Apple Introduces Two-Factor Verification for Apple IDs
Apple has finally bitten the
bullet and started offering two-factor authentication (2FA) for Apple ID users.
Good news!
If you have an Apple ID, you'll know that a lot is at stake if
you lose control of your account.
That's because Apple IDs aren't just simple website logins, but
make up the authentication core of your entire digital relationship with
Apple:
The risk you're exposed to if a
malcontent gets hold of the password for your Apple ID became globally obvious
last year.
A neo-celebrity post-modern journalist
named Mat Honan famously had his digital life owned and then laid waste by
an internet ne'er-do-well who tricked Apple support staff into resetting
Honan's Apple password.
As we reported about seven months ago, the
person who attacked Honan's account wasn't happy just with breaching security at Apple.
The cracker also took the trouble of performing a remote wipe of
Honan's iDevices, instantly turning the data on his iPhone, iPad and MacBook
Air into digital shredded cabbage.
The crook was also able to take over Honan's Gmail account, his
Twitter account and (through account linking) the Twitter account of Gizmodo,
with whom Honan had a trusted journalistic relationship.
Protecting all of those assets with a single password that could
be guessed, keylogged, stolen or simply changed by means of a social
engineering phone call just wasn't enough.
A few months before Honan's digital wipeout,
Apple introduced an additional layer of security for Apple IDs by pushing its users
into adding a raft of answers to additional "security questions".
The theory behind this approach is that crooks will need to beg,
steal or borrow more than just your password in order to masquerade as you,
thus providing you with modest insurance against a poorly-chosen or stolen
password.
Now, Apple has gone an extra mile, making 2FA available, at least
to some of its users. (At the moment, you have to be in the US, the UK,
Australia, Ireland, or New Zealand.)
Actually, Apple doesn't call it 2FA,
preferring instead the term two-step verification.
It works by sending an SMS to one of a number of mobile devices
you have registered with Apple; the message contains a one-time passcode that
you need in addition to your regular password:
By avoiding the name 2FA, Apple
is actually making a slightly weaker, but more honest, security assertion.
That's because there is nothing to stop you getting Apple to
send your SMS verification codes to the same device on which you actually use
your Apple ID.
Indeed, I suspect that many users will use
two-step verification this way, and it isn't really two-factor authentication if the same factor -
your iPhone, for instance - is used for both steps of the process.
That's because someone who controls your iPhone to the point
that they can acquire your password can, probably with not much more
complexity, acquire in real time the contents of SMSes sent to your iPhone.
Nevertheless, Apple's new security feature does the right thing:
it introduces single-use, random passwords to the Apple ID login process.
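To make concrete what "single-use, random passcode" ought to mean on the server side, here is an added illustration (my own example code, not Apple's implementation, whose internals the article does not describe). It assumes a hypothetical `OneTimeCodeStore` that issues a code drawn from the OS random number generator, keeps only a salted hash of it, lets it expire after a few minutes, limits guesses, and deletes it the moment it is accepted, so a code that was intercepted and replayed after use is rejected. Delivery by SMS is left out: `issue()` simply returns the code for whatever sends the message. The code length, lifetime and guess limit are constructed values for the example, not Apple's.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this illustration; not Apple's actual values.
CODE_DIGITS = 6          # short enough to type from a phone screen
CODE_TTL_SECONDS = 300   # a code is worthless five minutes after issue
MAX_ATTEMPTS = 5         # a 6-digit code must not be brute-forceable online


class OneTimeCodeStore:
    """Issues and verifies single-use verification codes for a second login step.

    Only a salted SHA-256 digest of each outstanding code is stored, so a copy
    of the store does not hand an attacker the codes themselves.
    """

    def __init__(self, now=time.time):
        self._now = now           # injectable clock, so expiry can be tested
        self._pending = {}        # user_id -> (salt, digest, expires_at, attempts_left)

    def issue(self, user_id):
        """Create a fresh code for user_id, replacing any outstanding one.

        Returns the plaintext code for delivery (e.g. by SMS). Never log it.
        """
        # secrets.choice draws from the OS CSPRNG; random.randint would be guessable.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = (
            salt,
            self._digest(salt, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify(self, user_id, submitted):
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing outstanding: never issued, consumed, or locked out
        salt, digest, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user_id]
            return False
        # Constant-time comparison of digests avoids leaking how many bytes matched.
        if hmac.compare_digest(self._digest(salt, submitted), digest):
            del self._pending[user_id]  # consume: replaying the same code must fail
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]  # too many wrong guesses: force a fresh code
        else:
            self._pending[user_id] = (salt, digest, expires_at, attempts_left)
        return False

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode("ascii")).digest()


def second_step_login(store, user_id, password_ok, submitted_code):
    """The second step only runs once the first (password) step has passed."""
    if not password_ok:
        return False
    return store.verify(user_id, submitted_code)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("demo-user")        # in practice this goes out by SMS
    print("first use:", second_step_login(store, "demo-user", True, code))
    print("replay:", second_step_login(store, "demo-user", True, code))
```

The design point is that the code itself is never the long-term secret: it is random, short-lived, and consumed on first use, so even an attacker who later reads it off the phone gets nothing, and the guess limit keeps a six-digit space from being enumerated online.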
Another neat thing Apple has done, even though it sounds at
first blush like a user-unfriendly move, is to cut its own support staff
entirely out of the password reset loop for anyone who enables two-step verification: