March 2015 – DoGoodSoft's Official Blog

Europol chief warns on computer encryption

A European police chief says the sophisticated online communications are the biggest problem for security agencies tackling terrorism. Hidden areas of the internet and encrypted communications make it harder to monitor terror suspects, warns Europol’s Rob Wainwright. “Tech firms should consider the impact sophisticated encryption software has on law enforcement”, he said.

A spokesman for TechUK, the UK’s technology trade association, said: “With the right resources and cooperation between the security agencies and technology companies, alongside a clear legal framework for that cooperation, we can ensure both national security and economic security are upheld.”

Mr Wainwright said that in most current investigations the use of encrypted communications was found to be central to the way terrorists operated. “It’s become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism,” he explained. “It’s changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn’t provide that anymore.”

Mr Wainwright, whose organisation supports police forces in Europe, said terrorists were exploiting the “dark net”, where users can go online anonymously, away from the gaze of police and security services.

Secret messaging

But he is also concerned at moves by companies such as Apple to allow customers to encrypt data on their smartphones, and the development of heavily encrypted instant messaging apps is another cause for concern, he said.

This meant people could send text and voice messages which police found very difficult or impossible to access, he said.

“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet.[Tech firms] are doing it, I suppose, because of a commercial imperative driven by what they perceive to be consumer demand for greater privacy of their communications.”

Surveillance

Mr Wainwright acknowledged this was a result of the revelations by former National Security Agency contractor Edward Snowden, who exposed how security services were conducting widespread surveillance of emails and messages.

He said security agencies now had to work to rebuild trust between technology firms and the authorities.

The TechUK spokesman told the programme: “From huge volumes of financial transactions to personal details held on devices, the security of digital communications fundamentally underpins the UK economy.

“Encryption is an essential component of the modern world and ensures the UK retains its position as one of the world’s leading economies. “Tech companies take their security responsibilities incredibly seriously, and in the ongoing course of counter-terrorism and other investigations engage with law enforcement and security agencies.”

The programme also found evidence that supporters of the Islamic State (IS) are using encrypted sites to radicalise or groom new recruits.

On one blogging website, a 17-year-old girl who wants to become a “jihadi bride” is told that if she needs to speak securely she should use an encrypted messaging app. The family of 15-year-old Yusra Hussein from Bristol, who went to Syria last year, also believe she was groomed in this way.

Twitter terrorism

The extent of the challenge faced by security services is shown in the scale of social media use by IS.

Mr Wainwright revealed that IS is believed to have up to 50,000 different Twitter accounts tweeting up to 100,000 messages a day. Europol is now setting up a European Internet Referral Unit to identify and remove sites being used by terrorist organisations.

Mr Wainwright also says current laws are “deficient” and should be reviewed to ensure security agencies are able to monitor all areas of the online world. “There is a significant capability gap that has to change if we’re serious about ensuring the internet isn’t abused and effectively enhancing the terrorist threat. We have to make sure we reach the right balance by ensuring the fundamental principles of privacy are upheld so there’s a lot of work for legislators and tech firms to do.”

FBI Quietly Removes Recommendation To Encrypt Your Phone… As FBI Director Warns How Encryption Will Lead To Tears

Back in October, we highlighted the contradiction of FBI Director James Comey raging against encryption and demanding backdoors, while at the very same time the FBI’s own website was suggesting mobile encryption as a way to stay safe. Sometime after that post went online, all of the information on that page about staying safe magically disappeared, though thankfully I screenshotted it at the time:

If you really want, you can still see that information over at the Internet Archive or in a separate press release the FBI apparently didn’t track down and memory hole yet. Still, it’s no surprise that the FBI quietly deleted that original page recommending that you encrypt your phones “to protect the user’s personal data,” because the big boss man is going around spreading a bunch of scare stories about how we’re all going to be dead or crying if people actually encrypted their phones:

Calling the use of encrypted phones and computers a “huge problem” and an affront to the “rule of law,” Comey, painted an apocalyptic picture of the world if the communications technology isn’t banned.

“We’re drifting to a place where a whole lot of people are going to look at us with tears in their eyes,” he told the House Appropriations Committee, describing a hypothetical in which a kidnapped young girl’s phone is discovered but can’t be unlocked.

So, until recently, the FBI was actively recommending you encrypt your data to protect your safety — and yet, today it’s “an affront to the rule of law.” Is this guy serious?

