iOS 9 enhances two factor authentication, introduces 6-digit passcodes

Apple. Image courtesy of Lester Balajadia/Shutterstock

Amid the vast array of changes announced for iOS 9, Apple has included two enhancements for security – the introduction of 6-digit “simple passcodes”, as well as two factor authentication (2FA) that is built into the operating system.

The change from 4-digit passcodes (which can still be used, even though we wouldn’t suggest it) to the lengthier alternative is significant because it greatly increases the number of possible combinations, raising the total from just 10,000 to a far healthier 1 million, a change Apple says will make passcodes “a lot tougher to crack”.

While brute-forcing an iOS device sounds unlikely, it is possible, as we learned back in March with the news of a Black Box designed for doing exactly that.

With the ability to power down an iPhone before it could add to the failed passcode attempt count (you can set your iDevice to erase itself after 10 failed attempts), the device could endlessly guess passcodes until it found the correct one.

As part of the article we wrote at the time, Paul Ducklin explained how a determined cracker could break a 4-digit passcode in less than 5 days, assuming that the device didn’t erase itself along the way. 

With a 6-digit passcode increasing that one hundredfold, the amount of time required would increase to more than a year, which is probably sufficient to dissuade all but the most determined of PIN bashers.

Nevertheless, as part of our 10 tips for securing your smartphone guide, we suggest treating 6 digits as an absolute minimum, and we also recommend that you consider a passphrase (allowing you to use both letter and numbers for greater variety) instead.

→ We explain how to choose and set passcodes (and the equally important lock-screen timeouts) in our recent article Why you shouldn’t worry about privacy and security on your phone.

Besides passcodes, Apple will also be improving two-factor authentication with the release of iOS 9, saying:

A password alone is not always enough to keep your account secure. With two-factor authentication, when you sign in from a new browser or on a new device, you’ll be prompted for a verification code. This code is automatically displayed on your other Apple devices or sent to your phone. Enter the code and you’re quickly signed in — and any unauthorized users are kept out.

The company originally introduced 2FA in March 2013 – but only for some types of accounts – before later adding support for iCloud and subsequently also for iMessage and FaceTime.

Further details are sketchy right now but the company has revealed that two-factor authentication will be integrated within both iOS 9 and OS X 10.11 El Capitan.

Beyond enhanced passcodes and two-factor authentication it looks as though Apple will also be introducing at least one other interesting feature.

An image on the iOS 9 preview page shows a pop-up box warning warning the user that their iPhone Apple ID is being used to sign in from another device – in this case another iPhone – and gives the option to allow or block it. The prompt also advises which account is being accessed as well as providing a map to show where the second login is coming from, too.

Apple screenshot

Such a scheme could be useful for parents who allow their children to share their accounts, allowing them to quickly determine whether the attempted account access is coming from a person and device they trust or a potentially malicious third party.

Interestingly, these changes come at a time when governments and civil rights groups continue to debate the topic of encryption and how it applies to devices such as those manufactured and marketed by Apple.

Politicians such as US President Obama and British Prime Minister David Cameron appear to want to do away with consumer-level encryption, complaining that it makes tracking terrorists and criminals that much harder.

Meanwhile, the tech industry continues to lobby for the rights of its customers, something Apple itself began championing last year when it published a new privacy promise in which it declared it no longer had the ability to bypass the passcode on any of its devices running iOS 8 or later.

Image of Apple logo courtesy of Lester Balajadia /