Apple introduces two-factor verification for Apple IDs

Filed Under: Apple, Data loss, Denial of Service, Featured, iOS

Apple has finally bitten the bullet and started offering two-factor authentication (2FA) for Apple ID users.

Good news!

If you have an Apple ID, you'll know that a lot is at stake if you lose control of your account.

That's because Apple IDs aren't just simple website logins, but make up the authenticational core of your entire digital relationship with Apple:

An Apple ID is the login you use for just about everything you do with Apple, including using iCloud to store your content, downloading apps from the App Store, and buying songs, movies, and TV shows from the iTunes Store.

The risk you're exposed to if a malcontent gets hold of the password for your Apple ID became globally obvious last year.

A neo-celebrity post-modern journalist named Mat Honan famously had his digital life owned and then laid waste by an internet ne'er-do-well who tricked Apple support staff into resetting Honan's Apple password.

As we reported about seven months ago, the person who attacked Honan's account wasn't happy just with breaching security at Apple.

The cracker also took the trouble of performing a remote wipe of Honan's iDevices, instantly turning the data on his iPhone, iPad and Macbook Air into digital shredded cabbage.

The crook was also able to take over Honan's Gmail account, his Twitter account and (through account linking) the Twitter account of Gizmodo, with whom Honan had a trusted journalistic relationship.

Protecting all of those assets with a single password that could be guessed, keylogged, stolen or simply changed by means of a social engineering phone call just wasn't enough.

A few months before Honan's digital wipeout, Apple introduced an additional layer of security for Apple IDs by pushing its users into adding a raft of answers to additional "security questions".

The theory behind this approach is that crooks will need to beg, steal or borrow more than just your password in order to masquerade as you, thus providing you with modest insurance against a poorly-chosen or stolen password.

→ I'm not a big fan of auxiliary security questions, sometimes called knowledge-based authentication, because I don't accept that you can make a guessable password strong by augmenting it with yet more guessable answers to questions you've chosen on your users' behalf. Worse still, users can't change the answers to absolute security questions like "what was your first car", which also naively presumes that everyone in the world has not only owned a car but also managed to keep its make a secret from everyone else, even their friends.

Now, Apple has gone an extra mile, making 2FA available, at least to some of its users. (At the moment, you have to be in the US, the UK, Australia, Ireland, or New Zealand.)

Actually, Apple doesn't call it 2FA, preferring instead the term two-step verification.

It works by sending an SMS to one of a number of mobile devices you have registered with Apple; the message contains a one-time passcode that you need in addition to your regular password:

By avoiding the name 2FA, Apple is actually making a slightly weaker, but more honest, security assertion.

That's because there is nothing to stop you getting Apple to send your SMS verification codes to the same device on which you actually use your Apple ID.

Indeed, I suspect that many users will use two-step verification this way, and it isn't really two factor authentication if the same factor - your iPhone, for instance - is used for both steps of the process.

That's because someone who controls your iPhone to the point that they can acquire your password can, probably with not much more complexity, acquire in real time the contents of SMSes sent to your iPhone.

Nevertheless, Apple's new security feature does the right thing: it introduces single-use, random passwords to the Apple ID login process.

Another neat thing Apple has done, even though it sounds at first blush like a user-unfriendly move, is to cut its own support staff entirely out of the password reset loop for anyone who enables two-step verification:

In addition, with two-step verification turned on, only you can reset your password, manage your trusted devices, or create a new recovery key.

Apple Support can help you with other aspects of your service, but they will not be able to update or recover these three things on your behalf.<

Yes, that puts all of the password recovery burden on your shoulders.

But it also provides a strong assurance against getting Honanised, because "can't" is a much stronger security situation that "shouldn't".

If Apple's staff cannot recover or reset your password, then even the Mitnickest social engineer in the world won't be able to talk them round.

So take Apple's advice, write down the 14-character emergency recovery key created when you enable two-step verification, and lock it away somewhere at home.

PS. Don't succumb to temptation. Take Apple's own advice that you "should not store your Recovery Key on your device or computer since that could give an unauthorized user instant access to it."

, , , , , ,

You might like

13 Responses to Apple introduces two-factor verification for Apple IDs

  1. John · 888 days ago

    What some people call "security questions" I tend to call "Facebook questions"...

    • Laurence Marks · 885 days ago

      Remember how Sarah Palin's Yahoo account was hacked? Security question: "Where did you go to high school?" Ask your self this: "In what small Alaskan town did Sarah Palin spend her entire youth?" and then see if you can guess the answer to the first question.