More directly, this should raise serious questions about what Comey thinks his role is at the FBI (or the FBI’s role is for the country)? Is it to keep Americans safe — or is it to undermine their privacy and security just so it can spy on everyone?

Not surprisingly, Comey pulls out the trifecta of FUD in trying to explain why it needs to spy on everyone: pedophiles, kidnappers and drug dealers:

“Tech execs say privacy should be the paramount virtue,” Comey continued, “When I hear that I close my eyes and say try to image what the world looks like where pedophiles can’t be seen, kidnapper can’t be seen, drug dealers can’t be seen.”

Except we know exactly what that looks like — because that’s the world we’ve basically alwayslived with. And yet, law enforcement folks like the FBI and various police departments were able to use basic detective work to track down criminals.

If you want to understand just how ridiculous Comey’s arguments are, simply replace his desire for unencrypted devices with video cameras in every corner of your home that stream directly into the FBI. Same thing. Would that make it easier for the FBI to solve some crimes? Undoubtedly. Would it be a massive violation of privacy and put many more people at risk? Absolutely.

It’s as if Comey has absolutely no concept of a cost-benefit analysis. All “bad people” must be stopped, even if it means destroying all of our freedoms, based on what he has to say. That’s insane — and raises serious questions about his competence to lead a government agency charged with protecting the Constitution.

Multiple Digital Certificate Attacks Affect 100% of UK Businesses

All—as in 100%—of UK organizations have responded to multiple attacks on keys and certificates in the past two years.

The Ponemon Institute found that attacks are becoming more widespread as the number of keys and certificates deployed on infrastructure such as web servers, network appliances and cloud services has grown by 40% to almost 24,000 per enterprise over the past two years.

Russian cyber-criminals, for instance, recently stole digital certificates from one of the top five global banks, enabling them to steal 80 million records, while another attack allowed hackers to steal data from 4.5 million healthcare patients.

Despite the ubiquity of the attacks, a full 63% percent of organizations do not know where all keys and certificates are located or how they’re being used. But at least the attacks have led to a modicum of self-awareness: 60% of all surveyed respondents agreed that they need to do a better job at responding to vulnerabilities involving keys and certificates. And 54% noted that the trust established by keys and certificates that is necessary for online banking, shopping and government is in jeopardy.

“With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “We couldn’t run the world’s digital economy without the system of trust they create. [Organizations] need a wake-up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals.”

Conducted in the United Kingdom, Australia, France, Germany, and the United States, the report highlights that over the next two years, the potential financial risk facing UK enterprises from attacks on keys and certificates is expected to reach at least £33 million.

As for security professionals specifically, they said that they fear a “Cryptoapocalypse” event the most. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity and time to remediate.

“Whether they realize it or not, every business and government relies upon cryptographic keys and digital certificates to operate,” said Kevin Bocek, vice president of security strategy and threat intelligence at report sponsor Venafi. “Without the trust established by keys and certificates, we’d be back to the Internet ‘stone age’—not knowing if a website, device or mobile application can be trusted.”

Bee behaviour mapped by tiny trackers

A tiny new tracker designed to monitor bee behaviour is being tested by ecologists at Kew Gardens in London.

It is made from off-the-shelf technology and is based on equipment used to track pallets in warehouses, said its creator Dr Mark O’Neill.

Readers, used to pick up a signal from the kit, are connected to Raspberry Pi computers, which log the readings.

The device has a reach of up to 2.5m (8.2ft). Previously used models were restricted to 1cm (0.4in).

The tracker consists of a standard RFID (radio frequency identification) chip and a specially designed aerial, which Dr O’Neill has created to be thinner and lighter than other models used to track small insects, allowing him to boost the range.

The engineer, who is technical director at the Newcastle-based tech firm Tumbling Dice, is currently trying to patent the invention.

“The first stage was to make very raw pre-production tags using components I could easily buy”, he said, “I want to make optimised aerial components which would be a lot smaller. I’ve made about 50 so far. I’ve soldered them all on my desk – it feels like surgery.”

The average “forage time” for a worker bee is around 20 minutes, suggesting they have a forage range of around 1km (0.6 miles) , Dr O’Neill explained.

The idea is to have readers dotted around a hive and flower patch in order to track the signals as the bees move around freely in the wild.

Chilled bees

The tiny trackers, which are just 8mm (0.3in) high and 4.8mm (1.9in) wide, are stuck to the bees with superglue in a process which takes five to 10 minutes. The bees are chilled first to make them more docile.

