Apple To Force Users To 2FA On iOS 11, macOS High Sierra (onthewire.io)
Trailrunner7 quotes a report from On the Wire: With the upcoming releases of iOS 11 and macOS High Sierra later this year, Apple is planning to force many users to adopt two-factor authentication for their accounts. The company this week sent an email to customers who have the existing two-step verification enabled for their Apple IDs, informing them that once they install the public betas of the new operating systems they will be migrated to two-factor authentication automatically. Two-step verification is an older method of account security that Apple rolled out before full two-factor authentication was available. Apple is phasing that out and will be upgrading people with eligible devices automatically. "Once updated, you'll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password," the email from Apple says.
more tech support calls from my grandmother (Score:5, Insightful)
Re:more tech support calls from my grandmother (Score:5, Interesting)
Today I tried to help someone in verification code hell. She enters her Apple ID on new phone. The verification code is sent to the old phone. She can't read the code on the old phone because Apple wants her to verify something on the old phone but the duelling popups prevent her from accessing the item. Then the new phone re-initiates a verification code.
Re: (Score:1)
You could use the alternate verification method - it will call or text your phone number with the code.
Re: (Score:1)
Yep, had the same kind of problem. Gave in to Apple's nagging, enabled TFA, all devices asked for confirmation codes but none received any. Finally managed to get one code somewhere after many attempts with different methods, logged in, disabled TFA right away. Some devices kept nagging for a code, but a couple of resets later all was OK.
Also, what happens if two of my devices get stolen? Can't the thief then lock me out of my own account? "Hey, Apple, I 'forgot' the password for the iPhone and iPad I just
Re: (Score:3)
I did this, but for a lot shorter time. If you read the instructions, it asks you to enter your password _plus_ the verification code to log on.
Re: (Score:2)
This was my problem. I did the TFA thing, but when it asked for the code, they never sent it.
Re:more tech support calls from my grandmother (Score:5, Interesting)
Bad tries on a single iThing resulted in a DOS for every other Apple device linked to the same account. To recover, there was an option which promised to take days, or you needed an IOS 10 (?) device. That somehow produced a code, which you were told in one place to append to the old password when logging into a different device, and elsewhere told to use as the full password. Oh, and before you got that code, up came a warning that an "unauthorized device" was trying to access the account from some remote city (their geoIP sucks, and the warning was clearly wrong).
It was very, very much an exercise in frustration and too much time. Why not simply require a confirmation that things were good from some device other than the one with too many failed attempts, or worst case force a new existing password login then change from a different device? Because Think Different, and fuck you, we're Apple.
Re: (Score:2)
You use your Mac.
Re: (Score:2)
I recently ran into a similar problem when visiting my parents recently.
I wanted to update my mother's Mac to the latest version of macOS, but she was apparently logged out from her Apple account, so clicking the Get button in the Mac App Store to initiate the download resulted in a login prompt before it could start. I punched in her credentials, saw it spin for a bit, and then was given a cryptic error message that yielded no fruitful results in a quick search. Trying again resulted in more of the same: a
Re:more tech support calls from my grandmother (Score:4, Informative)
The article was really unclear in its description, but it just seems to be "Two step" is moving to "Two factor". Looks like regular authentication is still regular authentication.
Re: (Score:2)
Carry on.
Re: (Score:3)
Are your family currently using two step authentication?
Tried it, but I kept stepping on my partner's feet. Currently I'm using foxtrot authentication, but I'm thinking of taking tango authentication lessons in the future.
It does look odd when you're signing on to your account in public though. And doing it on a bus or train is a definite no-no.
Re: (Score:2)
Helping grandma beats trying to recover an Apple ID.
When I first got an iPod I created an Apple ID with an old email address. Never bought anything on it, never even put real contact info or credit card information on it. A few weeks ago I got an email that my security questions were changed. I called up Apple, apparently the only way they verify someone is the owner of an account is through those security questions so they couldn't do anything to help me.
TLDR: Make sure you have a strong password, because
Question about Apple machines (Score:2)
Serious question since I won't go to Windows 10 I may have to go to Apple. If I buy an Apple laptop or desktop, must I create an Apple account to use my machine? Can I not simply buy it, create an admin account and user account and go to work?
Re: Question about Apple machines (Score:2, Informative)
No Apple account needed to use iOS or Mac devices or get os updates. Just need an account for the App Store. (And iCloud)
Re: Question about Apple machines (Score:1, Insightful)
Everything you mentioned requires an Apple ID. 2FA will be required before long. I work for Apple Care. It's an unmitigated disaster from a user experience perspective. Massive call driver.
