Yahoo abolishes passwords: will humanity finally be freed from them?
The convenience and security of SMS one-time passwords
On May 18, Yahoo announced "a function to invalidate the password of a Yahoo! Japan ID". After completing the procedure at the specified URL, users can log in to Yahoo sites and to services supporting Yahoo smart login with a one-time password sent by SMS to their registered mobile number instead of a conventional password. Being freed from tedious password management sounds convenient, but how does it fare on security?
Freelance writer Shinji Nakao
Freelance writer and editor. From editing books at ASCII to working with O'Reilly Japan, he translates, writes, and conducts interviews both in print and on the Web. He writes mostly about IT, but occasionally for automobile-related media. I have been using the internet since the UUCP days (not that I ever mentioned it).
- Passwords reach their limit as list-type attacks catch up
- Yahoo launches a service that allows login without a password
- Easier than the forgotten-password reissue procedure
- The remaining challenge: vulnerabilities in the SMS protocol
- Yahoo moved ahead of GAFA
Passwords have been criticized for years for their shortcomings and annoyances, yet they persist because they are easy to administer centrally and easy to implement in a system. Daily life and business depend ever more on the Internet, and the number of passwords a person needs easily exceeds what any human can manage. Nonetheless, service providers prohibit or restrict reused and easy-to-remember phrases and demand regular changes, and as attacks grow more sophisticated, users are left even more at the mercy of complex password rules. Users only barely reconcile security and convenience by relying on the session-retention features and password managers of their web browsers.

It has again been reported that account credentials numbering in the hundreds of millions to billions are routinely traded on the darknet. Security now has to be considered on the assumption that user account information from major services has already leaked. The leaked data contains duplicates, outdated records, and discarded accounts, so the headline numbers need not be taken at face value, but the problem cannot be left unattended. Major portals, e-commerce sites, and social networks that receive large volumes of unauthorized access every day are in particular being pressed to take drastic measures.

Yahoo presumably announced that passwords can be invalidated for smartphone logins because it judged that drastic action was needed against the growing wave of list-type attacks. The decision was not a sudden one, however. Already in April 2017, Yahoo had begun letting users log in to some of its services with an SMS verification code without ever setting a secret password: when a new account was created for services such as shopping and auctions, a one-time password was sent by SMS.
After roughly a year of operation, some 2 million IDs now log in without a password. Judging from how the measure has worked for new accounts, Yahoo apparently decided that existing accounts could also be allowed to invalidate the password of their Yahoo! Japan ID if the user wishes. For now, smartphone users who have set up the "smart login" function can follow the prescribed online procedure to invalidate their password, after which they log in with nothing but the one-time password sent by SMS to the registered mobile phone number. Because a new code is issued on every login, there is no stored password to be cracked or leaked. An SMS must be received and the code entered on each login, but in principle logins from the same device can be streamlined by using the session ID and token generated when authentication succeeds.

Now that SMS-capable smartphones are ubiquitous and managing passwords for countless services has become unrealistic, the SMS one-time password method is less cumbersome than one might think. For a service you use only occasionally, you often don't remember the password and have to reissue it each time (usually by logging in with a temporary password sent by e-mail); receiving a password by SMS on each login amounts to the same thing. As users become familiar with it, many may come to appreciate the one-time method. Once you are used to receiving an SMS, it is more secure than struggling to manage passwords, reusing them, or logging in with simple phrases, and it also neutralizes the password-list attacks at issue. If Yahoo's approach is received well in the market without major incidents, similar services may switch to the same method.
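The flow described above (a short-lived SMS code that is single-use and attempt-limited, followed by a device token that spares repeat logins from the same device) can be sketched server-side as follows. This is an added illustration, not Yahoo's implementation; the class, method names, 6-digit code format, 5-minute validity and 5-attempt limit are all assumptions, and the code is returned to the caller only so the example can run offline.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300       # assumed: seconds an SMS code stays valid
MAX_ATTEMPTS = 5    # assumed: wrong guesses before the code is discarded


class OtpLogin:
    """Password-less login: SMS one-time code, then a per-device token."""

    def __init__(self, server_key: bytes, clock=time.time):
        self.key = server_key        # HMAC key so a DB leak does not expose live codes
        self.clock = clock           # injectable clock for testing expiry
        self.pending = {}            # user_id -> [code_hash, expires_at, attempts]
        self.devices = {}            # device_token -> user_id

    def _hash(self, code: str) -> bytes:
        return hmac.new(self.key, code.encode(), hashlib.sha256).digest()

    def request_code(self, user_id: str) -> str:
        # A fresh code replaces any earlier pending one for this user.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = [self._hash(code), self.clock() + OTP_TTL, 0]
        return code  # in production this goes to the SMS gateway, never to the caller

    def verify_code(self, user_id: str, code: str):
        """Return a device token on success, None on any failure."""
        entry = self.pending.get(user_id)
        if entry is None:
            return None
        code_hash, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]            # expired or exhausted: discard
            return None
        if not hmac.compare_digest(code_hash, self._hash(code)):
            entry[2] += 1                        # count the wrong guess
            if entry[2] >= MAX_ATTEMPTS:
                del self.pending[user_id]
            return None
        del self.pending[user_id]                # single use: burn the code
        token = secrets.token_urlsafe(32)
        self.devices[token] = user_id
        return token

    def login_with_token(self, token: str):
        # Subsequent logins from the same device present the token instead of an SMS.
        return self.devices.get(token)
```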
SB Creative Co., Ltd.
Business + IT is operated by SB Creative Corp. of SoftBank Group.
Copyright © SB Creative Corp. All rights reserved.