Thursday, March 21, 2013

Two-Step Verification for Apple ID

Apple HT5570:

Your Apple ID is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices. Two-step verification is a feature you can use to keep your Apple ID as secure as possible.

This is much better than asking for a device serial number and should help against Mat Honan–type social engineering.

If you no longer have access to one of your devices, go to My Apple ID to remove that device from your list of trusted devices as soon as possible so that it can no longer be used to help verify your identity.

Of note, it does not appear that two-step verification is needed to remote wipe or to access FileVault-encrypted files on a locked but powered-on Mac. It seems more likely that someone would get my Apple ID password than that I would need to remote wipe or would forget my Mac’s password, so I don’t have Find My iPhone or login password recovery enabled. I wish there were a way to enable Find My iPhone without enabling remote wipe.

Update (2013-03-21): Rui Carmo:

I am clearly in the minority that thinks of two-factor auth in and by itself as security voodoo to appease the unwashed masses — especially if you don’t follow it up with privilege separation — and I’m going to stick to my guns on this one.

I’d also like to note that if you have a non-phone, you don’t have SMS, and so in order to use two-factor authentication you must enable Find My iPhone and its remote wipe feature.

Update (2013-03-22): Chris Welch (via Jordan Merrick):

Unfortunately, today a new exploit has been discovered that affects all customers who haven’t yet enabled the new feature. It allows anyone with your email address and date of birth to reset your password — using Apple’s own tools.

Update (2013-05-31): Dan Goodin quotes Vladimir Katalov:

“To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn’t really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account,” Per Thorsheim, a security consultant in Oslo, Norway, wrote in an e-mail to Ars. “People are not made aware of this at all, and it will be a false layer of security when people enable 2FA and put sensitive and secret documents into iCloud.”

Glenn Fleishman:

Apple has suffered enough security stumbles in the last few years that it shouldn’t lag in this regard. It has been behind the curve many times in ways that damage customers’ identities, online integrity, and safety. Apple needs to use its engineering prowess to solve this problem and solve it quickly. Google already has for its users.
