The danger of Yahoo’s new ‘on demand’ password feature

Whatever you do, don’t lose your phone.

In an age where digital security and privacy are slowly becoming nonexistent, Yahoo has a new way to make your accounts even less secure. 

That’s right, with Yahoo’s new “on demand” passwords, you completely ditch your password and replace it with a time-sensitive code that’s sent to your phone or tablet through an app or text message. It’s like two-step verification without the password step.

In other words, users of the “on demand” feature no longer enter their regular passwords. Instead, they simply enter the one-time code. 

Because the “on demand” code is only valid for a limited time, the system theoretically removes some of the dangers of having your login credentials stolen and used to hijack your account. It also eliminates the need to create a strong password that’s hard to remember—and the tendency to use passwords that are downright horrible.

There’s just one problem.

If your phone is lost or stolen, your Yahoo account is at risk. “On demand” passwords take the first, most crucial step out of two-step verification: a strong password. Yahoo’s “on demand” passwords are intended to make logging into your accounts a little more convenient, but you sacrifice security in the process.

Yahoo already offers one of the best ways to secure your accounts: two-step verification, which requires both a password and a verification code, provides an extra layer of protection if your password were compromised or if your mobile device were stolen.

While “on demand” passwords may be a step back in securing your accounts, Yahoo is making strides in the other direction: email encryption. The company announced Monday that it is working on a system that allows users to easily use end-to-end PGP encryption, one of the most sophisticated encryption methods, through a simple browser plugin. Yahoo says the plugin will debut in the fall.

Here’s a video of the plugin in action. On the left is the traditional process for setting up PGP encryption for your email:

H/T The Verge | Illustration by Max Fleishman

William Turton

Once named one of Forbes’ 20 Under 20 and hired as a staff writer for the Daily Dot when he was still a senior in high school, William Turton is a rising tech reporter focusing on information security, hacking culture, and politics. Since leaving the Daily Dot in April 2016, his work has appeared on Gizmodo, the Outline, and Vice News Tonight on HBO.