Yahoo Mail moves away from password sign-ins with push notifications for mobile access
Fri 16 Oct 2015

Amongst a slew of new features and improvements announced today for Yahoo Mail on mobile platforms is Yahoo Account Key, which allows users to sign in to their accounts by receiving a push notification instead of typing a password in.
“No matter where you are on the internet, passwords are a pain,” writes Jeffrey Bonforte, Senior Vice President of Communication Products at Yahoo. “Account Key uses push notifications to provide a fast and secure way for you to access your Yahoo accounts from your smartphone. It frees you from memorizing complicated passwords, making signing-in to your Yahoo Mail app easy as tapping a button.”
In March of this year Yahoo introduced On Demand Passwords, which also uses the phone number associated with a user’s account as a kind of ‘hard ID’ for access. On request it sends a verification code similar to those generated by multi-factor devices associated with online banking, and by service providers such as Google, though in the latter case only to address problems such as a forgotten password or a need to authenticate in the event of evidence of a security breach.
Effectively, Yahoo Account Key cuts the retyping out of On Demand Passwords, relying more on the singularity of the associated phone number than on any hardware it might be activated on.
There are network considerations in adopting what is usually a low-frequency, high-security measure as a standard login procedure, but presumably Yahoo believes that it’s worth the expense and effort, particularly in light of the fact that the company had to force a great number of users to change their passwords after the breach of a third-party database in January of 2014.
It’s an interesting move in the continuing search for some uncopiable token, real or virtual, that can uniquely identify an individual for purposes of logging into network services. This week the UK government, which abandoned its earlier thought to force citizens to associate their use of government services with their Facebook IDs, has approached the issue by beginning a beta rollout of its GOV.UK Verify scheme. In the scheme a limited number of public or private entities, including the Post Office, personally authenticate citizens one time before allowing them to access a range of government services. The service also requires inputting a code sent to the user’s mobile phone.