faces and fingerprints, alongside other methods.
But here's the thing: when you use your fingerprints, your eyes or your face to protect yourself on a website, app or device, your identity is only as secure as the developer chooses to keep it. What matters is what the developer actually receives: a yes-or-no answer from the device, or the biometric data itself.
I'm comfortable with Apple's technique. My phone doesn't take a snapshot of my fingerprints; it maps out the locations of key features in them, mashes that up into an encrypted code and uses that as my security key. If an app developer wants to use TouchID to secure my information, they can work with Apple to use Apple's system, but they don't get a copy of my security key. So I can decide for myself whether I want to trust Apple by using TouchID, but Apple's the only outfit you need to trust.
I'd need to know Microsoft's system worked in similar fashion before I trusted them with an image of my face or a scan of my iris. If that's going to be the key that unlocks my digital identity, I need to know that copies aren't being made and passed around behind my back.