
Apple Makes Two-Factor Authentication Available For Apple IDs

Posted by Soulskill
from the security-is-now-officially-hip dept.
wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App Store. An Apple ID can essentially be the keys to the kingdom when it comes to Apple devices and user-maintained data, and, as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."
  • That's just great. (Score:1, Interesting)

    by ninlilizi (2759613)

    But what happens when the trusted device is the iPhone that's just gone missing?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Then they warn you not to do that, and to at the very least set up SMS, which could theoretically point to another phone.

      • Re: (Score:2, Troll)

        by UltraZelda64 (2309504)

        Easy solution: Have an Android phone handy for logging into Apple services. :P
        Security through non-Apple Products. It should officially become a new form of security, like security by obscurity...

    • Re:That's just great. (Score:5, Informative)

      by jsdcnet (724314) on Friday March 22, 2013 @05:38PM (#43251917)
      The person who finds it would still need to know your password. You can have multiple trusted devices (I set up my phone and iPad). There is also a special "recovery key" that can be used to get in to reset the trusted devices.
    • Re:That's just great. (Score:5, Informative)

      by glennrrr (592457) on Friday March 22, 2013 @05:39PM (#43251935)
      You print out a recovery number when you set it up. To change your password you need 2 of 3 things: the current password, a trusted device, or a recovery number. You are supposed to print it out, and hide it somewhere safe.
      • So, in other words, if a compromised computer is used to set this up it is trivial for the hacker to lock the user out of his account and take it over while at the same time making sure that it is nontrivial for the user to get it back?

        • by Anonymous Coward

          Yes. If the computer you are setting this up on is compromised, you can still be e-injured. However, at that point they had your password anyway via a keylogger. For everyone else, this is a great bonus to their security, except for those for whom it is already too late. In other words, verify checksums of all files you get off of websites, use Adblock Plus + ScriptSafe in Chrome / Comodo Dragon or whatever browser you use (NoScript/Adblock for Firefox, for example), clean your PC with Malwarebytes, virus scan your

    • But what happens when the trusted device is the iPhone that's just gone missing?

      You can have multiple trusted devices, and choose which one you want to use at any point in time. And you can remove devices from that list if they are lost or stolen (or, for that matter, if you just sell it).

    • Is this like the 2 factor authentication which now that I do my banking on my Smartphone has become 1 factor authentication?

      I.e.

      1. Login to netbank, issue payment on phone
      2. Receive SMS authentication code (on the same device)
      3. Key in the SMS authentication code in to the phone.
      4. Bill paid?

  • ...considering the pretty serious security hole in the Apple ID system that was reported earlier today. [mashable.com]
    • Already closed (Score:4, Informative)

      by SuperKendall (25149) on Friday March 22, 2013 @06:23PM (#43252401)

      If you follow your link back to the original Verge source, you'll see Apple already shut down the password reset tool, and is probably working on a fix.

      The timing then would seem to be excellent as with two-factor enabled the security hole would not matter.

      • Re: (Score:2, Interesting)

        by ColdWetDog (752185)

        This is interesting - went to set up two factor authentication; logged into the Apple site, then went to the passwords and security section, which asked for my two 'security questions' - which I never gave them. At this point, you can't get anywhere else. You're dumped to a KB article that is clearly incorrect and other than waiting online for an AppleDrone to tell me it's not really a problem (the usual Apple response to things), there is nothing else I can do.

        Perhaps it's embroiled in this little issue.

        • by node 3 (115640)

          Yeah, right, they just magically put in answers to your security questions for you.

          Most likely you were prompted at some point to put them in, and being the clever but paranoid (and more than slightly annoyed at the time) geek that you are, you gave them bullshit responses (so that someone who knows you can't put in the info, like they are going to check which school you went to and who your childhood friend was, or whatever!). The only problem is that you didn't write them down and totally forgot about it.

  • by Mascot (120795) on Friday March 22, 2013 @05:47PM (#43252017)

    If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates- at least it doesn't ask me for every app update anymore. But, still...

    • by tlhIngan (30335)

      If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates- at least it doesn't ask me for every app update anymore. But, still...

      Blame all the developers and users for that one then. Back in iOS 4 days, parents would download an app and then find their kids have spent thousands of dollars on smurfberries on their credit card bill, so parents demanded action. Apple went ahead and split the timer between

      • by Mascot (120795)

        Indeed, the last time I can remember having to enter my Google password for my Android phone, was when I bought it. And that's why it's a randomly generated password of some length (and two-factor protected). My AppleID is.... not.

        Apple could have solved this in so many ways that are more convenient. Like, god forbid, letting the user decide between several options. That way I could get one I would be happy with (a confirmation dialog to avoid accidental clicks), and parents could get one they are happy wit

    • by fermion (181285)
      Here is my thing. A secure password is needed to protect the user against a random attack, presumably coming from the interwebs. Except that security is hard and expensive, so there are always going to be attacks that are not password related. Social engineering, hacking a server, using the password reset mechanism. All these get passwords and the complexity is irrelevant. All that wasted personal effort to maintain good passwords with no benefit.

      I like this kind of thing because it is dead simple a

    • by PNutts (199112)

      You don't want to use a password when you buy something? What are you talking about when you say "all the freakin' time". I go for weeks without using my password.

      • by Mascot (120795)

        As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.

        And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.

        • by node 3 (115640)

          As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.

          Then what the fuck are you complaining about?

          And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.

          Tell that to parents who hand their iPhones to their kids, or hell, even just being around some asshole acquaintances that might think it's funny.

          Or losing your phone and some stranger finding it and going to town with your account.

          Not to mention yourself, accidentally clicking the "buy" button.

          • by Mascot (120795)

            I said *I* don't want. I'm not trying to impose my choice upon others. I'd much prefer Apple added a configurable option to cater both for people that hand their gear to kids, or people they don't know, or habitually misplace hundreds of dollars worth of kit, as well as for people like me that do not.

            • by node 3 (115640)

              Well, that's quite reasonable (if a bit on the far end of the curve).

              I think the main problem is that if that's even an option, far too many people would turn it on (either knowingly or unknowingly), only to later find themselves running afoul of one of the many scenarios a password-free purchasing system would allow.

              The part I don't quite get is, how often do you need to type your password? When you buy from the stores (and there's a timeout period during which you don't need to type it). This can't be all

              • by Mascot (120795)

                To be honest, if my password is a 30 character one that takes me several minutes to pull up on my computer's password safe and type in using a phone's keyboard, it doesn't take very often for that password to be dumbed down to something more convenient.

                The problem is that password is not protecting the phone, but the account, accessible from anywhere. Dumbing down the password is a bad solution. I'd be equally happy with a middle ground, like a PIN code to purchase as opposed to the full password. Which, in

  • This may seem like a stupid question, but I'll ask it anyway.

    When I count, I see the username and password as two factors. The factors, as I understand it, should be a combination of something you have (CAC, ATM card), know (username, password), and are (retina scan, fingerprint, voice pattern). Using that definition, username and password are two factors. It's quite possible to have a single factor, i.e. password only to log in on a device. A smart phone is a perfect example. You have your PIN, but no

    • by Lazere (2809091)
      Both username and password are something you know. Perhaps you can claim the username is something you have, but I'm pretty certain they mean physically with that. Also, I think it has to have two of the three things (i.e. something you know and something you have, as opposed to two things you know). I may be wrong, but I think that's how it's measured...
    • by gorodish (788476)
      You are correct, technically, but the real value of these kind of two-factor authentication techniques is that they are immune to replay attacks. Someone listening in to the Apple login process can't re-use the transmitted SMS code, because Apple expects to see a different code each time you log in.
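An added example (editor's, not from the thread and not Apple's code) of the property gorodish describes: a server-side one-time verification code that is bound to one login attempt and one trusted device, expires, is consumed on first use so a code captured in transit cannot be replayed, and has a bounded guess budget. The code length, lifetime, attempt limit, `login_id`/`device_id` names and the injectable clock are assumptions for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumptions for this demo (not Apple's parameters): 4-digit codes, a
# five-minute lifetime, and three guesses before a code is burned.
CODE_DIGITS = 4
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    code: str            # the secret sent to the trusted device
    device_id: str       # which trusted device it was sent to
    issued_at: float     # clock value at issue time
    attempts_left: int = MAX_ATTEMPTS


class VerificationCodeStore:
    """Server-side store of outstanding one-time codes, keyed by login attempt."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested offline
        self._pending: dict[str, PendingCode] = {}

    def issue(self, login_id: str, device_id: str) -> str:
        """Generate a fresh, unpredictable code for this login attempt and device.
        Re-issuing replaces any earlier code for the same attempt."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[login_id] = PendingCode(code, device_id, self._clock())
        # A real service delivers the code to the device (push/SMS) and never
        # returns it to the web caller; it is returned here only for the demo.
        return code

    def verify(self, login_id: str, device_id: str, submitted: str) -> bool:
        """Accept a code at most once; reject replays, expiry, wrong device and
        exhausted guesses. Every outcome other than success leaves the code
        either consumed or burned when the budget runs out."""
        entry = self._pending.get(login_id)
        if entry is None:
            return False                       # nothing outstanding (or already used)
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[login_id]        # expired: a late replay is useless
            return False
        entry.attempts_left -= 1
        # Bind the code to the device it was sent to, and compare in constant
        # time so a short numeric code cannot be confirmed digit by digit.
        device_ok = hmac.compare_digest(entry.device_id, device_id)
        code_ok = hmac.compare_digest(entry.code, submitted)
        if device_ok and code_ok:
            del self._pending[login_id]        # consume: the same code never works twice
            return True
        if entry.attempts_left <= 0:
            del self._pending[login_id]        # burn after too many wrong guesses
        return False


def demo() -> dict:
    """Walk through the cases the thread argues about and return the outcomes."""
    now = [1_000.0]
    store = VerificationCodeStore(clock=lambda: now[0])
    results = {}

    code = store.issue("login-1", "iphone-A")
    results["wrong_device"] = store.verify("login-1", "ipad-B", code)
    results["first_use"] = store.verify("login-1", "iphone-A", code)
    results["replay"] = store.verify("login-1", "iphone-A", code)

    code2 = store.issue("login-2", "iphone-A")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify("login-2", "iphone-A", code2)

    code3 = store.issue("login-3", "iphone-A")
    wrong = "0000" if code3 != "0000" else "1111"
    for _ in range(MAX_ATTEMPTS):
        store.verify("login-3", "iphone-A", wrong)
    results["after_burn"] = store.verify("login-3", "iphone-A", code3)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the wrong-device attempt on `login-1` costs a guess but does not consume the code, while the successful use does; that is what makes an SMS code observed by someone "listening in" worthless a moment later, independent of whether the password was also captured.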
    • by jacinda (1875592)

      "Multi-factor authentication (also Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")." Wikipeda [wikipedia.org]

      While a username and password are two "things," as you wrote yourself they are both things that you know so they only involve one authentication factor. So

      • Re: (Score:3, Insightful)

        by noh8rz10 (2716597)

        For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

        I would say the most common 2-factor authentication is at the ATM, where you need to present your ATM card and enter your pin.

      • That's like saying when I log in to my mail account it's two factor, too, because I need something I know (my email credentials) and a computer to type it in (which is something I need to have). Sorry, but that doesn't constitute a two factor authorization yet.

        The "something you have" must be sufficiently unique that duplication is nontrivial or (preferably) impossible. What may make it "something you have" is in this case the fact that there is only one phone with this phone number, not the fact that you g

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Not really. There are two issues:
      1) Two factor authentication is generally (always?) accepted as being two factors of different types (ie, you cannot have two things you know, two things you are, or two things you have...the two things must be from different categories). This is more secure because it means the two factors must be attacked through completely different channels (if you had two passwords, the same attack to steal the first password could be used to steal the second password). It is analogous

    • Well, the confusion is understandable as "two factor" has been applied (wrongfully) to two very different and distinct security paradigms. First, the one you describe where the "factors" are having/knowing/being. The other one determines the "factor" by the paths information takes to negotiate between the two parties involved.

      In this specific case, where "factor" is used somewhat incorrectly IMO, a more appropriate designation would be "multi-channel", one "factor" is the link through the computer, the othe

  • Seems that anyone can reset your password knowing your email and birthdate [theverge.com] for the ones not using two-factor authentication. And that option is available in just a few countries.

    Hopefully it gets fixed very soon, or it could have a massive impact all over the world.

  • I tried to set mine up, and now Apple is saying I need to wait 3 days before the process can be completed. I'm in no hurry, but this feels kind of arbitrary, when other popular services (Google, Blizzard, et al.) can set this form of authentication up instantly.
    • by Macman408 (1308925) on Friday March 22, 2013 @07:03PM (#43252813)

      See the next-to-last answer in the FAQ here: http://support.apple.com/kb/HT5570 [apple.com]

      If you've reset your password or changed your security questions, they make you wait first. This prevents somebody from stealing your account, changing the password, and then turning on two-factor authentication preventing you from ever getting it back. As they also note in that article, if you use two-factor authentication, they become unable to reset your password. If you ever lose two of the three things needed to log in (your password, your verified device(s), and your recovery key), then you cannot make any changes to your account. (And if you lose all three, you can't even log in from an already-trusted device.)

      • Hmm, while that does make sense, I'm afraid I did none of those things. Ah well, better to err on the side of caution.
  • Only available in the USA and selected European countries.

  • Disappointing. As someone with only one mobile device (i.e. the one I want to protect) this is not very useful. It would be a lot better with a security token similar to those used by banks. However, I'll probably enable it anyway, as in my particular case I'm more worried about someone I know getting into the account, which this DOES protect from, even though it'll make me more vulnerable if my phone is stolen.

    (Disclaimer: I only own an iPhone as I inherited it. I don't particularly enjoy getting screwed by Apple

  • Since Apple refuses to allow merging of Apple IDs, I have multiple IDs: iCloud, iTunes and other. The way Apple implemented this, you have to use the Find My IPhone app or SMS. The Find My iPhone app is tied to iCloud so it can only be used with an iCloud account, making it useless for a separate iTunes account which is where my devices are registered. That leaves SMS, which also has issues since the same phone number can't be used for different accounts. Plus many people, myself included, don't pay for

    • by Ash-Fox (726320)

      Plus many people, myself included, don't pay for SMS so it costs them 20 cents per validation.

      That is really only an issue in the States. This doesn't affect the majority of people.

  • Great news from Apple then, this will make Apple users feel more safe.

"Right now I feel that I've got my feet on the ground as far as my head is concerned." -- Baseball pitcher Bo Belinsky

Working...