Re: Question about Apple machines (Score:1)
LOL I login to and use my phone and computer everyday without any active Apple accounts. Nice try tho.
To download from the AppStore, you do need an account.
Re: Question about Apple machines (Score:5, Insightful)
You're an AC that works at Teleperformance or some other call center, and you think you know what you're talking about. No Apple ID is required to create an account on a Mac or to download updates.
Updates (iOS and MacOS) are available here [apple.com], no App Store required.
As he stated, you do need an Apple ID for the App Store and iCloud features.
Re: (Score:1)
Not too bright, are ya? You can download the current macOS and iOS updates without having an AppleID account from https://support.apple.com/en_U... [apple.com].
How do you then install it? Genuinely curious.
Double-click?
Re: (Score:2)
And you are required to use iCloud. I fought this battle for months, and finally just got a Dell Precision with Ubuntu, because it was time to upgrade anyway.
I did everything I could to disable iCloud, but I could never escape the random pop-ups in OSX telling me that I needed to enter my iCloud password. It was fucking ridiculous. Almost as ridiculous as the Android bug where Gmail tells you you can't use it because Google Play doesn't have the microphone and body sensors allowed....
Re: (Score:2)
I'm curious. Which part of the GP's post do you consider to be FUD?
Re: (Score:1)
I'm curious. Which part of the GP's post do you consider to be FUD?
That entire line. There's a large number of us that have only logged into iCloud to test it out and found it wanting. Apple's data and privacy security is better than the competition, but it still falls far short of what it needs to be, IMHO. With the exception of Keychain, I don't believe any other data is encrypted by default, a major privacy and security failure. If you
Re: (Score:3)
If I buy an Apple laptop or desktop, must I create an Apple account to use my machine?
No, you don't have to.
Can I not simply buy it, create an admin account and user account and go to work?
Yes, you can.
That said, there is support built into the system for several of Apple's services. And since the account itself doesn't cost you anything and you get some entry level services for free, there's really not much reason to not create one.
Re: (Score:2)
It's worth pointing out here that if you don't use an Apple ID then you won't be able to use the App Store and, consequently, won't get security updates.
A very courageous design decision there.
Incorrect, sir .... (Score:3)
Apple's App Store will still allow downloading the security and OS updates without you being signed in with a particular iCloud user account. You just need that for anything else you want to download.
Re:Question about Apple machines (Score:5, Informative)
You aren't required to have an Apple account, but you'll probably want to. Having an Apple ID allows you to do a cloud backup of any iOS devices you might get. It allows you to access the app stores for both MacOS and iOS. It lets you use "Find my Mac" to track or remote-wipe your computer if you lose it, and "Back to my Mac", which gives you file sharing and remote screen access to your other Macs without needing a VPN, if you have multiple of them, even if they're behind a firewall. If you want to buy anything from iTunes, you'll need an Apple ID. It's even the sign-on if you want to order anything directly from Apple's website. If you want to do anything that connects to Apple, you'll want an Apple ID.
That doesn't mean you need to get one. You don't need to link it to your local sign-on. You don't even need to use Apple's domain (e.g. you can have the Apple ID use a Gmail address or whatever) unless you want to get a free email account with it.
It's ultimately not that onerous. They don't try to railroad you into it to the degree that Microsoft does.
Re: (Score:2)
apple
Re: (Score:2)
Yeah, pretty much.
And yet iTunes Connect doesn't have MFA (Score:2)
I got that generic email (Score:2)
Apple's current two-step authentication can be quite buggy at times. I have an iPhone and an iPad, both of which are trusted devices (only iOS devices can serve as trusted devices) - yet the approval codes don't always show up on whichever device I've selected.
I've set up new devices, logged into iCloud, added the iCloud Keychain... and had the (supposedly automatic) approval prompt not show up at all on any current devices. I've seen, on numerous occasions, Sierra installs randomly unable to connect to a m
What about iOS? (Score:2)
Do you have any iDevices? :(
2FA ... (Score:2)
... two fucking articles.
I have to explain everything.
Email I got with 2FA enabled. (Score:2)
Apple ID security update with iOS 11 and macOS High Sierra
Dear Bleh Bleh Bleh,
Thank you for using two-step verification to protect the security of your Apple ID.
