Yahoo! Japan wants universal passwordless login • The Register

Yahoo Japan has revealed that it plans to do away with passwords and that 30 million of its 50 million monthly active users have already switched from using passwords to a combination of FIDO and text messages.

A case study written by Yahoo Japan staff and Google’s developer team explains that the company started working on passwordless initiatives in 2015, but now plans to move forward because half of its users use the same password on six or more sites.

The web giant also sees phishing as a significant threat and found that a third of customer inquiries were for lost credentials.

“From a security perspective, eliminating passwords from the user authentication process reduces damage from list-based attacks, and from a usability perspective, providing a method of authentication which does not rely on remembering passwords prevents situations where a user cannot log in because they forgot their password,” the case study states.

Yahoo Japan’s replacement for passwords is either authentication by one-time codes sent by SMS, or the Fast Identity Online (FIDO) standard.

When using SMS, the company likes to use techniques that allow Apple’s iOS and Google’s Chrome browsers to read and enter incoming one-time passwords, so users don’t have to do anything to arrange authentication.

Users are encouraged to use authenticator apps that work with FIDO and WebAuthn, with one-time codes generated on the device used to access Yahoo Japan.

“The biggest challenge in delivering passwordless accounts isn’t adding authentication methods, but popularizing the use of authenticators,” the case study says. The user experience is therefore paramount.

Yahoo Japan has therefore taken advantage of awkward moments to promote adoption – when users sign up for services like e-commerce that have a high potential for fraud, or reset forgotten passwords, they receive suggestions to adopt more secure and easier-to-use authentication methods.

Users are encouraged to use the same authentication method on all their devices, but Yahoo! Japan recognizes that this is not easy or possible for everyone, and will therefore tolerate mixed methods. The company also plans to leverage multiple methods for the foreseeable future.

The company’s efforts have worked, in two dimensions.

“The percentage of requests involving forgotten logins or passwords decreased by 25% compared to the period when the number of such requests was at its highest,” explains the case study. Yahoo Japan has also seen a decline in unauthorized access as its number of passwordless accounts increases. ®