“They make a hell of a noise,” acknowledged Dr O’Neill.

He told the BBC he hoped that the trackers – which weigh less than a bee and are attached at their centre of gravity so as not to affect their flight – would remain attached for their three-month expected lifespan.

They have only been fitted to worker bees, which do not mate.

“If an animal ate one, I guess it would have a tracker in its stomach,” Dr O’Neill said.

“But the attrition rate for field worker bees is very low. Most die of old age – they are very competent, and good at getting out of the way.”

Dr Sarah Barlow, a restoration ecologist from Kew Gardens, was involved in testing the as-yet unnamed trackers.

“These tags are a big step forward in radio technology and no one has a decent medium to long range tag yet that is suitable for flying on small insects,” she said.

“This new technology will open up possibilities for scientists to track bees in the landscape.

“This piece of the puzzle, of bee behaviour, is absolutely vital if we are to understand better why our bees are struggling and how we can reverse their decline.”

Encryption not the way to tackle DStv: DOC

Government should make better use of regulatory tools and legislation to foster a more competitive environment in South Africa’s pay-television industry rather than requiring that conditional access technology be included in state-subsidised set-top boxes.

That’s the view of Solly Mokoetle, the head of the digital migration project at the department of communications (DOC).

“The issue of control access is that of pay-TV operators,” says Mokoetle.

Government’s role in the digital migration process, he says, is to ensure that it happens as fast as possible so that the “digital dividend” spectrum can be released to telecommunications operators for the roll-out of broadband.

South Africa’s digital migration project has ground to a halt as broadcasters MultiChoice and the SABC on one side and e.tv on the other battle each other over whether the set-top boxes government intends subsidising for 5m poorer households contain an access control system based on encryption.

E.tv and many black-owned prospective set-top manufacturers are in favour of encryption. The broadcaster says it’s needed to ensure that free-to-air players can get access to the latest content to compete more effectively with MultiChoice’s dominant DStv platform; MultiChoice argues it’s the wrong choice for South Africa and would amount to unfair competition as it would allow pay-TV players an easier entry into the market.

Earlier this month, government abandoned its commitment to access control, saying broadcasters could use encryption but that it would not be a standard feature of the subsidised boxes.

Mokoetle tells TechCentral that the main priorities for digital migration are ensuring that concerns with interference on South Africa’s border areas are dealt with; expediting the manufacture of set-top boxes; ensuring that the Post Office is able to deliver boxes timeously; making certain that installers are trained to install antennae and boxes; and making sure that those who have the capacity to manufacture set-top boxes are appointed.

Mokoetle says the policy agreed to by cabinet in December 2013 — under former communications minister Yunus Carrim — was not the final policy.

That policy was put out for comment for 30 days and the comments received were meant to be taken into consideration in drawing up a policy to be sent to cabinet for approval, says Mokoetle.

The amended policy was gazetted last Wednesday by new communications minister Faith Muthambi and is final, says Mokoetle.

He says government has erred by focusing on the issue of set-top boxes for so long. “We are going to miss the 17 June deadline.”

In terms of that deadline, South Africa agreed with the International Telecommunication Union (ITU) that it would terminate analogue TV broadcasts by that date. After 17 June, the ITU will no longer protect South Africa from radio frequency spectrum interference from neighbouring countries.

“We are trying to understand the implications of the ITU directives. Practically, we have established that the spectrum plan on analogue will no longer be protected — it will be wiped out. If you have any services running on that frequency you may interfere with your neighbours’ signal or vice versa,” Mokoetle says.

“South Africa cannot do anything about this but they [our neighbours] will have recourse with the ITU. However, the truth of the matter is that many of those countries themselves are not ready to move on digital migration. The problem is not from government, but will come from mobile operators wanting to launch LTE broadband services. We have established that one of the mobile operators in Lesotho will affect our transmitter network.”

Mokoetle was appointed as chief operating officer of the SABC in 2001 and has been involved in the digital migration process since 2004.

He was initially behind the SABC’s support of an encryption system (to collect licence fees), but this was later slapped down.

Mokoetle was appointed chief content operator of Telkom Media in 2007 and CEO of SABC in 2010. Since then, he has worked within the digital migration environment across Africa, having been involved in projects in Ghana, Uganda and Lesotho.

Encryption today: how safe is it really?