If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication. This is our most advanced, easy-to-use account security, and it's required to use some of the latest features of iOS, macOS, and iCloud.
Once updated, you'
Re: (Score:3)
Is usually a codeword for "we want to know your cellphone number so we can track who you are".
People often have a bank account and personal ID associated with their cellphone number.
I hear this a lot, and it's generally proof that the speaker is a total idiot.
Big online companies want your cellphone number so that when you forget your password, or when your account is taken by someone else, the big online company has a fighting chance of restoring the account to the correct person. If you don't use 2FA and you don't give Apple/Google/Facebook some secure-ish way to contact you, then you are SOL.
Sadly, with the various cell-stealing methods this is becoming less useful, but it's still
Re: (Score:3)
hehe.. big?
it's not only big companies that do this now.
some companies require a number to get an authentication code to start using something, like a trial of sw or whatever. ..then you get a sales call. then you get another sales call. thanks to skypeout you'll get them no matter what country.
also, maybe news for you, but I have had more cases to help where they have LOST access to a sim/phonenumber and cannot retrieve account because of that.
(following applies to if phone number is used as a trusted, req
Re: (Score:2)
also, maybe news for you, but I have had more cases to help where they have LOST access to a sim/phonenumber and cannot retrieve account because of that.
Hardly; I've done the same. I didn't say that phone numbers were a good method for account recovery, just that they are better than just about any other method. Do you have a suggestion for a better method?
I mean, if a Korean man loses his account on an American website, could he maybe email them a picture of a notarized letter from another email account? How would a company with less resources than Apple authenticate or even read such a thing? A phone number is very changeable, but it's still more stab
Failure to send 2FA code to a landline (Score:2)
Big online companies want your cellphone number so that when you forget your password, or when your account is taken by someone else, the big online company has a fighting chance of restoring the account to the correct person.
Then why does entering my landline number give messages to the effect "There was an error sending a code to that number" more often than it results in a voice call to confirm my landline number? Twitter, for example, doesn't seem to support voice recovery or voice 2FA.
Re: (Score:2)
I know that Google can use phone calls to verify a phone number and (later) to use it to demonstrate your identity. I don't know how many other companies can do that, though. Text messages are cheap and easy, so most want a cell phone (or other SMS-capable number) so they can interact with you via text messages.
I mean, what nefarious reason do *you* think they have for wanting SMS-capable numbers? How does wanting SMS-capable numbers disprove my point?
0.10 USD per received text message (Score:2)
Text messages are cheap and easy
They're not cheaper than free. U.S. landline providers do not meter incoming calls. By contrast, U.S. cellular providers meter incoming voice calls and text messages. T-Mobile USA's pay-as-you-go plan, for example, charges 0.10 USD per outgoing or incoming voice minute or text message. At that price, receiving a code to log in to multiple services every day can become expensive for a user. Even on a cell phone, voice can prove cheaper than text because the equivalent of more than one text message can fit in
Re: (Score:2)
When I tried to use my cellphone number with Blizzard to 'secure' my extremely valuable World of Warcraft account, they refused to accept my number. Because, I guess, I use a Virgin Mobile phone* so my balls aren't cinched into enough of a vice (a cellphone contract) for them to consider it a 'valid' number.
(*it's $35 a month for an Android smartphone with lots of data)
2FA on the same device? (Score:2)
Re: (Score:2)
It sounds to me like you can get your second factor on your OS-X computer. If you have an OS-X computer.
Since I use macbooks but also android and chromebooks, and no iOS devices, this seems like a not-so-good design to me. But I don't understand the details of the system yet, so I'll withhold judgement for now.
Re: (Score:2)
Yes, you can; but that does nobody any good if you're nowhere near your computer. The 2FA code is sent to all your iOS and logged-in macOS devices.
Microsoft may actually be doing this better, now? (Score:2)
The latest update to Windows 10 is moving things forward on the Microsoft side with 2-factor authentication that's more "user friendly". Basically, in a domain on a network, you'd still create a username and a traditional password for the user account, but the machine won't ever make the person use that password to authenticate themselves. The 2 factors will be combinations of a 6 digit (or longer) PIN code they selected and a biometric authentication such as fingerprint reader or facial recognition using
Android? (Score:2)
Re: (Score:2)
Bad news. You're going to be forced to make special passwords [slashdot.org] just for those apps on the Android phone that interface with iCloud.