    • Wolf_Star · 885 days ago

      True, but then people who are stupid enough post their entire lives and every little bit of personal data on Facebook probably aren't very worried about security in the first place. That's like smearing yourself with honey and lying down on a Fire Ant nest and expecting the ants to ignore you.

  2. Despite being in the UK (one of the countries said to be supported by Apple's new two step verification) it's not giving me the option to enable it. :-(

    Have any other Naked Security readers been able to enable this yet?

    • Taz Wake · 888 days ago

      I havent been able to yet - no option is showing up. Maybe it is rolling out....

  3. Hawke · 888 days ago

    "That's because there is nothing to stop you getting Apple to send your SMS verification codes to the same device on which you actually use your Apple ID." is just a silly assertion.

    2FA does not consider the number of devices that you use, it has to do with the separate and distinct methods of authentication.

    Just because I'm typing a password into the same phone that recieved the SMS with the authentication code does not invalidate the password as something that I know or the phone from being something that I have.

    The reason that it's not /good/ 2FA is that a phone itself is not a secure device and they have a long history of being cloned, spoofed, and sniffed; SMS is not a secure protocol, and phones run other software provided by the carrier.

    • Paul Ducklin · 887 days ago

      It's not such a "silly assertion" that it didn't take you three paragraphs to explain how your interpretation of what constitutes a "second factor" :-)

      I consider two passwords entered on the same device to be "two factor authentication" as much as I consider a try and a conversion in rugby (or a touchdown and the extra point in American football) to be "scoring twice".

      I think the fact that you affirm that is "not good 2FA" is commensurate with me suggesting that it "doesn't really count" as 2FA.

      In short, we agree, and for the same reason...

  4. Cranston · 888 days ago

    I love the quote in the "sidebar" that states "Worse still, users can't change the answers to absolute security questions like "what was your first car", which also naively presumes that everyone in the world has not only owned a car but also managed to keep its make a secret from everyone else, even their friends."

    The problem is that over the years users have been given the impression that they have to answer such foolish "knowledge questions" honestly -- and I blame teh security community for this, as they rarely if ever properly explained the concept of this process correctly. Users should be told outright that the answers to any of these types of questions do not have to be truthful or real, that no one is going to check that they are, and that all that really has to happen is that when you are asked the question you can provide an answer that matches what is on file. For example for the ridiculous car question, you can answer "12345 ACB", "spot" or whatever -- it does NOT have to be the name of an actual car! As long as the person can match the answer expected, that's all that matters.

    • Phil · 885 days ago

      That's a fine idea - but it does lead to a couple of problems.

      Firstly you no longer have to remember your first car, but what you told this particular company was your first car when you answered the questions 5 years ago. (Been there, done that.)

      It's also not unknown (been here before, too) that you answer the pathetically insecure "mother's maiden name" with a false one when talking with First Co; and when you give another to Second Ltd you find they're both part of First&Second Inc and compare the answers. Not much hassle if it's just for account access - but embarrassing when you have to try to convince the bank you're trying to be secure, not attempting money laundering.

  5. Wolf_Star · 885 days ago

    It would be nice if there was a way to use a YubiKey with Apple products.

  6. Nigel · 885 days ago

    Good point about those prepackaged (so-called) security questions. In my case, there are many people who know (or can easily find out) my mother's maiden name, or the name of my high school, or even my first car. The idea behind answering those questions truthfully is that I don't have to keep track of a bunch of made-up answers that I'd otherwise forget...but of course the truthful answers, being discoverable, are far less secure.

    There are numerous companies that provide the option of writing my own security questions, and those are considerably more secure. For example... Q: "What was the name of your first pweebxgt?" A: "Romeyosh SchmyegnerDoont" (...not the real answer, or the real question, for that matter). I suspect it'll be a cold day in hell before someone guesses an answer like that.

  7. suwise3 · 885 days ago

    Ever since I've been with them, Bank Financial uses a password AND icon photo AND name with it. Very easy to use and impossible to guess, as you pick from among thousands of photos and YOU supply the text.

    Setting your own security questions is the best. Example: "Who was the first cat to walk on Mars?" or "Where do I hide the keys to my Maserati?" or even "On which arm did I have my hip replacement surgery?" Ridiculous questions you make yourself make it very easy to remember your unique answer.

  8. Ferret · 884 days ago

    I'd have thought that most Apple users will be too young to have owned a first car :-)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog