Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Makes Two-Factor Authentication Available For Apple IDs

Posted by Soulskill on from the security-is-now-officially-hip dept.

wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App store. An Apple ID can essentially be the keys to the Kingdom when it comes to Apple devices and user maintained data, and as Apple explains, is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [Two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent your trusted devices, or your Recovery Key, a support entry announcing the new service explained."

63 comments

  1. Thats just great. by ninlilizi · · Score: 1, Interesting

    But what happens when the trusted device is the iPhone thats just gone missing?

    1. Re:Thats just great. by Anonymous Coward · · Score: 2, Informative

      Then they warn you not to do that, to at the very least set up SMS which could theoretically point to another phone.

    2. Re:Thats just great. by jsdcnet · · Score: 5, Informative

      The person who finds it would still need to know your password. You can have multiple trusted devices (I set up my phone and iPad). There is also a special "recovery key" that can be used to get in to reset the trusted devices.

      --
      no longer working for cnet
    3. Re:Thats just great. by glennrrr · · Score: 4, Informative

      You print out a recovery number when you set it up. To change your password you need 2 of 3 things: the current password, a trusted device, or a recovery number. You are supposed to print it out, and hide it somewhere safe.

    4. Re:Thats just great. by 93+Escort+Wagon · · Score: 2

      But what happens when the trusted device is the iPhone thats just gone missing?

      You can have multiple trusted devices, and choose which one you want to use at any point in time. And you can remove devices from that list if they are lost or stolen (or, for that matter, if you just sell it).

      --
      #DeleteChrome
    5. Re:Thats just great. by Opportunist · · Score: 1

      So, in other words, if a compromised computer is used to set this up it is trivial for the hacker to lock the user out of his account and take it over while at the same time making sure that it is nontrivial for the user to get it back?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Thats just great. by Anonymous Coward · · Score: 1

      Yes. If the computer is compromised that you are setting this up on you can still be e-injured. However, at that point they had your password anyways via a keylogger. For everyone else, this is a great bonus to their security except for those who it is already too late. In other words, verify checkums of all files you get off of websites, use adblock plus + scriptsafe in chrome / comodo dragon or whatever browser you use (noscript/adblock for firefox for example), malwarebytes clean your pc, virus scan your shit (e.g. bitdefender/kaspersky), install qfx antikeylogger premium, use keepass (with certificate keyfile and a strong long password, don't reuse passwords, reset passwords regularly, use strong/long generated passwords you can't remember for all those forums etc and just let keepass remember), ids/firewall (e.g. comodo), and store it somewhere safe/encrypted (e.g. spideroak). Essentially, be paranoid to the point where when you set up this two-factor you're already reasonably secure. Also, set up two-factor on gmail as well, and store the printed backup codes in a bank safety deposit box along with Apple's recovery code. If you make it painful enough, you become less of a target. "Hackers" are generally looking for low hanging fruit.

    7. Re:Thats just great. by UltraZelda64 · · Score: 1, Troll

      Easy solution: Have an Android phone handy for logging into Apple services. :P
      Security through non-Apple Products. It should officially become a new form of security, like security by obscurity...

    8. Re:Thats just great. by ozmanjusri · · Score: 2

      There is also a special "recovery key" that can be used to get in to reset the trusted devices.

      And that could never cause a problem...

      Major security hole allows Apple passwords to be reset with only email address, date of birth

      http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth

      --
      "I've got more toys than Teruhisa Kitahara."
    9. Re:Thats just great. by Anonymous Coward · · Score: 0

      E-injured: when your virtual girlfriend kicks your e-peen.

  2. What timing... by Almonday · · Score: 1

    ...considering the pretty serious security hold in the Apple ID system that was reported earlier today.

    --
    Posterity, my posterior.
  3. *in selected countries* by Anonymous Coward · · Score: 0

    great to know that security only matters for some countries :-/

  4. Stop asking for my password all the time by Mascot · · Score: 2

    If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates- at least it doesn't ask me for every app update anymore. But, still...

    1. Re:Stop asking for my password all the time by tlhIngan · · Score: 1

      If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates- at least it doesn't ask me for every app update anymore. But, still...

      Blame all the developers and users for that one then. Back in iOS 4 days, parents would download an app and then find their kids have spent thousands of dollars on smurfberries on their credit card bill, so parents demanded action. Apple went ahead and split the timer between app store purchases and in-app purchases.

