Today, I noticed that Yahoo has a new option for security called "Passwords On Demand". Rather than entering a password you know, it sends you a one-time password through an SMS message on a verified mobile phone. Seeing that I have two-factor authentication on anything that has the option, including my Yahoo account, I thought little of it.
Then I began listening to Security Now episode 499, and Steve Gibson spoke of the feature. Leo Laporte mentioned that it is actually less secure, at which point Steve agreed that it is less secure simply because someone from the government or a hacker could put malware on your phone to intercept your text messages, or simply obtain your phone to log in.
Deciding to give it a shot and see what it does, I swiftly changed my password options to use it. I received a one-time password consisting of eight letters, which I used to log in. That is when it dawned on me that this is not for people like Steve Gibson, who are security-savvy, or even myself, who happen to be tech-savvy. This is for people who have issues remembering passwords and end up writing them down somewhere, and do not want to bother with two-factor authentication. It is for the normal user who simply does not want to be bothered with advanced security.
In many ways, it is a brilliant solution for people who need something like it without wanting to bother with remembering a password, or the hassle of using LastPass or KeePass. Even though I use KeePass, I honestly find it annoying. Even two-factor takes so much time, when I would rather be dealing with other things or actually writing down information instead of wasting time to log in.
Once again, I feel like experts are blinded by their own ideals, seeing only one side of a multi-sided issue. I will not comment on the fact that there was technically a conflict of interest when Steve started talking about his own product, as I will not argue that his SQRL product is a safer option. Steve is very professional in that regard, and I have no doubt that he was aware of the CoI issue.
Regardless, I believe that many within the tech industry will needlessly attack this idea as "bad", despite its actual use case for real security. It is rather sad, as this means that good ideas can be ruined very quickly. We shall see what it brings, though.