Yahoo wants you to forget your password, announces 'on-demand' login service

The software giant has announced its take on password security with a service that removes the password altogether. With its on-demand service, Yahoo will deliver a one-time key every time a user needs to log in to their account, with a "send my password" button displayed instead of the password text box.

Yahoo has detailed instructions on how you can enable the service, which is now available to customers in the U.S.:

1) Sign in to your Yahoo.com account.2) Click on your name at the top right corner to go to your account information page.3) Select "Security" in the left bar.4) Click on the slider for "On-demand passwords" to opt-in.5) Enter your phone number and Yahoo will send you a verification code.6) Enter the code and voila!

Yahoo isn't the only tech company looking to simplify the account sign-in process, with Twitter also launching a Digits service that allows users to log in to their accounts via a unique code sent to the phone number associated with their accounts.

Along with on-demand passwords, Yahoo showcased an end-to-end encryption plugin for Yahoo Mail developed in collaboration with Google:

Yahoo's method is geared at being more user-friendly, and while the encryption service is not yet available to users, the company plans to launch it sometime before the end of the year.

Source: Yahoo

Harish Jonnalagadda

132 Comments

This seems like it might take more time to log into an account... And more costly if you don't have unlimited texts.
Who doesn't have unlimited text these days?
Edit 1: I dunno why this comment was made since this process doesn't require any message to be sent by the user. I'm replying considering the user meant outgoing SMS.
There are 195+ countries in world. Not everyone of them has unlimited outgoing text support. Forget about minor countries, even Indian telecom operators don't support unlimited outgoing SMS. Incoming though is free If the user meant incoming SMS occurs charges then I'm sorry but I didn't know about any country where incoming isn't free.
Incoming SMS are always free.
Not in the United States.
Seriously?! How much do you pay for an incoming text? That's really surprising since you cannot control what you will receive. Kinda stealing your money, in a way.
Same as outgoing if you don't have unlimited texting
Not having free incoming SMS means only one thing- Daylight Robbery.
Not in Australia...most of the time it costs a ridiculous amount and the inability to block them is a pain
They are free in Australia though :P even on Telstra.
@Leachan what are you smoking? Incoming sms are, and have always been, completely free in Australia. My Dad has one of those $60 / year plans and I SMS him all the time...he never runs out of credit unless he replies to me
Incoming sms are free in India
Free in Sweden as well, of course, obviously, naturally. Every other European country undoubtly as well, I take for granted. Someone said India earlier, too. Getting charged money to receive messages you did not request by special ordered pay service is so weird. An example: contest shows on TV can charge you a bit of money to participate freely, if you want. I would give up using mobile phones entirely if incoming things, domestically, cost money. I know United States charges for incoming calls as well. How is it even possible to be able to control or let alone feel relaxed about your cellular bill in the US? It makes me speechless. You have not always offered "unlimited" services, so how come cell phones even made it mainstream?
And you might not have your phone on you whenever you log in
Not sure about that considering people take their phone with them to the most private of places... The bathroom...
I don't think you use to have a laptop with you in bathroom instead of a phone.
I'm allowed laptops in class but not phones
I don't understand, SMS incoming is free na? Den why you need unlimited msg plan?
That depends on who your carrier is (also why there's always a warning that there might be extra charges on companies sending texts).
What if I loose my phone?...any alternative?
Well tighten it up then :P Sorry :P *lose
There is an alternative. Some temporary code will be given to you.
Someone wants to hack your account, sends a professional pickpocket who steals your phone. At a nearby table sits the attacker who now has your phone and is logged into your account already. In a few minutes he will require password change on your paypal account. By the time you find out the phone is missing your important info is already stolen, maybe paypal account is already empty, too. Thank you yahoo! Idiots.
You need at least 20 secs to input a Strong category password. So it will not differ too much.
it takes me 3 Seconds to type my password with over 16 letters including letter, numbers and symbols.
Even an expert need at least 7 secs to put a 15 digit complicated password. 3 secs will pass at instance while you thinking of your password but you can't think all those digits in 3 secs.
Muscle memory, my friend... ;)
Exactly! I don't remember my password precisely if I'm asked to write it down, but my fingers know without thinking about it :)
This isn't really much different to the Microsoft system if you have two step verification switched on in your account. But with MSFT you enter user name AND password before the code is sent.
Yeah but it cost us double time.
Microsoft had has this function for a long time as single-use code, you don't need two factor.
You can always use an authenticator instead... much easier
Incoming SMS has always been free in Spain, even if you are outside Spain... And outgoing SMS has been free for years with every carrier since nobody hardly uses them anymore, we use whatsapp here most of the time
Incoming texts are free though?
