Apple to auto-update devices to two-factor authentication

Has Apple really mandated the use of two-factor authentication (2FA) for beta users of macOS High Sierra and iOS 11? And would such a thing matter anyway?

The short answer is no. Apple hasn’t made 2FA mandatory for everyone, but you can see why beta users already using the older two-step verification (2SV) technology could have misunderstood a recent email received from the company:

If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication.

This simply means that people already using 2SV will be upgraded to use 2FA instead while those who have never used 2SV at all will stay as they are.

Doubtless, a lot of users will be unclear as to the benefits of being upgraded from 2SV to the newer 2FA, so let’s flesh them out.

Two-step verification has been available to Apple ID and iCloud accounts since 2013, while two-factor authentication appeared in 2015 for all users running OS X El Capitan or iOS 9 or later. Apple doesn’t say how many of its users run either of these but it’s sure to be a small minority.

Apple’s established 2SV is basically the same authentication security offered by web services such as Google, Twitter, PayPal and Facebook and involves the user registering a phone number and one or more devices in order to receive a one-time code that must be entered along with the Apple service password.

This design is vulnerable to man-in-the-middle attacks and SIM-swap frauds, which is why Apple wants to shunt users on to its two-factor authentication if it can.

In addition to sending users SMS codes in the style of 2SV (for added security, to all registered devices), Apple’s 2FA can also generate its own offline code using an integrated app. This sounds a lot like Google’s Authenticator app, except that it’s more tightly integrated with the OS itself.

One interpretation of this is that Apple is, in effect, turning each Apple device into a hardware token capable of generating offline codes.

That’s probably an exaggeration because a true two-factor authentication token is always a dedicated object (e.g. the YubiKey or RSA SecurID) that can’t be written to. All true tokens do is generate codes to prove they are in the user’s possession while Apple’s technology emulates this design using software.

Google will probably also integrate Authenticator into Android at some point but its ambitions are to develop an authentication system for the whole of the web. Apple, by contrast, is focussed exclusively on its own users, which makes life a bit easier.

What Apple still has to do is to get its users to start thinking about authentication to defend against a range of attacks, including recent ransom attacks on iCloud.

At some point this layer will become mandatory, simply because it makes sense to do things that way. That moment has not arrived but the direction of travel is clear – Apple’s users should prepare themselves by upgrading now.