Skip links

Yahoo Japan strives for universal passwordless authentication

Yahoo Japan has revealed that it plans to go passwordless, and that 30 million of its 50 million monthly active users have already stopped using passwords in favor of a combination of FIDO and TXT messages.

A case study penned by staff from Yahoo Japan and Google’s developer team, explains that the company started work on passwordless initiatives in 2015 but now plans to go all-in because half of its users employ the same password on six or more sites.

The web giant also sees phishing as a significant threat, and has found that a third of customer inquiries relate to lost credentials.

“From a security perspective, eliminating passwords from the user authentication process reduces the damage from list-based attacks, and from a usability perspective, providing an authentication method that does not rely on remembering passwords prevents situations where a user is unable to login because they forgot their password,” the case study states.

Yahoo Japan’s replacement is either authentication by one-time codes sent by SMS, or the Fast Identity Online (FIDO) standard.

When using SMS, the company is fond of using techniques that allow Apple’s iOS and Google’s Chrome browser to read and enter incoming one-time passwords so that users have nothing to do to arrange authentication.

Users are encouraged to use authenticator apps that work with FIDO and WebAuthn, with one-time codes generated on the device used to access Yahoo Japan.

“The greatest difficulty for offering passwordless accounts is not the addition of authentication methods, but popularizing the use of authenticators,” the case study states. User experience is therefore paramount.

Yahoo Japan has therefore used tricky moments to promote adoption – when users sign up for services like e-commerce that have high fraud potential, or reset forgotten passwords, they receive suggestions to adopt authentication methods that are more secure and easier to use.

Users are encouraged to use the same authentication method on all their devices, but Yahoo ! Japan recognizes that’s not easy or possible for all, and so will tolerate mixed methods. The company also envisages operating multiple methods for the foreseeable future.

The company’s efforts have worked, in two dimensions.

“The percentage of inquiries involving forgotten login IDs or passwords has decreased by 25 percent compared to the period when the number of such inquiries was at its highest,” the case study explains. Yahoo Japan has also seen a decline in unauthorized access as its number of passwordless accounts rises. ®