Archive for February 14, 2019

Thursday, February 14, 2019

Developer Apple ID’s to Require Two-Factor Authentication

Apple (via e-mail):

In an effort to keep your account more secure, two-factor authentication will be required to sign in to your Apple Developer account and Certificates, Identifiers & Profiles starting February 27, 2019. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account. If you haven’t already enabled two-factor authentication for your Apple ID, please learn more and update your security settings.

Brent Simmons:

I have two accounts — one for personal use, one for development use — and so do lots of developers.

I don’t know how to make this work. None of my devices are ever signed in to my developer account. That account exists purely for building and distributing apps.

It is possible, but Apple has not done a good job of explaining it.

Nick Heer:

To register an iOS device with two-factor authentication, you must sign out of your personal Apple ID at the system level, which means you’re signing out of iCloud. This is a highly disruptive action. On a Mac, it’s much easier, because you can associate different MacOS users with their own Apple ID. So, the best recourse to set up two-factor authentication is probably to create a separate user account on your Mac, set it up with your developer Apple ID, and then follow Apple’s directions.

James Thompson:

So, if my developer Apple ID is going to require 2FA in two weeks, how is that going to work mixed with my personal Apple ID? Am I right that a device like a phone can only be the trusted device for one Apple ID?

Ryan Booker:

It’s a great example of Apple not thinking things through. Custom system that doesn’t work with every other TFA system, no ability to get the prompts from multiple accounts, and no ability to merge accounts.

Dave Wood:

To put into perspective how much of a PITA Apple’s bad 2FA will be, I rec’d 14 of the “Teams and roles have been unified.” emails. I have a lot of developer accounts, tied to specific clients. I also often need to log in as the client because they have no clue how ASC works.

Kyle Seth Gray (tweet):

Here’s how you can add your developer account to your device to get authentication codes.

[…]

Despite the account being labeled as ‘inactive’ on that account screen, you have added your device as a “trusted” device capable of receiving two-factor authentication codes.

[…]

The one problem is enabling it in the first place - the easiest way is to create a temporary user on your Mac and enable it there, but damn if that isn’t a clunky solution.

I have not, as far as I recall, ever made a separate Mac account or used a dedicated device for my developer account, but somehow I was able, long ago, to enable 2FA using SMS. Some people are worried that Apple will stop allowing this and require an actual iOS device, but I haven’t seen any official indication of that. SMS is more convenient in a lot of situations but less secure.

Maxwell Swadling:

Never use consumer phone numbers, they are easily stolen. Most telcos only require a name and DOB to port. Get a number that doesn’t have a SIM allocated and can’t be ported, such as Twilio or Google Voice.

Maxwell Swadling:

1. Get a dedicated Google Voice number on a dedicated Google account
2. Disable text message forwarding
3. Put THAT account under U2F
4. Create a Mac VM
5. Sign in and activate with that number

I think this is the only decent approach

Tanner Bennett:

Lol what about company developer accounts that aren’t attached to any particular device, and thus, not tied to a phone number that can receive SMS?

See also: Cabel Sasser.

Update (2019-02-15): Simone Manganelli:

The SMS thing is “two-step” verification (as opposed to “two-factor”), and though it’s still supported, I dunno if you can activate it on newer devices.

Marco Arment:

This sudden requirement for 2FA on dev accounts feels rushed and ill-considered.

iCloud device-based 2FA doesn’t fit the way most iOS devs, big and small, use Apple IDs.

Apple should add support for TOTP (Authy, Authenticator, 1Password, etc.) before requiring 2FA.

Andrew Mayers:

I called dev support about it two days ago. They completely understood the problem and said they would look at my accounts and let me know the next day how to handle it. No response yet so I think they don’t have an answer yet.

Matthew Dicembrino:

Indie devs are now going to feel the pain us contractors have felt in the last year. New dev accounts have been 2FA required for months. I use a Google Voice number to receive SMS codes. Also reverse engineered the 2FA API calls to automate the process for my fastlane builds.

Gardner von Holt:

Marco, not publicized is that if you have no device to use for two factor auth, dev support can authorize your dev account to continue using Two Step auth, the 4 digit old method. Call dev support and explain the situation, you will get escalated to a sr. tech who has a process.

Nate Petersen:

Dev support got back to me: “At this time, two-factor authentication is only a requirement for the account holder role”. So you could have a separate account just to be the “account holder”. Still a huge pain though.

Konstantinos Kontos:

Since I’m the senior iOS dev, but not the account owner, and since there are tasks that only the account owner can do, I now need to coordinate with the US west time zone (10 hours difference to me) to perform tasks that I would otherwise do in a couple of minutes.

Craig Hockenberry:

Just removed an Apple ID from an old Mac mini and got a barrage of alerts on phones, watches, Macs about FaceTime being used on a new device that’s not new. Also signed out of the iTunes Store.

If anyone at Apple is wondering why developers are worried about 2FA, see above.

[…]

So let’s recap: I decided (stupidly) to do a little cleanup on my Apple ID. Now I can’t buy anything from Apple. I can’t renew my developer account, get a WWDC ticket, or buy some hardware.

We see fragility in Apple’s backend service a lot more than most customers. And worry.

My fear at this point is that all of these declines are going to trigger something that locks my account and really screws my business up.

See also: Scripting OS X.

Update (2019-02-18): See also: Reddit.

Dave Wood:

Apple’s forced 2FA is going to go really well. Here’s one of my dev accounts, now completely locked out (unrelated to 2FA). One site says I need to update the country associated with the account, the other says I can’t update it. Now what?…

Update (2019-02-20): Apple:

If your personal Apple ID is different from the Apple ID associated with your Apple Developer account, you can configure your device to allow verification codes to be received for both Apple IDs.

[…]

If your Apple ID has two-step verification enabled and two-factor authentication is available in your country or region, you will need to update to two-factor authentication for increased security.

[…]

You can assign the same trusted phone number to multiple Apple IDs that you use.

[…]

If you previously enabled two-step verification with a recovery key on your account and you sign in on a device running iOS 11 or macOS High Sierra, your Apple ID is automatically updated to two-factor authentication. After your account is updated, you have the option to generate a new recovery key. This option is only available if you are updating an account from two-step verification to two-factor authentication.

Eric Slivka:

But their suggestion to set it up by signing out of iCloud on your phone is pretty nuts. That’s a painful process to go through when your phone starts trying to delete all of your synced iCloud content.

Update (2019-02-26): See also: Accidental Tech Podcast.

Update (2019-03-05): It turns out that my Apple ID did not have 2FA enabled, so today I was forced to choose between logging out of iCloud on my phone and creating a new dummy user.

Stealing High-Value Instagram Accounts

Joseph Cox (tweet):

Usually when you think of someone taking over an Instagram account, you probably imagine a hacker breaking in with an unearthed password, or tricking the victim into giving up their credentials. But Instagram scammers have another, sometimes more effective method too: just asking Instagram to hand over the account.

Scammers do this by creating fake companies and trademarks to convince Instagram they should be the legitimate owner of a username in question, with fraudsters using “trademarking,” as the technique is known, to get ahold of sought-after, valuable handles, according to posts and evidence of the process in action obtained by Motherboard. The scammers can then keep these handles as digital mementos, brag about their acquisition, or resell them at a profit in a thriving underground community.

Update (2019-02-15): Isaiah Carew:

I’ve had my Instagram account “isaiah” stolen 3 times. They used “SIM flipping”, social engineering, and a loophole in 2-factor.

iTunes U and iBooks Author Are Suffering From Software Rot

Bradley Chambers:

Google has been ridiculed over creating and shutting down various applications over the years, but when it comes to enterprise software applications, I would prefer that over letting things die a slow agonizing death. Apple, on the other hand, has done the latter with two of its K–12 focused software applications: iBooks Author and iTunes U.

[…]

[iBooks Author is] largely the same application that it was when it was released in 2012. Is iBooks Author an app that schools are supposed to build around? If so, what promise do they have that it will be compatible with anything in the future?

[…]

The last major [iTunes U] feature was released in 2015. […] Sadly, iTunes U doesn’t even support split screen on the iPad yet. The Apple Pencil support is bare bones. It would be hard for me to recommend iTunes U as a platform for anyone at this point.

Most Security Bugs Are Memory Safety Issues

Catalin Cimpanu (via Hacker News):

Speaking at the BlueHat security conference in Israel last week, Microsoft security engineer Matt Miller said that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs.

The reason for this high percentage is because Windows has been written mostly in C and C++, two “memory-unsafe” programming languages that allow developers fine-grained control of the memory addresses where their code can be executed. One slip-up in the developers’ memory management code can lead to a slew of memory safety errors that attackers can exploit with dangerous and intrusive consequences, such as remote code execution or elevation of privilege flaws.

Kara Swisher Interview of Jack Dorsey

Dan Luu (tweet, Hacker News):

This is a transcript of the Kara Swisher / Jack Dorsey interview from 2/12/2019, made by parsing the original Tweets because I wanted to be able to read this linearly. There’s a “moment” that tries to track this, but since it doesn’t distinguish between sub-threads in any way, you can’t tell the difference between end of a thread and a normal reply.

Mostly, I think this demonstrates how hard it is to read collections of tweets on Twitter itself.
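An added example (not Dan Luu’s own tooling) of the reconstruction the quote describes: given tweets with reply-to ids, a depth-first walk emits a linear transcript and marks where each sub-thread ends, the distinction a flat “moment” loses. The tweet data is constructed, and the rule that the earliest reply continues a thread while later replies open indented sub-threads is an assumption.

```python
from collections import defaultdict

# Constructed sample interview: (id, in_reply_to_id, author, text).
# Tweet 4 replies to 2 while 3 also replies to 2, so 4/5 form a sub-thread.
TWEETS = [
    (1, None, "KS", "Q1: why?"),
    (2, 1, "JD", "A1 part 1"),
    (3, 2, "JD", "A1 part 2"),
    (4, 2, "KS", "Q2: follow-up on part 1"),
    (5, 4, "JD", "A2"),
    (6, 3, "KS", "Q3: after part 2"),
    (7, 6, "JD", "A3"),
]

def build_tree(tweets):
    """Map each tweet id to its replies in posting (id) order.
    A reply whose parent is missing (e.g. deleted) is treated as a root."""
    ids = {t[0] for t in tweets}
    children, roots = defaultdict(list), []
    for tid, parent, _, _ in sorted(tweets):
        (children[parent] if parent in ids else roots).append(tid)
    return roots, children

def linearize(tweets):
    """Yield (depth, ends_thread, author, text) in reading order.
    Assumed rule: the earliest reply continues the current thread; every later
    reply opens a sub-thread one level deeper, emitted before the continuation
    so the aside sits next to the tweet it answers. ends_thread is True for a
    tweet with no replies, i.e. where the transcript jumps back up the tree."""
    by_id = {t[0]: t for t in tweets}
    roots, children = build_tree(tweets)
    out = []
    def walk(tid, depth):
        _, _, author, text = by_id[tid]
        replies = children.get(tid, [])
        out.append((depth, not replies, author, text))
        for r in replies[1:]:       # side branches first, indented
            walk(r, depth + 1)
        if replies:                 # then the main continuation
            walk(replies[0], depth)
    for root in roots:
        walk(root, 0)
    return out

def render(tweets):
    """Plain-text transcript with indentation and explicit thread-end markers."""
    return ["  " * d + f"{a}: {t}" + ("  [end of thread]" if e else "")
            for d, e, a, t in linearize(tweets)]

if __name__ == "__main__":
    print("\n".join(render(TWEETS)))
```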