Most of you aren't understanding, from what I'm reading. Your incoming SMS may be free in your country, but in the United States, the carriers charge for BOTH incoming AND outgoing SMS. $.20 a message is the standard rate. The reason why our rates are so high is because we get our phones on a subsidy (i.e., the carriers pay for the phone and we, as a consumer, sign a contract to pay back the remainder, usually after two years). It had changed to where the payments are split over 24 months, like with T-Mobile and Verizon, but that's only if you have excellent credit. And full-retail devices are an option, but $600 for a cell phone just isn't in the cards for most of us. Sooo yeah, be happy you have a provider that charges you much less for your phone pricing. :)
We in Europe have subsidised handsets too. I have the impression that having a cell phone costs a lot in the US. Have a look at Carphone Warehouse in the UK for example.
This is so revolutionary! now they must be the best email client, maybe I will start using Yahoo again /s
Outlook already has that.
Does it? I know I has 2-step verification, but I haven't seen this exact feature on Outlook.com yet. Can you explain how to enable it?
There's a link when signing in with a Microsoft Account to "Use a code instead". I think it used to be just below the password box
Lets see when you lose your Phone ;P
These days most of the mailing service providers use two-step authentication service for better security (Apple is latest to them). Yahoo! is giving more priority to the 2nd step (instead of both)
No they are not prioritizing the second step since there is only one step. This is one factor authentication just like the password! And its just as valid as a password. Perfectly authenticating someone means checking identity so that whenever a service is used it can be inferred that the person linked to the username was actually the one using it. How do you check identity? Asking for something or a bunch of things that are unique to that person: Something the person knows(pw, security question etc), something the person has (phone, document, key, chip card etc), something the person is(biometrics, voice, typing characteristic etc). All of them are valid and have pros and cons. The more you require, the closer you get to perfect authentication the higher the costs, be it money or time.
I prefer my authenticator app and two-step. Better security. I have it on everything from Twitter and Facebook to Yahoo, Outlook, Apple, and Google *shudders*. Good hell....I'm a digital crazy Nazi! ;) lol
Is Yahoo even still a thing...? Here in NZ, my ISP moved it's webmail to Yahoo. Worst move ever.
In canada one of the bigger cable operators has had it for about 13yrs.
Well if your ISP is using it, then I think its still a thing, so you answered your own question.
Microsoft already have something similar... They sent me before text message to verify my login.
That's two-factor authentication. With Yahoo's new service, the verification key delivered to your mobile is the only password required to login.
I think the outlook two layer thing is better, anyone who has my phone can easily access the Yahoo account, for example in my case my roommates have access to my device. So not that effective.
So, the benefit being I can steal your phone and steal your account even without a password. Two factors is better, IMO. Something you know AND something you have.
I would love to see biometric login facility in future to be implemented in all of the services. Windows 10 is one step ahead for the future investment.
yea, but that's as a second layer of security, this is replacing the password with that
Two step authentication is vulnerable bcoz there is some bypass process to get access to your password, but authentication only via real time password message is very secure as it changes randomly.
Would be better if they had something like the Authenticator app which saves time rather than waiting for a msg that may never come, in some cases
And the hassle if your mobile conks out or you want to login to a third party app
Not at all. If you're missing the app, you still can get texts... I do this for my MSFT account frequently when I use different phones.
Have the Authenticator app on multiple phones?
Yes I have
So anybody with your phone can log into your email?
Yahoo have the worst login system as it is, so makes sense they need to make it less secure so people can actually get into their own accounts.
Yeah it's pretty hard to reset password as it is. Unless the account is an isp secondary address
The days of pc chatting were so nice. Yahoo messenger was where I used to chat with my aunt abroad.
Relying on sms every time I need to log in my email? That's a big NOPE.
Agreed
When I'm out of country, my att text message cost goes up to like 50 cents per text. So that will be my cost of login each time I use Wi-Fi to get into my yahoo account. Thankfully I rarely use it.
No two factor authentication is much better than this.
Sounds annoying, tbh.
And if u forger to paid ur bill jajajaja and switch phone number jajajajjaja
I see things going like this "Let me just log into my email and...damn guess I have to wait for that text...oh shit I changed my phone number and after telling my parents, my job, and facebook I forgot to tell Yahoo! Not that I could have logged in anyway without my old number!"
Thats why you stay logged in
I think he meant when he is on a pc or another device
I've been doing this on my owa account at my school for a year or two, not talking about two step verification either. It's nice!
No thank you Yahoo.
...Software giant..
That also left me scratching my head.
What if your phone is stolen? The thief can now just get a text and have yor mail as well, and you no longer have access at all, unless there is still a standard password option, which kind of defeats the purpose of this whole thing. I just don't see a positive with this as oposed to a simple double verification with an app that generates your second key.
