On Sunday at SXSW, Yahoo (YHOO) unveiled a new login procedure that does away with the need for remembering passwords. It’s a welcome advance for digital security, but no panacea.
In recent years, one of the most important developments in digital security has been two-factor authentication, which lets users prove their identity upon log-in by both knowing something (a password) and possessing something (a particular phone, to which the service provider sends a code).
Yahoo’s new log-in mechanism, currently available only for U.S.-based users, is a logical extension and simplification of two-factor authentication. Since the password is no longer king, it’s dispensed with in favor of relying solely on the “what you have” factor.
As people do tend to reuse passwords, and as truly secure combinations of characters are hard to remember, evolving past the password is a welcome move. However, it does put a lot of emphasis on the handset itself as the modern identity card. If you lose your phone – or if you lack the signal coverage needed to receive that all-important text message with the authentication code in it – you’re in trouble.
There are also issues around the use of such mechanisms – and indeed, two-factor authentication systems – when you’re travelling abroad. The cost of roaming mobile services can be high, and many people get local or roaming SIM cards in the countries they’re visiting. As these are associated with different phone numbers, receiving the code for a Yahoo Mail login would mean reinserting one’s domestic SIM card and paying a quarter to take the SMS.
Nonetheless, these potential pitfalls don’t negate the benefits of moving past the password (which remains in place as an option, for now).
We’ll probably see this new model really take hold when wearables like smartwatches become more widespread. Such devices are even more likely than phones to be permanently in hand, and their biometric sensors could be capable of verifying identity through fingerprint, pulse or voice. If battery life can be extended and some safeguards can be put in place for broken/stolen/lost wearables, their use as new-age keys seems inevitable.
Yahoo also showed off its progress in developing a simple way to encrypt and decrypt emails. As with the company’s new login procedure, it’s a caveat-laden step in the right direction.
When it comes to usability issues, the difficulty of remembering strong passwords has nothing on the trickiness of using the end-to-end email encryption technology known as PGP, or “Pretty Good Privacy”. For example, Edward Snowden confidant Glenn Greenwald almost missed the biggest story of his life because he couldn’t figure out how to get PGP running.
So there’s a huge amount of interest in making PGP easier to use, particularly as it would let the big web firms off the hook when spies and law enforcement come knocking for the keys to their users’ encrypted communications. If end-to-end encryption is in use, the keys reside with the users themselves and, much to the chagrin of British Prime Minister David Cameron, there’s no other place to go if you want to decrypt those communications.
Google (GOOG) last year announced that it was working on a browser plugin that would allow Gmail-to-Gmail emails to be encrypted in this way. Yahoo came on board in August, and on Sunday at SXSW showed off the progress it’s been making on its own plugin, which is based on Google’s work.
A video showed how the system would work once it rolls out by year-end, and Yahoo also quite smartly released the plugin’s source code so that security professionals can poke around and hopefully give it greater credibility by launch. This early release of the code also will help other webmail providers create compatible encryption systems, so people can mask their communications with more correspondents.
This trend is not limited to the big U.S. providers. One week ago, the largest German webmail providers, including Deutsche Telekom and United Internet, announced their own browser plugin for end-to-end PGP encryption, developed in conjunction with an open-source project called Mailvelope. This is intended for use with the cross-provider De-Mail system – a government-led initiative to promote identity-verified email over paper for official purposes – but again it sees end-to-end encryption hit the mainstream through the use of relatively simple-to-use browser plugins.
All of this may result in greater privacy to a large extent, but it’s important to realize that end-to-end email encryption has its limits. Today’s email technology is inherently leaky – you can encrypt the contents of the message, but you can’t encrypt the information about who is corresponding with whom and when. This metadata is in itself highly revealing and, until the next generation of email rolls around – perhaps the Dark Mail being developed by PGP creator Phil Zimmermann – no amount of encrypting the contents of an email will achieve full privacy for the correspondents.
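To make the metadata point concrete, here is an added example (not from the article or from any of the plugins it mentions) that reads only the headers of PGP-encrypted messages and still recovers who wrote to whom and when. The addresses, dates and ciphertext placeholder are constructed sample data.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed placeholder standing in for an armored PGP body.
ARMOR = ("-----BEGIN PGP MESSAGE-----\n\n"
         "(ciphertext placeholder)\n"
         "-----END PGP MESSAGE-----\n")

def make(sender, to, date):
    """Build a constructed sample message: clear headers, encrypted body."""
    return (f"From: {sender}\nTo: {to}\nDate: {date}\n"
            f"Content-Type: text/plain\n\n{ARMOR}")

# Constructed sample traffic, as a mail server or network observer would see it.
SAMPLES = [
    make("Alice <alice@example.org>", "bob@example.net",
         "Mon, 16 Mar 2015 09:12:00 +0000"),
    make("bob@example.net", "Alice <alice@example.org>",
         "Mon, 16 Mar 2015 09:40:00 +0000"),
    make("alice@example.org", "bob@example.net, Carol <carol@example.com>",
         "Tue, 17 Mar 2015 22:05:00 +0000"),
]

def bodies_opaque(raw_messages):
    """True if every body is an armored PGP block, i.e. unreadable without the key."""
    return all(
        message_from_string(raw).get_payload().lstrip()
        .startswith("-----BEGIN PGP MESSAGE-----")
        for raw in raw_messages
    )

def observed_metadata(raw_messages):
    """Return {(sender, recipient): [timestamps]} from headers alone."""
    graph = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"])[1].lower()
        when = parsedate_to_datetime(msg["Date"])
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _name, rcpt in recipients:
            graph[(sender, rcpt.lower())].append(when)
    return dict(graph)

if __name__ == "__main__":
    print("bodies unreadable:", bodies_opaque(SAMPLES))
    for (src, dst), times in sorted(observed_metadata(SAMPLES).items()):
        print(f"{src} -> {dst}: {[t.isoformat() for t in times]}")
```

No key is needed for any of this: the routing headers have to stay readable so the mail can be delivered, which is why encrypting the body alone leaves the contact pattern exposed.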
David Meyer (@superglaze) is a technology writer based in Berlin, covering issues ranging from policy and privacy to emerging technologies and markets.