By Joe Dysart
Beyond the Password
Yahoo Thwarts Online Hackers With New Security Tech
Those vague promises that hackable passwords would one day be replaced with much more secure alternatives to protect our digital lives are finally coming true. Yahoo has come out with a new app called Account Key for smartphones that has completely eliminated the need to use an ID and password to access e-mail. Instead, users trying to log onto Yahoo e-mail can now be sent a message to their smartphones asking, “Are you trying to log on?” When the user provides a single tap “Yes” on the smartphone screen, Yahoo instantly provides access to the e-mail, completely eliminating the need to enter an ID or password.
“Passwords are difficult to remember, and secondary sign-in verification is inconvenient and confusing,” said Dylan Casey, vice president of product management at Yahoo. “We’re now taking a major leap toward a password-free future with the launch of Yahoo Account Key.”
Yahoo pulls off this feat by first asking a user to access his or her e-mail account in the traditional way—using an ID and password—and then downloading a smartphone app that deactivates that same ID and password. The app then replaces the ID and password with a digital account key, which is permanently stored on the user’s smartphone.
The next time the user attempts to log on to his or her Yahoo e-mail account, Yahoo asks if the user is looking to access e-mail, wirelessly detects the account key on the user’s phone, and grants access to the e-mail account when the user taps “Yes.”
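The article does not describe the protocol behind Account Key, so the following is an added sketch, not Yahoo's code. It models the flow above as a challenge-response exchange. It assumes a shared-secret HMAC key installed on the phone at enrollment; the `Server` and `Phone` classes and the 60-second prompt lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a login prompt stays valid (assumed value)


class Phone:
    """Holds the account key installed at enrollment (hypothetical model)."""

    def __init__(self, account_key: bytes):
        self._key = account_key

    def respond(self, challenge: bytes, user_tapped_yes: bool):
        # The key is used only when the user approves the prompt.
        if not user_tapped_yes:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self._keys = {}     # account -> enrolled key
        self._pending = {}  # challenge -> (account, expiry time)

    def enroll(self, account: str) -> Phone:
        # Done once, after a traditional ID-and-password sign-in.
        key = secrets.token_bytes(32)
        self._keys[account] = key
        return Phone(key)

    def start_login(self, account: str, now=None) -> bytes:
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(16)  # fresh random value per attempt
        self._pending[challenge] = (account, now + CHALLENGE_TTL)
        return challenge

    def finish_login(self, challenge: bytes, response, now=None) -> bool:
        now = time.time() if now is None else now
        # pop() makes each challenge single-use, so a captured
        # response cannot be replayed later.
        account, expiry = self._pending.pop(challenge, (None, 0))
        key = self._keys.get(account)
        if key is None or response is None or now > expiry:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

The security of such a scheme rests on the key never leaving the phone and on the server rejecting stale, reused or wrongly signed responses, which is what `finish_login` checks.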
The implications of Yahoo’s digital security technology are enormous. Granted, security pros have been successfully developing alternative methods for securing the digital world for years. But this is the first time a major corporation with a global reach (Yahoo) appears to have revolutionized the security on one of the most commonly used digital products on the planet (e-mail). If Yahoo’s new technology withstands the inevitable onslaughts from hackers looking to kill it in its crib, Account Key could usher in an entirely new era in digital security.
“The widespread practice of typing usernames and passwords to log on to the Internet might soon become obsolete,” said Robin Murdoch, managing director of Internet and social business for Accenture. “Consumers are increasingly frustrated with these traditional methods because they are becoming less reliable for protecting their personal data, such as e-mail addresses, mobile phone numbers and purchasing history.”
Indeed, according to Accenture’s 2015 Digital Consumer Survey (http://tinyurl.com/newsroom-accenture), 77% of consumers in 24 countries said that they are interested in using alternatives to protect Internet security. Moreover, those same consumers are very squeamish about the current level of online security: 54% of those surveyed said that they simply don’t believe their data is secure.
Fortunately, Yahoo is not the only global player working furiously to beat back the ne’er-do-wells of cyberspace. Apple Pay users, for example, already rely on their thumbprints to make purchases using their iPhones, not an ID and password.
MasterCard is currently pilot-testing an online ID verification system called Identity Check for shopping. It relies on a fingerprint scan or a selfie taken by the shopper to authenticate a purchase.
“Today, people shop on all sorts of devices, and they expect technology to simplify and secure the transaction,” said Ajay Bhalla, president of enterprise security solutions at MasterCard. “This is exactly what Identity Check delivers.”
And users of Microsoft’s Windows 10 can replace ID and password access to their computers with Windows Hello. It’s software that offers users the ability to sign in using fingerprint readers or facial recognition—although the facial recognition option requires a high-end depth-perception camera.
Meanwhile, Google has come up with a physical Security Key dongle (https://support.google.com/accounts/answer/6103523) that users plug in to their computer’s USB port to gain access to their Google accounts online.
Even more futuristic is Eyelock (www.eyelock.com), maker of a scanner that grants access to a computer—as well as any number of websites the user would like to use with it—only after it identifies the iris in the user’s eye. Apparently, the human iris is as unique as a fingerprint, and the chances of the device making a false match are one in 1.5 million, according to the maker. And while the iris scanner—called Myris—may sound like sci-fi, it’s already on the market for $280 at big box stores such as Best Buy, Staples and Fry’s.
Even more far-out security technologies include under-skin silicon chips, wearable computer tattoos and ingestible authentication devices with batteries that are powered by stomach acid, according to Jonathan LeBlanc, global head of developer advocacy at PayPal (www.slideshare.net/jcleblanc/kill-all-passwords).
Of course, probably the greatest irony associated with all this new development in alternative security is that if people used passwords intelligently—creating 32-character-long passwords that feature letters, numbers and special symbols—there would be no need for technological alternatives. According to security pros, such passwords are virtually uncrackable.
Chipmaker Intel brings this point home with resounding clarity with its free, online password checker (www-ssl.intel.com/content/www/us/en/forms/passwordwin.html), which tells the user how many years it takes to crack any password. Type in a gobbledygook mishmash of 32 letters, numbers and special symbols, for example, and you’ll find that it takes stupid amounts of computer power—plus approximately 25 years—to crack such a password.
Unfortunately, too few people are willing to tote around and use 32-character passwords made from gobbledygook inputs. And too many—including those entrusted with securing the company secrets stored in their e-mail accounts and on in-house company computers—consequently default to passwords that are often laughably easy to guess.
Even in this day and age, when millions of IDs and passwords are regularly stolen from major corporations, the most commonly used passwords are “123456” and “password,” according to Splash Data (www.splashdata.com), a cyber security firm.
The result is that security pros, company presidents and others who fret daily about the security of their company jewels hope that Yahoo’s new technology, or something similar, will truly frustrate the world’s unscrupulous hackers, at least for a while.
“The future of authentication is free from traditional passwords,” said Geoff Sanders, CEO of LaunchKey (www.launchkey.com), which sells ID authentication technology that includes fingerprint verification, geofencing, facial recognition and other verification alternatives. “We must remove the vulnerability and liability that passwords have created while implementing more secure authentication methods that account for an evolving and diversified landscape of use cases, end users and threats.”
Joe Dysart is an Internet speaker and business consultant based in Manhattan.