IT World Canada

Yahoo to experiment with one-time passwords for accounts

Two-factor authentication is increasingly being used to ensure safer logins to popular email and social media sites.

The latest refinement comes from Yahoo, which for about a year has offered its email subscribers a version of TFA that sends a coded number to a smart phone; the number has to be entered to confirm a user’s identity.

On Sunday it announced a refinement for American subscribers: For greater security it will text a one-time password to a smart phone, so users won’t have to remember a (hopefully) complex series of letters and numbers to log in.

Presumably if U.S. subscribers warm up to the idea it will be rolled out to other countries.

There are several problems with the idea, which are the same ones for any second-factor ID sent to a mobile phone: First, what if the phone isn’t with you or you don’t have wireless access when you’re trying to log in? Pretend for a moment you’re trying to use a hardwired PC in a hotel business centre but your spouse has your phone. Or your phone can’t get a signal from inside the building.

Second, it assumes your phone can only be used by you because there’s a login password needed on the device. And, what’s more important, that you haven’t configured your phone to display incoming texts regardless of the screen lock. If your phone is stolen and the thief knows your Yahoo username and then sees the one-time password, you’re cooked.

Still, it is an improvement, and every step that betters security is welcome.
