Apple Makes Two-Factor Authentication Available For Apple IDs
wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App Store. An Apple ID can essentially be the keys to the kingdom when it comes to Apple devices and user-maintained data, and as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [Two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."
That's just great. (Score:1, Interesting)
But what happens when the trusted device is the iPhone that's just gone missing?
Re: (Score:2, Informative)
Then they warn you not to do that, and to at the very least set up SMS, which could theoretically point to another phone.
Re: (Score:2, Troll)
Easy solution: Have an Android phone handy for logging into Apple services. :P
Security through non-Apple Products. It should officially become a new form of security, like security by obscurity...
Re: (Score:3)
There is also a special "recovery key" that can be used to get in to reset the trusted devices.
And that could never cause a problem...
Major security hole allows Apple passwords to be reset with only email address, date of birth
http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth [theverge.com]
Re: (Score:2)
So, in other words, if a compromised computer is used to set this up it is trivial for the hacker to lock the user out of his account and take it over while at the same time making sure that it is nontrivial for the user to get it back?
Re: (Score:1)
Yes. If the computer that you are setting this up on is compromised, you can still be e-injured. However, at that point they had your password anyway via a keylogger. For everyone else, this is a great bonus to their security, except for those for whom it is already too late. In other words, verify checksums of all files you get off of websites, use Adblock Plus + ScriptSafe in Chrome / Comodo Dragon or whatever browser you use (NoScript/Adblock for Firefox, for example), clean your PC with Malwarebytes, virus scan your
Re: (Score:3)
But what happens when the trusted device is the iPhone that's just gone missing?
You can have multiple trusted devices, and choose which one you want to use at any point in time. And you can remove devices from that list if they are lost or stolen (or, for that matter, if you just sell it).
2 factor my ass (Score:1)
Is this like the 2-factor authentication which, now that I do my banking on my smartphone, has become 1-factor authentication?
I.e.:
1. Login to netbank, issue payment on phone
2. Receive SMS authentication code (on the same device)
3. Key in the SMS authentication code in to the phone.
4. Bill paid?
What timing... (Score:2)
Already closed (Score:4, Informative)
If you follow your link back to the original Verge source, you'll see Apple already shut down the password reset tool, and is probably working on a fix.
The timing then would seem to be excellent as with two-factor enabled the security hole would not matter.
Re: (Score:2, Interesting)
This is interesting. I went to set up two-factor authentication; logged into the Apple site, then went to the passwords and security section, which asked for my two 'security questions', which I never gave them. At this point, you can't get anywhere else. You're dumped to a KB article that is clearly incorrect, and other than waiting online for an AppleDrone to tell me it's not really a problem (the usual Apple response to things), there is nothing else I can do.
Perhaps it's embroiled in this little issue.
Re: (Score:3)
Yeah, right, they just magically put in answers to your security questions for you.
Most likely you were prompted at some point to put them in, and being the clever but paranoid (and more than slightly annoyed at the time) geek that you are, you gave them bullshit responses (so that someone who knows you can't put in the info, like they are going to check which school you went to and who your childhood friend was, or whatever!). The only problem is that you didn't write them down and totally forgot about it.
Re: (Score:2)
Well, surely that explains it!
(And for a point of interest, only some of the LG retina models have a ghosting which is generally only found in contrived testing scenarios and not in normal use. That's still bad, but nothing so bad as many people (who don't even own one) like to portray it as.)
Stop asking for my password all the time (Score:3)
If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates- at least it doesn't ask me for every app update anymore. But, still...
Re: (Score:2)
Blame all the developers and users for that one then. Back in iOS 4 days, parents would download an app and then find their kids have spent thousands of dollars on smurfberries on their credit card bill, so parents demanded action. Apple went ahead and split the timer between
Re: (Score:3)
Indeed, the last time I can remember having to enter my Google password for my Android phone, was when I bought it. And that's why it's a randomly generated password of some length (and two-factor protected). My AppleID is.... not.
Apple could have solved this in so many ways that are more convenient. Like, god forbid, letting the user decide between several options. That way I could get one I would be happy with (a confirmation dialog to avoid accidental clicks), and parents could get one they are happy wit
Re: (Score:3)
I like this kind of thing because it is dead simple a
Re: (Score:3)
You don't want to use a password when you buy something? What are you talking about when you say "all the freakin' time". I go for weeks without using my password.
Re: (Score:2)
As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.
And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.
Re: (Score:1)
As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.
Then what the fuck are you complaining about?
And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.
Tell that to parents who hand their iPhones to their kids, or hell, even just being around some asshole acquaintances that might think it's funny.
Or losing your phone and some stranger finding it and going to town with your account.
Not to mention yourself, accidentally clicking the "buy" button.
Re: (Score:2)
I said *I* don't want. I'm not trying to impose my choice upon others. I'd much prefer Apple added a configurable option to cater both for people that hand their gear to kids, or people they don't know, or habitually misplace hundreds of dollars worth of kit, as well as for people like me that do not.
Re: (Score:2)
Well, that's quite reasonable (if a bit on the far end of the curve).
I think the main problem is that if that's even an option, far too many people would turn it on (either knowingly or unknowingly), only to later find themselves running afoul of one of the many scenarios a password-free purchasing system would allow.
The part I don't quite get is, how often do you need to type your password? When you buy from the stores (and there's a timeout period during which you don't need to type it). This can't be all
Re: (Score:2)
To be honest, if my password is a 30 character one that takes me several minutes to pull up on my computer's password safe and type in using a phone's keyboard, it doesn't take very often for that password to be dumbed down to something more convenient.
The problem is that password is not protecting the phone, but the account, accessible from anywhere. Dumbing down the password is a bad solution. I'd be equally happy with a middle ground, like a PIN code to purchase as opposed to the full password. Which, in
How Many Factors? (Score:2)
This may seem like a stupid question, but I'll ask it anyway.
When I count, I see the username and password as two factors. The factors, as I understand it, should be a combination of something you have (CAC, ATM card), know (username, password), and are (retina scan, fingerprint, voice pattern). Using that definition, username and password are two factors. It's quite possible to have a single factor, i.e. password only to log in on a device. A smart phone is a perfect example. You have your PIN, but no
Re: (Score:2)
"Multi-factor authentication (also Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")." Wikipedia [wikipedia.org]
While a username and password are two "things," as you wrote yourself they are both things that you know so they only involve one authentication factor. So
Re: (Score:3, Insightful)
For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.
I would say the most common 2-factor authentication is at the ATM, where you need to present your ATM card and enter your pin.
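The "code sent to your device" step described in the thread, as an added example written for this page (it is not Apple's implementation and not code from any poster). It models the server side of a two-step login: a short code is issued only to a device the account has registered as trusted, is single-use, expires, and locks after a handful of wrong guesses, and lost devices can be removed from the trusted list. The code length, lifetime and attempt limit are assumptions chosen for illustration, and the sender callback stands in for whatever push or SMS channel actually delivers the code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example, not Apple's.
CODE_DIGITS = 4
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class VerificationCodeService:
    """Second step of a login: a short code is delivered to a trusted device
    and the user echoes it back. It proves possession only to the extent the
    delivery channel reaches exactly one device the account owner holds."""

    def __init__(self, send, now=time.time):
        self._send = send          # callable(device_id, code): push/SMS stand-in
        self._now = now            # injectable clock so expiry can be tested
        self._trusted = {}         # account -> set of trusted device ids
        self._pending = {}         # (account, device_id) -> PendingCode

    def register_device(self, account, device_id):
        self._trusted.setdefault(account, set()).add(device_id)

    def remove_device(self, account, device_id):
        """Drop a lost, stolen or sold device; any code in flight to it dies too."""
        self._trusted.get(account, set()).discard(device_id)
        self._pending.pop((account, device_id), None)

    def issue(self, account, device_id):
        """Send a fresh code to one trusted device; refuse untrusted targets."""
        if device_id not in self._trusted.get(account, set()):
            return False
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[(account, device_id)] = PendingCode(code, self._now())
        self._send(device_id, code)
        return True

    def verify(self, account, device_id, submitted):
        """True only for the current, unexpired code on that device, once."""
        key = (account, device_id)
        pending = self._pending.get(key)
        if pending is None:
            return False
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[key]          # too many guesses: force re-issue
            return False
        ok = hmac.compare_digest(pending.code.encode(), submitted.encode())
        if ok:
            del self._pending[key]          # single use
        return ok


if __name__ == "__main__":
    delivered = {}
    svc = VerificationCodeService(send=lambda dev, code: delivered.__setitem__(dev, code))
    svc.register_device("alice", "iphone")
    svc.issue("alice", "iphone")
    print("accepted:", svc.verify("alice", "iphone", delivered["iphone"]))
    print("replayed:", svc.verify("alice", "iphone", delivered["iphone"]))
```

The point the thread circles around is visible in `issue`: the code only ever goes to a device in the trusted set, so if that set contains one phone and the phone is gone, the only remaining path is whatever else the account keeps (here, removing the device and enrolling another, or an out-of-band recovery credential the example does not model).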
Re:How Many Factors? (Score:5, Insightful)
Yep, that's a good example of 2FA. Calling "username and password" two factors is foolish; your username isn't even an authentication credential at all in most cases (that is, it's typically at least semi-public information). It's an identifier, not a credential.
However, even if the username is treated as a second password, then you don't really have two passwords; you have one long password with a break in the middle. There's no meaningful difference between them at that point.
Re: (Score:2)
That's like saying when I log in to my mail account it's two factor, too, because I need something I know (my email credentials) and a computer to type it in (which is something I need to have). Sorry, but that doesn't constitute a two factor authorization yet.
The "something you have" must be sufficiently unique that duplication is nontrivial or (preferably) impossible. What may make it "something you have" is in this case the fact that there is only one phone with this phone number, not the fact that you g
Re: (Score:2, Informative)
Not really. There are two issues:
1) Two factor authentication is generally (always?) accepted as being two factors of different types (ie, you cannot have two things you know, two things you are, or two things you have...the two things must be from different categories). This is more secure because it means the two factors must be attacked through completely different channels (if you had two passwords, the same attack to steal the first password could be used to steal the second password). It is analogous
Re: (Score:2)
Well, the confusion is understandable as "two factor" has been applied (wrongfully) to two very different and distinct security paradigms. First, the one you describe where the "factors" are having/knowing/being. The other one determines the "factor" by the paths information takes to negotiate between the two parties involved.
In this specific case, where "factor" is used somewhat incorrectly IMO, a more appropriate designation would be "multi-channel", one "factor" is the link through the computer, the othe
Exploits already (Score:2)
Seems that anyone can reset your password knowing your email and birthdate [theverge.com] for the ones not using the two-factor authentication. And that option is available in just a few countries.
Hopefully it gets fixed in a very short time, or it could have a massive impact all over the world.
Re: (Score:2)
Except that you have not been able to reset your password for months. Solve one problem by creating another.
72 Hour Waiting Period (Score:2)
Re:72 Hour Waiting Period (Score:4, Informative)
See the next-to-last answer in the FAQ here: http://support.apple.com/kb/HT5570 [apple.com]
If you've reset your password or changed your security questions, they make you wait first. This prevents somebody from stealing your account, changing the password, and then turning on two-factor authentication preventing you from ever getting it back. As they also note in that article, if you use two-factor authentication, they become unable to reset your password. If you ever lose two of the three things needed to log in (your password, your verified device(s), and your recovery key), then you cannot make any changes to your account. (And if you lose all three, you can't even log in from an already-trusted device.)
Apple's two-factor authentication availability (Score:1)
Only available in the USA and selected European countries.
No security token... (Score:1)
Disappointing. As someone with only one mobile device (i.e. the one I want to protect), this is not very useful. It would be a lot better with a security token similar to those used by banks. However, I'll probably enable it anyway, as in my particular case I'm more worried about someone I know getting into the account, which this DOES protect against, even though it'll make me more vulnerable if my phone is stolen.
(Disclaimer: I only own an iPhone as I inherited it. I don't particularly enjoy getting screwed by Apple
Poorly implemented for multiple Apple IDs (Score:2)
Since Apple refuses to allow merging of Apple IDs, I have multiple IDs: iCloud, iTunes and other. The way Apple implemented this, you have to use the Find My iPhone app or SMS. The Find My iPhone app is tied to iCloud, so it can only be used with an iCloud account, making it useless for a separate iTunes account, which is where my devices are registered. That leaves SMS, which also has issues since the same phone number can't be used for different accounts. Plus many people, myself included, don't pay for
That's good news (Score:1)