You are thinking too far. And considering that your phone might have been stolen your first responsibility will be to lock your phone. Because I think you can block your number anytime calling to the customer care number from another phone. But I don't think the thief will show more interest of getting SMS only to get access your yahoo account, not any others.
Unless your email account is a way to access your bank info.
Arghya, actually, you aren't thinking enough. This is an awful level of "security" and no one should be using it.
No thanks, yahoo is outdated
I already have to use a workaround to get my @yahoo.com.au email to sync on my phone. This is only going to add more work.
This is a shitty feature. The last time I logged in Yahoo, it asked me to receive an sms to login so I waited and waited until after 1 day there is still no verification code!! Will not use Yahoo anymore!
This is caused by mobile network error. As soon as your password request reach Yahoo server, they send you the code. But sometimes your operator got busy, so it reaches after.
Yeah, so Yahoo needs to consider that happening to people.
Ughhh! I hate how yahoo keeps making me change passwords
Or you could just use a password manager. It's more secure anyway.
sending the verication code using text in phone. Just wondering if sending the verication using text messaging is safe?
Simplify?? I hope this doesn't become mandatory. How about clients syncing yahoo Emails, how would they be affected?
You will be needed an app-specific password customized by your own.
Very bad move. I don't want to wait for a stupid sms and then take out my phone from pocket, open my phone with a password, go to sms and then after this I see a code which I enter. It is simple to remember one password, and on my PC, I click on remember me, so it is not much of a hassel.
This is not mandatory. You can choose the alternative either.
Then its fine.. I thought they made it mandotary
I have no roaming, so I can't log in outside my country? Or what if my operator doesn't network coverage on place where I need to log in?
@WURMiL:
You only access your E-Mail where it ducking pleases Yahoo! Got that?!
Now that's annoying
How secure is your mobile phone? Nobody got that thought? Right now it is much easier to hack mobiles
As a tech support rep for a large tech company providing assistance to people with all different kinds of email accounts, YAHOO users do not remember their passwords!
They're all 45+ years old and tech clueless.
To be fair, those users do not often forget their password (mostly they have the same pasword or write it down).
Last used the Yahoo account when it was Yahoo!, and the spam was fantastic.
I only use my Yahoo! id to share my feedback at answers.yahoo.com .
Who gives a duck about that, since Yahoo! seems to hate Windows Phone just as much as Google...
Yahoo uses Bing search
This is about as much use as a chocolate fire guard. What happens when you lose your phone, when your service is cut off, or when the network is down or when you simply change number? About as archaic as whatsapp...
What could possibly go wrong?
Used Yahoo years ago, hence already forgotten my password. At least Yahoo knows what people are using! :)
If a user lost his/her phone then they will not be able to access their webmail/contacts for a short period of time. I am still wondering whether they overlooked this possibility or simply ignored this scenario?
Lol whenever I have the option to send password to mobile, i tend to pick any alternative ...i hope other companies dont follow in these footsteps. On that note I quite like using the authenticator app. Once its all setup it's simply quick and easy.
I wish all the password can replace with biometric : Fingerprint, retina scan........ Then there is need to remember anyway password :)
I left trust on yahoo when they choose that as their new logo instead of many beautiful users created. Silly na?
Only in India. Hai na?
Just switched to outlook long time ago..
This may be more secure, but not simpler.
Forget Yahoo..... Done :-)
It's not gona work good... What if I forgot to bring my phone to office... And what if a friend of mine gets access to phone..he gets access to password too... Its tightening security for id owner only.. And making way easier for other to get access.
I have never used yahoo.
Yahoo Serious?
Ah well...there are a whole bunch of us who are going to have to give up on Yahoo...as crew on ocean going ships, it is a tad bit hard to get a cellphone signal 100's of miles out to sea.
I dont like ymail at all. It was my first email. Had it for years. Just to many issues. I like outlook so much better. So i am abandoning it with no regrets.
Dumped Yahoo a couple years ago when they effed-up thier news pages and email. Best move ever. I'm also, Google free.
How is this going to work with email clients?
Security by obscurity.
whose the fucking idiots running this company, I still get spam and can't even log in at times...but these dummies want me to check my phone if I am on my tablet.
This article seems very similar (including title) to engadget's article. I understand talking about the same topics but this is too close http://www.engadget.com/2015/03/15/yahoo-on-demand-passwords
Oops! I forgot my Yahoo! password!
Yahoo should first care of brings applications for Windows phone and later try of add extra safety to the mail. I'm user of Yahoo and it's frustrating, don't have messenger on Windows phone the login alternative is good but if, lost the phone, don't know how will, get, back to your email.
Ha! Yahoo is still alive?!?
They need to do something. Yahoo is the easiest and most frequently hacked mail out there. But this is just gonna make it a pain if you have to request a new password everytime.
Stopped using Yahoo as Microsoft have closed my Nokia Ovi account, which was powered by Yahoo. This new rule would have made me close it anyway, as what happens when I don't have a mobile signal, or am roaming and don't want to pay for data?
So gain access to someone's phone and you're in?
This won't work for someone who is in a PCI-compliant office (can't have your cell phone out).

Show more comments