Apple introduces two-factor verification for Apple IDs

Apple has finally bitten the bullet and started offering two-factor authentication (2FA) for Apple ID users.

Good news!

If you have an Apple ID, you’ll know that a lot is at stake if you lose control of your account.

That’s because Apple IDs aren’t just simple website logins, but make up the authenticational core of your entire digital relationship with Apple:

An Apple ID is the login you use for just about everything you do with Apple, including using iCloud to store your content, downloading apps from the App Store, and buying songs, movies, and TV shows from the iTunes Store.

The risk you’re exposed to if a malcontent gets hold of the password for your Apple ID became globally obvious last year.

A neo-celebrity post-modern journalist named Mat Honan famously had his digital life owned and then laid waste by an internet ne’er-do-well who tricked Apple support staff into resetting Honan’s Apple password.

As we reported about seven months ago, the person who attacked Honan’s account wasn’t happy just with breaching security at Apple.

The cracker also took the trouble of performing a remote wipe of Honan’s iDevices, instantly turning the data on his iPhone, iPad and MacBook Air into digital shredded cabbage.

The crook was also able to take over Honan’s Gmail account, his Twitter account and (through account linking) the Twitter account of Gizmodo, with whom Honan had a trusted journalistic relationship.

Protecting all of those assets with a single password that could be guessed, keylogged, stolen or simply changed by means of a social engineering phone call just wasn’t enough.

A few months before Honan’s digital wipeout, Apple introduced an additional layer of security for Apple IDs by pushing its users into adding a raft of answers to additional “security questions”.

The theory behind this approach is that crooks will need to beg, steal or borrow more than just your password in order to masquerade as you, thus providing you with modest insurance against a poorly-chosen or stolen password.

→ I’m not a big fan of auxiliary security questions, sometimes called knowledge-based authentication, because I don’t accept that you can make a guessable password strong by augmenting it with yet more guessable answers to questions you’ve chosen on your users’ behalf. Worse still, users can’t change the answers to absolute security questions like “what was your first car”, which also naively presumes that everyone in the world has not only owned a car but also managed to keep its make a secret from everyone else, even their friends.

Now, Apple has gone an extra mile, making 2FA available, at least to some of its users. (At the moment, you have to be in the US, the UK, Australia, Ireland, or New Zealand.)

Actually, Apple doesn’t call it 2FA, preferring instead the term two-step verification.

It works by sending an SMS to one of a number of mobile devices you have registered with Apple; the message contains a one-time passcode that you need in addition to your regular password:

By avoiding the name 2FA, Apple is actually making a slightly weaker, but more honest, security assertion.

That’s because there is nothing to stop you getting Apple to send your SMS verification codes to the same device on which you actually use your Apple ID.

Indeed, I suspect that many users will use two-step verification this way, and it isn’t really two-factor authentication if the same factor – your iPhone, for instance – is used for both steps of the process.

That’s because someone who controls your iPhone to the point that they can acquire your password can, probably with not much more complexity, acquire in real time the contents of SMSes sent to your iPhone.

Nevertheless, Apple’s new security feature does the right thing: it introduces single-use, random passwords to the Apple ID login process.
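What "single-use, random" means on the server side of a second login step, as an added sketch that is not Apple's implementation and not code from the original article. The class name, the 6-digit length, the 5-minute lifetime and the three-guess limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time


class OneTimeCodeStore:
    """Second login step: issue and check single-use random codes (illustrative)."""

    def __init__(self, digits=6, lifetime=300, max_attempts=3, clock=time.monotonic):
        self.digits = digits              # assumed code length
        self.lifetime = lifetime          # assumed validity window, in seconds
        self.max_attempts = max_attempts  # assumed guess limit per issued code
        self.clock = clock
        self._pending = {}                # account -> [code, expiry, attempts_left]

    def issue(self, account):
        """Create a fresh code for delivery (e.g. by SMS); replaces any older one."""
        # secrets uses the OS CSPRNG, so codes are unpredictable, unlike random.
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[account] = [code, self.clock() + self.lifetime, self.max_attempts]
        return code

    def verify(self, account, submitted):
        """Return True once for the right code; wrong, stale or reused codes fail."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, expiry, attempts_left = entry
        if self.clock() > expiry or attempts_left <= 0:
            del self._pending[account]    # expired or exhausted: a new code is needed
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account]    # single use: consumed on first success
            return True
        entry[2] = attempts_left - 1      # count the failed guess
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sent = store.issue("user@example.com")   # constructed sample account
    print(store.verify("user@example.com", sent))  # first use succeeds
    print(store.verify("user@example.com", sent))  # replay of the same code fails
```

A code captured after it has been used, or after it has expired, is worthless to whoever captured it, which is the property a reusable password lacks.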

Another neat thing Apple has done, even though it sounds at first blush like a user-unfriendly move, is to cut its own support staff entirely out of the password reset loop for anyone who enables two-step verification:

In addition, with two-step verification turned on, only you can reset your password, manage your trusted devices, or create a new recovery key.

Apple Support can help you with other aspects of your service, but they will not be able to update or recover these three things on your behalf.

Yes, that puts all of the password recovery burden on your shoulders.

But it also provides a strong assurance against getting Honanised, because “can’t” is a much stronger security situation than “shouldn’t”.

If Apple’s staff cannot recover or reset your password, then even the Mitnickest social engineer in the world won’t be able to talk them round.

So take Apple’s advice, write down the 14-character emergency recovery key created when you enable two-step verification, and lock it away somewhere at home.

PS. Don’t succumb to temptation. Take Apple’s own advice that you “should not store your Recovery Key on your device or computer since that could give an unauthorized user instant access to it.”