Sophos Cloud Optix
Has Apple really mandated the use of two-factor authentication (2FA) for beta users of macOS High Sierra iOS 11? And would such a thing matter anyway?
The short answer is no. Apple hasn’t made 2FA mandatory for everyone, but you can see why beta users already using the older two-step verification (2SV) technology could have misunderstood a recent email received from the company:
If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication.
This simply means that people already using 2SV will be upgraded to use 2FA instead while those who have never used 2SV at all will stay as they are.
Doubtless, a lot of users will be unclear as to the benefits up being upgraded from 2SV to new 2FA so let’s flesh them out.
Two-step verification has been available to Apple ID and iCloud accounts since 2013, while two-factor authentication appeared in 2015 for all users running OS X El Capitan or iOS 9 or later. Apple doesn’t say how many of its users run either of these but it’s sure to be a small minority.
Apple’s established 2SV is basically the same authentication security offered by web services such as Google, Twitter, PayPal and Facebook and involves the user registering a phone number and one or more devices in order to receive a one-time code that must be entered along with the Apple service password.
This design is vulnerable to man-in-the-middle attacks and SIM-swap frauds, which is why Apple wants to shunt users on to its two-factor authentication if it can.
In addition to sending users SMS codes in the style of 2SV (for added security, to all registered devices), this can also generate its own offline code using an integrated app. This sounds a lot like Google’s Authenticator app except that it’s more tightly integrated with the OS itself.
One interpretation of this is that Apple is, in effect, turning each Apple device into a hardware token capable of generating offline codes.
That’s probably an exaggeration because a true two-factor authentication token is always a dedicated object (e.g. the YubiKey or RSA SecurID) that can’t be written to. All true tokens do is generate codes to prove they are in the user’s possession while Apple’s technology emulates this design using software.
Google will probably also integrate Authenticator into Android at some point but its ambitions are to develop an authentication system for the whole of the web. Apple, by contrast, is focussed exclusively on its own users, which makes life a bit easier.
What Apple still has to do is to get its users to start thinking about authentication to defend against a range of attacks, including recent ransom attacks on iCloud.
At some point this layer will become mandatory, simply because it makes sense to do things that way. That moment has not arrived but the direction of travel is clear – Apple’s users should prepare themselves by upgrading now.
“Apple users should prepare themselves by upgrading now” to a non-apple product.
/troll (I’m a terrible person…)
Does anyone know if Apple is using their Secure Enclave for 2FA on devices that feature one? 2FA seems more secure than 2SV in the sense that it eliminates Security Questions, uses 6 digits (up from 4), and displays the rough location of the authentication request. It also can’t be disabled for new iCloud accounts.
Future support call.
U:Hello Apple support?, AS: Yes how can I help you. U: I lost my phone and am trying to use the Find my phone app, but I can’t log into my computer because it needs the two factor code sent to my phone. AS: Then how are you calling me? U: Land line. AS: Yeah right… Okay, I sent you a unlock code to your Email, just open it on your phone or computer, have a good day (click)….. U: (screams, and goes out to buy a PC and Android)
{disclaimer for those that don’t get it – this was sarcasm}
What about those of us who don’t need 2FA. How can we stop getting multiple push messages asking us to set it up. There is no option in settings for Never, only Later and then the reminders start again. It’s a tiny nuisance, but a nuisance non-the-less
Two factor authentication is a step up from two step authentication, but not all authentication methods are equally secure. The first factor is normally of the “something you know” variety (ie. username and password), and the second factor is typically a one-time password, but the simplest mechanism of OTP delivery (SMS message) whilst being the simplest is also the weakest (amongst other weaknesses it is vulnerable to sim swap attacks). OTP generated by authentication apps are an improvement, and hardware tokens (although more expensive) are probably the strongest of the means of generating an OTP. Alternatively FIDO keys provide a good defence against man-in-the-middle attacks, but may compromise your companies USB device connectivity policy.