SAN JOSE, Calif. — Tired of trying to remember a different password for each of your online accounts? Or worried about re-using the same password too many times? You’re not alone. Tech experts agree that traditional passwords are annoying, outmoded and too easily hacked.
This week, Yahoo and Microsoft offered up some alternatives: Yahoo says it can text temporary passwords to users’ phones each time they want to sign into their Yahoo accounts. Microsoft says it is building facial-recognition and fingerprint-identification technology into Windows 10, the new computer operating system coming this summer, so users can log on with their fingertip or face. The two approaches drew different reviews.
Here’s what you should know:
New day, new password
Convenience and security. That’s what Yahoo is promising users who choose to receive a single-use password “on demand” — sent by text message to their mobile phone each time they want to sign into their Yahoo account. Once you opt into the program, there’s no more need to create or memorize a password for Yahoo’s email or other services.
Not a good move, experts say.
“Yahoo just made it easier for attackers to compromise an account,” said Tim Erlin, risk strategist for the cybersecurity firm Tripwire. Temporary passwords can fall into the hands of anyone who steals your phone. While most phones can be set to require a separate password to unlock the home screen, many people don’t bother to do so. Phones can also be infected with malware that intercepts or copies text messages, he said.
Though it may be convenient, Erlin said, Yahoo’s on-demand option is a step backward from another alternative the company offers, known as two-factor authentication. With that option, users must provide both a traditional password and a one-time code that is texted to their phones. That’s considered stronger because a hacker would need both to get into a user’s account.
Yahoo security chief Alex Stamos agrees that two-factor authentication is stronger. But many people don’t use it, he said in an online post defending against critics. Instead, people too often recycle short passwords that are easier to type, especially on small phone screens, but also easy for hackers to guess, he said.
Since most online services let users reset passwords by sending a text or email to their phones, users are already vulnerable if they lose their device, Stamos argued.
“The truth is that passwords are so incredibly, ridiculously broken that it is almost impossible to keep users safe as long as we have any,” Stamos wrote on his Twitter account. He said Yahoo is working on other solutions.
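To make the trade-off the two sides are arguing about concrete, here is an added example (not Yahoo's code, nor anything from the article's sources) that models a login server which supports both modes described above: an on-demand mode where the texted code is the only secret, and a two-factor mode where a memorised password and the texted code are both required. The account name, phone number, password, the five-minute code lifetime and the in-memory store are all constructed for the example; the point it demonstrates is the one Erlin makes, that someone who can read the handset's SMS gets in under on-demand mode but not under two-factor mode, plus the single-use and expiry checks a practitioner would expect on any texted code.

```python
import hashlib
import hmac
import os
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed code lifetime; the article does not state Yahoo's actual window


class AccountStore:
    """In-memory stand-in for a login service (constructed for this example)."""

    def __init__(self):
        self.users = {}      # username -> {"salt", "pw_hash", "phone"}
        self.pending = {}    # username -> {"otp", "expires", "used"}
        self.sent_sms = []   # (phone, code) pairs the "carrier" delivered; malware on the handset sees these

    @staticmethod
    def _hash(password, salt):
        # Slow salted hash so a leaked store does not hand over passwords directly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password, phone):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw_hash": self._hash(password, salt), "phone": phone}

    def check_password(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], self._hash(password, rec["salt"]))

    def send_otp(self, user, now=None):
        """Generate a fresh six-digit code, invalidate any earlier one, and 'text' it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = {"otp": code, "expires": now + OTP_TTL_SECONDS, "used": False}
        self.sent_sms.append((self.users[user]["phone"], code))

    def check_otp(self, user, code, now=None):
        """Accept a code only once, only before it expires, compared in constant time."""
        now = time.time() if now is None else now
        p = self.pending.get(user)
        if p is None or p["used"] or now > p["expires"]:
            return False
        if not hmac.compare_digest(p["otp"], code):
            return False
        p["used"] = True
        return True

    def login_on_demand(self, user, code, now=None):
        # On-demand mode as the article describes it: the texted code is the only secret.
        return self.check_otp(user, code, now)

    def login_two_factor(self, user, password, code, now=None):
        # Two-factor mode: both factors are checked; the code is consumed even if the
        # password is wrong, so one texted code never buys more than one attempt.
        pw_ok = self.check_password(user, password)
        otp_ok = self.check_otp(user, code, now)
        return pw_ok and otp_ok


def demo_stolen_sms(now=1_000_000.0):
    """Walk through the scenarios in the article with a reader who sees every SMS."""
    store = AccountStore()
    store.register("alice", "correct horse battery staple", "+1-555-0100")  # constructed
    results = {}

    store.send_otp("alice", now)
    seen = store.sent_sms[-1][1]          # the digits the handset (or malware on it) received
    results["on_demand_with_intercepted_sms"] = store.login_on_demand("alice", seen, now)

    store.send_otp("alice", now)
    seen = store.sent_sms[-1][1]
    results["two_factor_sms_only"] = store.login_two_factor("alice", "wrong guess", seen, now)

    store.send_otp("alice", now)
    seen = store.sent_sms[-1][1]
    results["two_factor_password_and_sms"] = store.login_two_factor(
        "alice", "correct horse battery staple", seen, now)
    results["replayed_code"] = store.login_two_factor(
        "alice", "correct horse battery staple", seen, now)

    store.send_otp("alice", now)
    seen = store.sent_sms[-1][1]
    results["expired_code"] = store.login_on_demand("alice", seen, now + OTP_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, ok in demo_stolen_sms().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

Running it shows the first scenario succeeding and the rest failing, which is the whole of Erlin's objection in one table: the two-factor path rejects the intercepted code on its own, while on-demand mode accepts it. Stamos's counter-argument, that SMS-based password reset already exposes most accounts to phone theft, is outside what this model covers.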
The concept of logging in by scanning your fingerprint or face used to seem like sci-fi. But the future is here.
Microsoft said this week that it is building “biometric authentication” technology into the next version of its Windows software, so that users can unlock computers or phones with their face, iris or fingerprint. The devices must have a fingerprint reader or a high-end camera with infrared sensors, which are becoming more common.
Windows 10 users may also be able to use their face or fingerprint to sign into other online accounts. Microsoft is providing related software to builders of independent apps and websites so they too can verify a user’s identity through a combination of biometrics and an encrypted code automatically generated by the user’s computer or phone, Microsoft Vice President Joe Belfiore wrote in a blog post.
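The "combination of biometrics and an encrypted code automatically generated by the user's computer or phone" is a challenge-response pattern: the site sends a fresh random challenge, the device answers it with a key it holds locally, and it only does so after the biometric sensor has matched. The following is an added example, not Microsoft's code or its actual protocol, with one simplification that should be stated up front: it uses HMAC-SHA256 as a stand-in for a real digital signature, so the server here holds the same secret as the device, whereas a public-key scheme would let the server keep only a public key. The device name, the 60-second challenge lifetime and the simulated sensor result are constructed. What the example shows is the property that distinguishes this design from a texted code: each response is bound to one server-issued challenge, so a captured response cannot be replayed, and the key is never used unless the local biometric check passed.

```python
import hashlib
import hmac
import os
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid; assumed for the example


class Device:
    """The user's phone or PC: holds a per-device secret that is only used after a local biometric match."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._secret = os.urandom(32)  # generated on the device at enrolment
        self.biometric_match = False   # would be set by the fingerprint reader or camera; simulated here

    def enrollment_record(self):
        # Sent to the server once. With a real signature scheme this would be a public key;
        # because HMAC is the stand-in here, the same secret bytes are shared (a simplification).
        return self.device_id, self._secret

    def respond(self, challenge):
        if not self.biometric_match:
            return None  # sensor did not match: the key is never touched
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """The website or app back end that verifies device responses."""

    def __init__(self):
        self.devices = {}     # device_id -> verification secret
        self.challenges = {}  # device_id -> (nonce, expiry time)

    def enroll(self, record):
        device_id, secret = record
        self.devices[device_id] = secret

    def issue_challenge(self, device_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(32)  # unpredictable, never reused
        self.challenges[device_id] = (nonce, now + CHALLENGE_TTL)
        return nonce

    def verify(self, device_id, response, now=None):
        now = time.time() if now is None else now
        entry = self.challenges.pop(device_id, None)  # a challenge is consumed on first use, pass or fail
        if entry is None or response is None or device_id not in self.devices:
            return False
        nonce, expires = entry
        if now > expires:
            return False
        expected = hmac.new(self.devices[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo_device_login(now=2_000_000.0):
    """Run the four cases a reviewer of such a scheme would want to see."""
    dev = Device("laptop-1")  # constructed device id
    srv = Server()
    srv.enroll(dev.enrollment_record())
    out = {}

    # 1. Sensor did not match: the device produces no response at all.
    n = srv.issue_challenge("laptop-1", now)
    out["no_biometric_match"] = srv.verify("laptop-1", dev.respond(n), now)

    # 2. Sensor matched: the device answers the current challenge and the server accepts it.
    dev.biometric_match = True
    n = srv.issue_challenge("laptop-1", now)
    resp = dev.respond(n)
    out["biometric_match"] = srv.verify("laptop-1", resp, now)

    # 3. The same response presented again, against a fresh challenge, is rejected.
    srv.issue_challenge("laptop-1", now)
    out["replayed_response"] = srv.verify("laptop-1", resp, now)

    # 4. A correct response that arrives after the challenge expired is rejected.
    n = srv.issue_challenge("laptop-1", now)
    out["expired_challenge"] = srv.verify("laptop-1", dev.respond(n), now + CHALLENGE_TTL + 1)
    return out


if __name__ == "__main__":
    for name, ok in demo_device_login().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Compare case 3 with the texted-code model: an SMS code is a bearer secret that is valid wherever it is typed until it expires, while a challenge-bound response is worthless anywhere except against the one nonce it was computed for. That binding, not the biometric itself, is what makes the generated code hard to steal by reading the user's messages.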
Google already offers facial recognition as an option for unlocking Android phones, although it’s not widely used. Early versions were criticized as unreliable, but the technology has improved, said Anil Jain, a biometrics expert at Michigan State University. Apple and Samsung offer fingerprint identification to unlock some phones; Apple also uses it to authorize purchases through Apple Pay.
It’s too early to know if Microsoft’s system will be effective or gain wide acceptance, Jain cautioned. But alternatives to passwords are definitely needed, said fraud expert Al Pascual, who studies the banking and payments industry at Javelin Strategy & Research.
Too many people use the same password for multiple accounts, and those passwords are routinely stolen by hackers.
“The password today,” he said, “is more of a liability than any kind of security measure.”