Yahoo’s new on-demand password system is no replacement for two-factor authentication
In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones.
If this sounds like a two-factor authentication system where users need to provide one-time codes sent to their mobile phones in addition to their static passwords, it’s not. Yahoo already had that option.
Instead, the new log-in mechanism, which is based on what Yahoo calls on-demand passwords, still relies on a single factor, the user’s phone number.
Yahoo users—only those based in the U.S. for now—can turn on the new feature from their account security settings on Yahoo’s site. They will need to provide a phone number and then confirm that they have access to it by inputting a verification code sent to them via SMS.