When checking your email over a secure connection, or making a purchase from an online retailer, have you ever wondered how your private information or credit card data is kept secure?

Our information is kept away from prying eyes thanks to cryptographic algorithms, which scramble the message so no-one else can read it but its intended recipient. But what are these algorithms, how did they come to be widely used, and how secure really are they?

Coded messages

The first cryptographic methods actually go back thousands of years to the time of ancient Greece. Indeed, the word “cryptography” is a combination of the Greek words for “secret” and “writing”.

For example, the Spartans famously used a system where they wrapped a piece of papyrus around a staff of a certain girth, and wrote their message down the length of the staff. When the papyrus was unravelled, the message was jumbled until it reached its destination and was wrapped around another staff of the correct circumference.

Early encryption algorithms like these had to be applied manually by the sender and receiver. They typically consisted of simple letter rearrangement, such a transposition or substitution.

The most famous one is the “Caesar cipher”, which was used by the military commanders of the Roman emperor Julius Ceaser. Each letter in the message was replaced in the encrypted text – the ciphertext – by another letter, which was shifted several places forward in the alphabet.

But over time such simple methods have proved to be insecure, since eavesdroppers – called cryptanalysts – could exploit simple statistical features of the ciphertext to easily recover the plaintext and even the decryption key, allowing them to easily decypher any future messages using that system.

Modern computing technology has made it practical to use far more complex encryption algorithms that are harder to “break” by cryptanalysts. In parallel, cryptanalysts have adopted and developed this technology to improve their ability to break cryptosystems.

This is illustrated by the story of the Enigma cryptosystem used by the German military during the Second World War, as dramatised most recently in the movie The Imitation Game.

Enigma’s relatively complex encryption algorithm was implemented using electromechanical computing technology to make it practical for German military communications. An extension of the same technology was used by the “bombe” machines of the British cryptanalysts to make it practical to break the cipher.

Current cryptosystems

The cryptosystems in wide use today have their origins in the 1970s, as modern electronic computers started to come into use. The Data Encryption Standard (DES), was designed and standardised by the American government in the mid 1970s for industry and government use. It was intended for implementation on digital computers, and used a relatively long sequence transposition and substitution operations on binary strings.

But DES suffered a major problem: it had a relatively short secret key length (56 bits). From the 1970s to the 1990s, the speed of computers increased by orders of magnitudes making “brute force” cryptanalysis –- which is a simple search for all possible keys until the correct decryption key is found –- increasingly practical as a threat to this system.

Its successor, the Advanced Encryption Standard (AES), uses minimum 128-bit keys by contrast, and is currently the most popular cryptosystem used to protect internet communications today.

Key problem

The AES also has limitations. Like all earlier cryptosystems, it is known as a symmetric-key cryptosystem, where the secret key is known to both the sender who encrypts the message (lets call her Alice), and the receiver who decrypts the message (lets call him Bob).

The secret key, being secret, cannot simply be exchanged over a public communication channel like the internet. If that was intercepted, that would compromise all future encrypted messages. And if you want to encrypt the key, well that produces another problem of how to secure that encryption method.

So, Alice and Bob must first use a private communication channel, such as a private meeting in-person, to exchange the secret key before they can use the cryptosystem to communicate privately. This is a significant practical hurdle for internet communications, where Alice and Bob often have no such private communication means.

To overcome this hurdle – known as the key distribution problem – an ingenious different type of cryptosystem, called an asymmetric-key, or public-key, cryptosystem was devised in the 1970s.

In a public-key cryptosystem, the receiver Bob generates two keys: one is a secret key that Bob keeps to himself for decryption; while the second is a public encryption key that Bob sends to Alice over a public channel. Alice can use the public encryption key to encrypt her messages to Bob. But only Bob can decrypt it with his private key. It thus provides a solution to the key distribution problem of symmetric-key cryptosystems.

In practical applications, due to the higher computational demands of public-key systems compared to symmetric-key systems, both types of cryptosystems are used. A public-key cryptosystem is used only to distribute a key for a symmetric key system like AES, and then the symmetric key system is used to encrypt all susbequent messages.

Consequently, the resulting privacy depends on the security of both symmetric and public key cryptosysems in use. The most commonly used public-key cryptosystems in use today were devised in the 1970s by researchers from Stanford and MIT. They are known as the RSA cryptosystem (from the initials of the designers, Ron Rivest, Adi Shamir, and Len Adleman) and the Diffie-Hellman system, and make use of techniques from an area of mathematics known as number theory.

