
Apple introduces two-factor authentication

Published April 2nd, 2013 at 3:34 PM EST, modified April 2nd, 2013 at 3:36 PM EST

Back in August of last year, a journalist named Mat Honan had his Apple ID hacked, allowing the hackers to remotely wipe all his devices and trash all his iCloud data. Two weeks ago, Apple introduced a new two-factor authentication option for Apple IDs (Apple calls it two-step verification) that blocks the technique used against Mr. Honan. Before you jump in and turn it on, though, you need to understand the advantages and disadvantages of doing so.

First, some of you may be asking what two-factor authentication is. The simple answer is that it is a login scheme that requires two independent pieces of evidence before an action is allowed: usually something you know (a password) plus something you have (a device that can receive a one-time code). In the case of the Apple ID, one factor is a password meeting certain requirements (minimum length, a mix of upper and lower case letters and digits, and so on). The other factor is a 4-digit one-time code that is sent to a trusted device, such as your cell phone. A third factor, a recovery key, is generated when you enable the feature; it stands in for one of the other two when you lose one, for example when the password has been forgotten.

It’s important to understand that the new two-factor authentication applies only to managing your Apple ID, not to everyday logins. You will still be able to do things like log in to iCloud, check your iCloud e-mail and make purchases in the iTunes or Mac App Stores with nothing more than your password. However, if you want to change the e-mail address associated with your Apple ID, reset the password or do something similar, you will need to present two of the factors.

Once you have enabled two-factor authentication for your Apple ID, no Apple representative will be able to reset your password to give you access to your account. Since Mat Honan’s attackers gained access to personal information that let them convince an Apple representative to hand over his account, the new scheme would have prevented that disaster. Unfortunately, this also means that, should you lose access to two of the three factors (password, trusted device, recovery key), which should be a fairly rare occurrence, you will lose administrative access to your account permanently; nobody at Apple can restore it. If the password is one of the factors you have lost, you lose access to the account entirely, since ordinary logins still require it.
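The scheme described in the three paragraphs above, as an added example that is not Apple's code and is not from the original post: a small Python model of an account protected by a password, a 4-digit one-time code sent to a trusted device, and a recovery key, with the "password alone signs you in, any two of three factors manage the account" policy. The class and function names, the ten-minute code lifetime, the three-guess limit and the 14-character recovery-key format are assumptions made for the example; the guess limit in particular is what makes a 4-digit code (only 10,000 possibilities) defensible.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 4      # the 4-digit one-time code the post describes
CODE_TTL = 600       # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 3     # assumption: a code is discarded after three wrong guesses
# assumption: a 14-character key from an alphabet without 0/O and 1/I look-alikes
RECOVERY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class AppleIDModel:
    """Toy model of an Apple ID with two-step verification turned on."""

    def __init__(self, password, trusted_devices):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._slow_hash(password)
        self.trusted_devices = set(trusted_devices)
        self.recovery_hash = None
        self.pending = {}  # device -> [code MAC, expiry time, guesses left]

    # Factor 1: something you know.
    def _slow_hash(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 50_000)

    def check_password(self, password):
        return hmac.compare_digest(self._slow_hash(password), self.pw_hash)

    # Factor 2: something you have. The code goes out of band to a trusted
    # device; the server keeps only a MAC of it, never the code itself.
    def _code_mac(self, code):
        return hmac.new(self.salt, code.encode(), "sha256").digest()

    def issue_code(self, device, now):
        if device not in self.trusted_devices:
            raise ValueError(f"{device!r} is not a trusted device")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[device] = [self._code_mac(code), now + CODE_TTL, MAX_ATTEMPTS]
        return code  # returned here only so the demo can "receive" it

    def verify_code(self, device, code, now):
        entry = self.pending.get(device)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if now > expires_at:
            del self.pending[device]
            return False
        if hmac.compare_digest(self._code_mac(code), mac):
            del self.pending[device]  # single use
            return True
        entry[2] -= 1  # 10,000 possible codes: wrong guesses must be capped
        if entry[2] <= 0:
            del self.pending[device]
        return False

    # Factor 3: the recovery key, generated once when the feature is enabled.
    def generate_recovery_key(self):
        key = "".join(secrets.choice(RECOVERY_ALPHABET) for _ in range(14))
        self.recovery_hash = self._slow_hash(key)
        return key

    def check_recovery_key(self, key):
        if self.recovery_hash is None:
            return False
        return hmac.compare_digest(self._slow_hash(key), self.recovery_hash)

    # Policy: everyday sign-in takes the password alone; account management
    # takes any two of the three factors, and no support path overrides it.
    def can_sign_in(self, password):
        return self.check_password(password)

    def can_manage(self, password=None, device=None, code=None,
                   recovery_key=None, now=0.0):
        presented = 0
        if password is not None and self.check_password(password):
            presented += 1
        if device is not None and code is not None and \
                self.verify_code(device, code, now):
            presented += 1
        if recovery_key is not None and self.check_recovery_key(recovery_key):
            presented += 1
        return presented >= 2


if __name__ == "__main__":
    acct = AppleIDModel("correct horse battery staple", ["ipad"])
    recovery_key = acct.generate_recovery_key()
    code = acct.issue_code("ipad", now=0.0)
    print("password alone manages the account:",
          acct.can_manage(password="correct horse battery staple"))
    print("password plus device code:",
          acct.can_manage(password="correct horse battery staple",
                          device="ipad", code=code, now=0.0))
```

Two details worth noticing: a code is consumed on first success and thrown away after expiry or too many wrong guesses, and the lockout the post warns about falls straight out of the policy, since `can_manage` with a single surviving factor returns `False` and there is no other path.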

What this means is that, if you enable two-factor authentication, there is a chance that some unusual circumstance could cost you your Apple ID, and all purchases associated with it. In exchange, you greatly reduce the chances that a hacker could gain access to your Apple ID. If you don’t make that change, though, the risk runs the other way: a hacker has a better chance of taking over your Apple ID and wreaking havoc with your devices and online data. After all, the security questions used by the old system are not particularly secure (the answers are often guessable or findable online), and it is still possible that an Apple representative could be tricked into giving someone access to your account.

If you decide to enable two-factor authentication, which will keep your account more secure, go to Apple’s Apple ID management site:

https://appleid.apple.com

Once there, click the “Manage your Apple ID” button and log in. Then click the Password and Security item and begin the process of enabling two-factor authentication. (You will need the answers to your security questions, so be sure you have them handy!)

You may be told that you will have to wait several days to complete the process. Some people seem not to have needed to do that, but I did. (And, of course, I started the process right before going out of town on a family vacation, so I couldn’t complete the process until I got back. I wasn’t willing to complete it while on an unencrypted, public wifi network!) The idea behind this is that, if someone other than you is initiating that process, you have several days of advance warning that someone is tampering with your account.

One final note: this protection is weaker if someone gains access to one of your trusted devices, because that device plus either your password or your recovery key is exactly the two factors the management site asks for. For example, if your iPad is a trusted device and someone steals it, and they also discover your Apple ID password or recovery key, they can log in to the Apple ID site and permanently lock you out of your account. Be sure to use a passcode lock on any iOS device you designate as trusted, don’t store your Apple ID password or recovery key on those devices, and enable Find My iPhone so that you can remotely lock or erase the device.


One Comment

  • aalien says:

    This is awesome!!!

    I also very much like Google’s system, where they detect the country and IP address and block your account with “Two-Step Authentication”, requiring an SMS to your cell phone in case of suspicious activity.

    Google is awesome and lets us administer all of this in detail in our account settings. I recently have the SMS to my cell phone always ON. In Gmail (bottom right corner) you have a link to a page where they have a list of all the IPs and countries from where your account has been opened.

    This is great for Apple. Every company/website/service should have these security options. At least as options, in case people want them ON/OFF.
