Archive for March 21, 2013

Thursday, March 21, 2013

Two-Step Verification for Apple ID

Apple HT5570:

Your Apple ID is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices. Two-step verification is a feature you can use to keep your Apple ID as secure as possible.

This is much better than asking for a device serial number and should help against Mat Honan–type social engineering.

If you no longer have access to one of your devices, go to My Apple ID to remove that device from your list of trusted devices as soon as possible so that it can no longer be used to help verify your identity.

Of note, it does not appear that two-step verification is needed to remote wipe or to access FileVault-encrypted files on a locked but powered-on Mac. It seems more likely that someone would get my Apple ID password than that I would need to remote wipe or would forget my Mac’s password, so I don’t have Find My iPhone or login password recovery enabled. I wish there were a way to enable Find My iPhone without enabling remote wipe.

Update (2013-03-21): Rui Carmo:

I am clearly in the minority that thinks of two-factor auth in and by itself as security voodoo to appease the unwashed masses — especially if you don’t follow it up with privilege separation — and I’m going to stick to my guns on this one.

I’d also like to note that if you have a non-phone, you don’t have SMS, and so in order to use two-factor authentication you must enable Find My iPhone and its remote wipe feature.

Update (2013-03-22): Chris Welch (via Jordan Merrick):

Unfortunately, today a new exploit has been discovered that affects all customers who haven’t yet enabled the new feature. It allows anyone with your email address and date of birth to reset your password — using Apple’s own tools.

Update (2013-05-31): Dan Goodin quotes Vladimir Katalov:

“To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn’t really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account,” Per Thorsheim, a security consultant in Oslo, Norway, wrote in an e-mail to Ars. “People are not made aware of this at all, and it will be a false layer of security when people enable 2FA and put sensitive and secret documents into iCloud.”

Glenn Fleishman:

Apple has suffered enough security stumbles in the last few years that it shouldn’t lag in this regard. It has been behind the curve many times in ways that damage customers’ identities, online integrity, and safety. Apple needs to use its engineering prowess to solve this problem and solve it quickly. Google already has for its users.

“Send to Kindle” Button

Amazon:

Have you ever encountered news, blogs, articles and other content on the web that you want to read but don’t have time to do so immediately? The Send to Kindle Button lets you easily send that content to your Kindle to read later, at your convenience. Just send once and read everywhere on any of your Kindle devices or free Kindle reading apps for iPhone, iPad and Android phones or tablets. No more hunting around for that website or blog that caught your eye—just open your Kindle and all the content you sent is right there.

Good idea, but it’s plug-in based and doesn’t work in Safari. Why couldn’t they just use a bookmarklet like Instapaper?

The Return of NetNewsWire

Daniel Pasco:

As far as sync is concerned, we knew we would likely need an alternative to Google Reader as early as last year. At the time, the option that seemed to make the most sense was to embrace iCloud and Core Data as the new sync solution of choice. We spent a considerable amount of time on this effort, but iCloud and Core Data syncing had issues that we simply could not resolve.

It’s good to hear that they’re trying a new strategy that’s more under their control. And it’s unfortunate that iCloud has held back updates, even though not all NetNewsWire users need syncing.

Update (2013-03-30): Brent Simmons:

If you’re writing an RSS reader, you can’t ask iCloud to download feeds.

iCloud can’t poll Twitter to see if your follower count has gone up or down. iCloud can’t generate weather forecasts. iCloud can’t track ships.

There are all kinds of services that make sense on the server side. You could do some of them on a client, but at the expense of timeliness and battery life. If it’s a good idea, and you don’t do it on a server, your competition just has to write a server that does it, and your app is finished.

JSErrorStackTrace

Javier Soto’s JSErrorStackTrace is a “category on NSError that stores the stack trace of the creation of the NSError object for later retrieval” (via Romain Briche). It’s very useful to have this attached to an error object. He swizzles the initializer and gets the stack trace using -[NSThread callStackSymbols]. That method wasn’t available when I wrote my code, which adds stack frames to the error’s user info as it’s propagated.
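The swizzling approach described above, as an added sketch (not JSErrorStackTrace’s own code): a category on NSError that exchanges the designated initializer for one that captures -[NSThread callStackSymbols] into a copy of the userInfo dictionary. The key name, the xyz_ prefix, and the assumption that +errorWithDomain:code:userInfo: routes through -initWithDomain:code:userInfo: are mine.

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Hypothetical userInfo key for the captured trace (assumption, not the library's key).
NSString * const XYZErrorStackTraceKey = @"XYZErrorStackTraceKey";

@interface NSError (XYZStackTrace)
// Returns the call stack recorded when this error was created, or nil.
- (NSArray<NSString *> *)xyz_stackTrace;
@end

@implementation NSError (XYZStackTrace)

+ (void)load {
    // Exchange the designated initializer once, when the category is loaded.
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        Method original = class_getInstanceMethod(self, @selector(initWithDomain:code:userInfo:));
        Method swizzled = class_getInstanceMethod(self, @selector(xyz_initWithDomain:code:userInfo:));
        method_exchangeImplementations(original, swizzled);
    });
}

- (instancetype)xyz_initWithDomain:(NSString *)domain
                              code:(NSInteger)code
                          userInfo:(NSDictionary *)dict {
    // userInfo is immutable once the error exists, so the trace must go in before init.
    NSMutableDictionary *info = dict ? [dict mutableCopy] : [NSMutableDictionary dictionary];
    if (info[XYZErrorStackTraceKey] == nil) {
        // callStackSymbols symbolicates every frame and is not cheap; keep this to
        // debug builds or errors you actually log. Treat the trace as internal data
        // and never surface it in user-facing messages.
        info[XYZErrorStackTraceKey] = [NSThread callStackSymbols];
    }
    // After the exchange, this selector resolves to the original implementation.
    return [self xyz_initWithDomain:domain code:code userInfo:info];
}

- (NSArray<NSString *> *)xyz_stackTrace {
    return self.userInfo[XYZErrorStackTraceKey];
}

@end

// Constructed usage: any NSError created after load carries its creation trace.
static void XYZLogCreationSite(void) {
    NSError *error = [NSError errorWithDomain:@"com.example.demo" code:42 userInfo:nil];
    NSLog(@"created at: %@", [error xyz_stackTrace].firstObject);
}
```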