New bugs uncovered in encryption software

New bugs in the widely used encryption software known as OpenSSL were disclosed on Thursday, though experts say do not pose a serious threat like the “Heartbleed” vulnerability in the same technology that surfaced a year ago.

“Heartbleed” triggered panic throughout the computer industry when it was reported in April 2014. That bug forced dozens of computers, software and networking equipment makers to issue patches for hundreds of products, and their customers had to scour data centers to identify vulnerable equipment.

Cybersecurity watchers had feared the new round of bugs would be as serious as “Heartbleed,” according to experts who help companies identify vulnerabilities in their networks. The concerns surfaced after the OpenSSL Project, which distributes OpenSSL software, warned several days ago that it planned to release a batch of security patches.

“You need to take all vulnerabilities seriously, but I’m kind of disappointed. There’s been a week building up to this,” said Cris Thomas, a strategist with cybersecurity firm Tenable Network Security Inc.

The OpenSSL project released updates for four versions of the software, covering 12 security fixes for vulnerabilities reported to them in recent months by several cybersecurity researchers. The threats include one that makes affected systems vulnerable to so-called denial-of-service attacks that disrupt Web traffic, though none threaten the “crypto” technology used to encrypt data, Ristic said.

Ivan Ristic, director of application security with Qualys Inc, said he was not too concerned about the new bugs because most involved programming errors in a new version of OpenSSL, which is not widely used.

“It doesn’t seem a big story,” Ristic said. “I think people feared it would be bad, which is where all the hype came from.”

Yahoo Rolls Out End-To-End Encryption For Email

Back in 2012 (pre-Snowden!), we wrote about why Google should encrypt everyone’s emails using end-to-end encryption (inspired by a post by Julian Sanchez saying the same thing. Since then, securing private communications has become increasingly important. That’s why we were happy to see Google announce that it was, in fact, working on a project to enable end-to-end encryption on Gmail, though it was still in the early stages. In December of last year, Google moved that project to Github, showing that it was advancing nicely. As we noted at the time, one interesting sidenote on this was that Yahoo’s Chief Security Officer, Alex Stamos, was contributing to the project as well.

Thus it’s not surprising, but still great to see, that Stamos has now announced the availability of an end-to-end encryption extension for Yahoo Mail (also posted to Yahoo’s Github repository). It appears to function similarly to existing third-party extensions (like Mailvelope), but it’s still good to see the big webmail providers like Yahoo and Google taking this issue more seriously. It’s still not ready for prime time, and it’s unlikely that either provider is going to make this a default option any time soon, but offering more, better (and more user friendly) options to give everyone at least the option of doing end-to-end encryption is a very good sign.

It also raises a separate issue that I think is important: many have argued that companies like Yahoo and especially Google would never actually push for end-to-end encryption of emails, because it takes away the ability of those companies to do contextual advertising within those emails. But that’s an exceptionally short-sighted view. If Google, Yahoo and others don’t do enough to protect their users’ privacy, those users will go elsewhere, and then it won’t matter whether or not the emails are encrypted, because they won’t see them anyway. Focusing on the user first is always going to be the right solution, and that includes encrypting emails, even if it means slightly less ad revenue in the short term. Hopefully, Google, Yahoo and others remember this simple fact.

Can software-based POS encryption improve PCI compliance?

In the wake of the recent Verizon report that shows that 80 percent are out of PCI DSS compliance between audits, some vendors are urging the PCI Council to consider approving software-based point-to-point encryption, in addition to the current hardware-based standard.

PCI-approved, hardware-based P2PE allows merchants to drastically shrink the systems subject to compliance, reducing both risks and costs, and will make it easier to stay compliant.

Self-destructing hardware is a “security bonus,” but in general, hardware-based P2PE technology is not as useful for merchants, says Shift4 CEO Dave Oder, whose company is one of the largest software-based P2PE providers.

MORE ON CSO: What is wrong with this picture? The NEW clean desk test

“The vast majority of retailers who have P2PE in use today are using a software-based decryption method provided by Shift4 or one of our competitors,” he said.

According to Oder, software-based P2PE, combined with tokenization, is a secure alternative to hardware-based encryption, and should be allowed under the PCI DSS standard.”The trouble is, PCI is refusing to validate certain types of security solutions even though they are more secure and more useful to merchants than what is currently validated,” he said.