Re: (Score:2)
Yep, already forced to do that with Thunderbird.
To a "trusted" device? (Score:2)
I typically only have one trusted device at a time. What makes you think I trust my cellphone?
Not just for iOS/High Sierra. Anything non-Apple. (Score:4, Informative)
I got an email a few weeks back from Apple, too. Emphasis mine.
Dear (SeaFox),
Beginning on June 15, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts, and calendar services not provided by Apple.
If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.
To generate an app-specific password, turn on two-factor authentication for your Apple ID and then follow the instructions below:
Sign in to your Apple ID account page (https://appleid.apple.com)
Go to App-Specific Passwords under Security
Click Generate Password
For more information, read Using App-Specific Passwords. If you need additional help, visit Apple Support.
Apple Support
So now I have to set up a separate email password for my main computer (which is Windows 8.1, using Thunderbird), my email client on my Android phone, the address book app on my phone (which syncs to iCloud), the Calendar app (which also syncs to iCloud) -- maybe another one because I have a Thunderbird install on my tablet (Win 8.1), oh, and my Thunderbird install on my actual Apple laptop.
That's six fucking passwords I have to generate for what I could do with just one before, just because I don't want to sync my contacts and calendaring data through a provider that will definitely be data-mining my info.
Re: (Score:2)
I only use my iPad to access my iCloud email: anything else gets accessed from this TrueOS laptop. I have one iPhone, one Lumia, one iPad, one Verizon Ellipsis, one MotoX and 2 laptops. I use the laptops for emails, so don't access those from the iPad. I use the Ellipsis for Gmail, and all my personal stuff - banking, credit cards & so on. I use the iPhone to FaceTime w/ family, iPad for games (actually, it gets used more by the kids), Lumia for any office calls (and checking my hotmail email) and
Re: (Score:2)
On the flip side... when Fantastical gets hacked (my preferred Calendar app - and yes I have it on its own password), you lose only that data. The rest of your Apple account, and iCloud data is intact and safe. Personally, since I use a different variation of my password on every website, taking that same template to each app is no bother.
Are you really someone who uses the same password across the board???? yikes! It's modern times. Get 1Pass and be done with it.
Re: (Score:2)
Are you really someone who uses the same password across the board???? yikes! It's modern times. Get 1Pass and be done with it.
I was referring to six different apps that all access the same iCloud account, therefore they are all using the same credentials to access said single account right now.
I wonder if you see the irony in your suggestion is to use a password manager -- taking all your individual, unique passwords and making them all accessible with one master account while telling me using the "same password" across the board is a bad idea. And it's a paid service too! Yessir, lemme pay for the venerability of having all my cr
Re: (Score:2)
"That's six fucking passwords I have to generate for what I could do with just one before, just because I don't want to sync my contacts and calendaring data through a provider that will definitely be data-mining my info."
If you sync with Google and turn on 2FA, you have to use app-specific passwords anyway.
So Apple is also upgrading their CSRs to resist? (Score:2)
Is Apple also going to upgrade their CSRs to resist social engineering to have 2FA turned off?
With PayPal, all you had to do to get around 2FA was call them up and social engineer your way into a password reset, which would also turn off 2FA. In other words, 2FA was so easy to bypass, it was of almost no actual security value.
A gate with a super advanced padlock is not secure if you can simply go around the gate. And that's WAY too easy to do with nearly every 2FA implementation. There is always a way ar
Isn't it already two factor? (Score:2)
Something you know (password), and something you own (the bloody phone itself!). So that's two.
Oh, and I'm already terrified about losing my phone, but the more "security codes" it sends to me, the worse it gets...
Misleading advertising (Score:3)
I wish vendors would cease false 2FA advertisements because the security claims are unfair and misleading to users.
Actual multifactor authentication requires two dissimilar factors... generally what you know *AND* what you have.
What everyone is doing effectively amounts to what you know *OR* what you have. The second factor adds as much security to the system as an obvious password reset question...In other words it isn't additive...it actually reduces effective security of the system.
The goal has never been security. It's getting people to stop saying "I forgot my password".
The obvious flaw (Score:2)
2FA is a PITA (Score:1)
FakeTimCook (Score:1)
Re: (Score:2)
So does that mean there will be a flood of iOS devices with support only for less than iOS 11 on the used market from people who can no longer install apps on them because their Apple Account update locks them out? Might be a good opportunity for 'the rest of us' to get a mid-year iPad for a low low price.