Yahoo Account Key and the Next Generation of Passwords
Yahoo Mail is turning 18 years old this month and the company is revamping the email service with several new features including Account Key, referred to by the company as a “password-free sign-in.” The service is similar to the two-factor authentication already in place at some email providers – when a user enters their email username and presses “continue,” they receive a notification sent to the Yahoo email app associated with their phone number which allows them to verify the login. The feature is intended to increase online security as well as address user problems with creating strong passwords and remembering them.
The feature raises a number of issues that may be seen as problematic. Some users may be reticent to provide their phone number to Yahoo, for one. More importantly, there does not appear to be a clear protocol in place to access your Yahoo email account if your phone is misplaced, broken, stolen or simply runs out of battery life. As of this writing, clicking "Your phone isn't with you and you can't get that phone number back," on the Account Key help page draws a blank answer. Clicking the “Can’t access your account?” link on the Yahoo mail page and selecting “I have a problem with my password or I am not able to receive a password on my phone” offers to send your password to that same inaccessible phone number. When the user chooses an alternative password recovery option they’re asked to contact Yahoo Customer Care.
The attempt by Yahoo to rebrand their email service with a new account access protocol is in keeping with a number of companies attempting to supersede traditional forms of password authentication. Earlier this year, the British digital services company Intelligent Environments released an Emoji Passcode feature as part of its Android banking app, allowing users to utilize strings of Emojis instead of alphanumeric characters as passwords. Traditional banking pins, made up of four non-repeating numbers, allow for 7,290 unique password permutations whereas there could be 3,498,308 unique permutations of Emoji passcodes based on their selection of 44 smiley/sad faces. MasterCard is also introducing new technology that approves payments for online purchases using facial scans. The feature involves the user staring into their phone camera and blinking once as confirmation for the purchase – the blinking intended to act as a deterrent to a criminal holding up a user’s picture to access their account. The company is also working with the company Nymi, inventors of the Nymi Band, a wrist band that measures the electrocardiogram rhythms of a person’s heartbeat and uses them as a unique identifier for the purposes of biometric authentication, ie. a password based on the rhythm of your heart.