Hardware-based encryption creates a potential single point of failure and is not designed to handle the level of transaction volume and uptime required in the payments industry, he said.

“The PCI Council has not released a software-based P2PE standard that would allow for both decryption and key management outside of a hardware security module,” he said. “Much of the industry is waiting for that and the delay is harming merchants.”

According to Shift4 marketing manager Nathan Casper, merchants with no encryption at all have a self-assessment questionnaire with more than 280 requirements. Merchants with hardware-based encryption have one with just 19 questions. Merchants with software-based encryption get the 280-question form — but only answer those same 19 and put “not applicable” to the rest.

“The part that makes this frustrating to these large merchants is that they are almost always required to employ the assistance of a Qualified Security Assessor to oversee their assessment,” he said. That’s tens of thousands of dollars, or more, spent on someone checking the same “N/A” box 261 times.

Another vendor promoting a software-based encryption alternative is Irvine, Calif.-based Secure Channels, Inc., which offers both hardware and software-based solutions.

“There are software based solutions where the decryption key is hidden in the packet,” said Secure Channels CEO Richard Blech. “There are means contained in the software to have a secure key exchange that completely bypasses the need for a hardware security module. Merchants are being harmed without this solution.”

However, according to Sam Pfanstiel, director of solutions at Atlanta-based Bluefin Payment Systems LLC, there is an excellent reason to stick with the hardware-based requirement.

“Through software-based encryption, you’re performing encryption in memory, and that memory is highly susceptible to memory scraping,” he said. “That is a vector of attack that has been used in almost every cardholder data breach of the last 18 months.”

Hardware-based encryption, by comparison, puts the encryption mechanism — the plain text data — inside a hardware security module that self-destructs if tampered with.

“Bluefin stands firmly on the belief that only hardware-based encryption provides adequate controls to address the attack vectors prevalent in the industry today,” he said.

Bluefin used to be on the other side, he added.

“When the PCI standard was first released, we had a software-based solution in place, and had to look at what PCI was recommending,” he said. “We decided that the new standard represented better cardholder protection.”

Two and a half years and several million dollars of investment later, Bluefin has replaced its software-based encryption with hardware.

“Ease of deployment is only a concern for encryption providers who fail to comply with the new standards and continue to use older technology to perform their encryption and decryption,” said Pfanstiel.

Today, there are currently over 160 validated devices that support hardware-based encryption, he said. “And the list grows every day.”

Tired of forgetting your password? Yahoo says you don’t need one any more

Tired of forgetting your password? Yahoo says you don't need one any more

Passwords: easily forgotten, but also easily guessed. It’s a bitter irony that minutes can be spent racking brains trying to remember whether a required security question answer is a pet’s name, first school or place of birth – meanwhile a cyber-criminal is merrily typing in a person’s favourite colour and relieving bank accounts of hard-earned wages.

Well, now Yahoo might have made the process easier – at least when it comes to accessing email.

The Californian tech giant is rolling out “on-demand” email passwords, based around phone notifications, and eliminating entirely the need to memorise a fixed password.

Yahoo Mail now offers a service similar to “two-step verification”, a security measure employed by other email providers, but the difference is the removal of the first step.

The password system is opt-in and can be accessed from Yahoo Mail’s landing page. Photograph: Yahoo screengrab

Two step verification works by a user logging in with their usual fixed password, after which the email provider sends a unique code to their mobile phone, which is then entered on the login screen, allowing the user to access their email account.

Yahoo’s new security process will remove the need for users to enter a fixed password first, and instead just send a four-letter password to a user’s phone via text.

Unveiling the service at the South by Southwest festival in Austin, Texas, Yahoo’s vice president of product management for consumer platforms Dylan Casey said: “This is the first step to eliminating passwords. I don’t think we as an industry has done a good enough job of putting ourselves in the shoes of the people using our products.”

A blog post written by the company’s director of product manager, Chris Stoner, explains the steps:

1. Sign in to your Yahoo.com account.

2. Click on your name at the top right corner to go to your account information page.

3. Select “Security” in the left bar.

4. Click on the slider for “On-demand passwords” to opt-in.

5. Enter your phone number and Yahoo will send you a verification code.

6. Enter the code and voila!

The “on-demand” password service is opt-in and currently only available in the US.

Also announced at the festival was Yahoo’s forthcoming project on end-to-end encryption. Based on Google’s alpha Chrome PGP encryption plugin, Yahoo hopes to make the service available in autumn 2015.