Yahoo is switching to password-less authentication
According to a recent announcement made by the company, you will soon no longer need to enter a password in order to sign in to your Yahoo Mail account. The new security method will be called Yahoo Account Key and is basically the two-step authentication procedure, but without the first step. The Account Key feature has started rolling out today along with the new Yahoo Mail app, so it should already be available to US users. Additionally, this authentication method will soon be added to every other Yahoo service that requires a user account.
From now on, if you choose to use the Account Key feature, whenever you try to log in to your Yahoo Mail account, you will receive a notification on the device that you linked to the account. Unlike with two-step authentication, you will no longer receive a code that you then need to type; instead, you will have to tap 'Yes' on the notification window that shows up on your smartphone. While this seems incredibly simple and takes away the pain of memorizing complicated passwords, there are a lot of questions that are yet to be answered.
To be completely honest, I'm not sure that I like this idea, and here are a few reasons why. If you had two-step verification on, whoever wanted to gain access to your account would need to know your Yahoo ID and password and to have access to the attached mobile device. But if you enable Account Key, anyone who knows your Yahoo address (so anyone you've ever emailed) can log into your account as long as he or she has 2 minutes alone with your phone. Another thing that worries me is spamming. Before, you needed to enter both the username and the password correctly in order for Yahoo to send you the message with the verification code, but now, everyone who knows your email can keep trying to log in, thus making your phone spam notification after notification. Since Yahoo's official announcement didn't contain any details about these kinds of situations, I would recommend that you don't activate the Account Key feature until the company clarifies these matters.
I find it hard to believe they removed the first step, i.e. I think you still would have to know the Yahoo ID *AND* the password before they would ever send that notification to the phone. If they're not doing that, I'm not using that feature.