      The timer can be set at least to two different values - 15 minutes (default) or immediately, which means it always asks for a password (Settings->General->Restrictions or parental controls or somesuch).

      And naturally, Apple was sued and forced to pay out for that as well, so they're here to stay. More telling is why it hasn't happened on Android to a significant extent - either people don't really use apps on Android, or in-app purchases aren't common?

    2. Re:Stop asking for my password all the time by fermion · · Score: 2
      Here is my thing. A secure password is needed to protect the user against a random attack, presumably coming from the interwebs. Except that security is hard and expensive, so there are always going to be attacks that are not password related. Social engineering, hacking a server, using the password reset mechanism. All these get passwords and the complexity is irrelevant. All that wasted personal effort to maintain good passwords with no benefit.

      I like this kind of thing because it is dead simple and relatively secure. A good password will keep the account somewhat secure. The one time pad decreases the chances of someone who has the password getting in undetected. They can log in partly and be recorded, but without the code will not be able to get in. Enough of these and it is clear someone has your password. Easier password, easy code, security.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    3. Re:Stop asking for my password all the time by PNutts · · Score: 2

      You don't want to use a password when you buy something? What are you talking about when you say "all the freakin' time". I go for weeks without using my password.

    4. Re:Stop asking for my password all the time by Mascot · · Score: 2

      Indeed, the last time I can remember having to enter my Google password for my Android phone, was when I bought it. And that's why it's a randomly generated password of some length (and two-factor protected). My AppleID is.... not.

      Apple could have solved this in so many ways that are more convenient. Like, god forbid, letting the user decide between several options. That way I could get one I would be happy with (a confirmation dialog to avoid accidental clicks), and parents could get one they are happy with (password required when doing something that costs money). Apple really does not like multiple choices though, so it is what it is.

    5. Re:Stop asking for my password all the time by Mascot · · Score: 1

      As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.

      And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.

    6. Re:Stop asking for my password all the time by node+3 · · Score: 0

      As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.

      Then what the fuck are you complaining about?

      And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.

      Tell that to parents who hand their iPhones to their kids, or hell, even just being around some asshole acquaintances that might think it's funny.

      Or losing your phone and some stranger finding it and going to town with your account.

      Not to mention yourself, accidentally clicking the "buy" button.

    7. Re:Stop asking for my password all the time by Mascot · · Score: 1

      I said *I* don't want. I'm not trying to impose my choice upon others. I'd much prefer Apple added a configurable option to cater both for people that hand their gear to kids, or people they don't know, or habitually misplace hundreds of dollars worth of kit, as well as for people like me that do not.

    8. Re:Stop asking for my password all the time by node+3 · · Score: 1

      Well, that's quite reasonable (if a bit on the far end of the curve).

      I think the main problem is that if that's even an option, far too many people would turn it on (either knowingly or unknowingly), only to later find themselves running afoul of one of the many scenarios a password-free purchasing system would allow.

      The part I don't quite get is, how often do you need to type your password? When you buy from the stores (and there's a timeout period during which you don't need to type it). This can't be all that often, even for the most voracious App/Book/Music/Movie/TV Show buyer, can it?

    9. Re:Stop asking for my password all the time by Mascot · · Score: 1

      To be honest, if my password is a 30 character one that takes me several minutes to pull up on my computer's password safe and type in using a phone's keyboard, it doesn't take very often for that password to be dumbed down to something more convenient.

      The problem is that password is not protecting the phone, but the account, accessible from anywhere. Dumbing down the password is a bad solution. I'd be equally happy with a middle ground, like a PIN code to purchase as opposed to the full password. Which, incidentally, is exactly how people would avoid someone picking up their phone and "prank buying" in the first place (current security drama with regards to the lock screen notwithstanding).

      Having said that, my Android phone has not asked me for my password since I bought it, and I am not bankrupt yet, nor can I remember seeing articles about people having issues.

  5. How Many Factors? by SavoWood · · Score: 1

    This may seem like a stupid question, but I'll ask it anyway.

    When I count, I see the username and password as two factors. The factors, as I understand it, should be a combination of something you have (CAC, ATM card), know (username, password), and are (retina scan, fingerprint, voice pattern). Using that definition, username and password are two factors. It's quite possible to have a single factor, i.e. password only to log in on a device. A smart phone is a perfect example. You have your PIN, but no user name. On your computer, typically you have to put in your username (first factor) and your password (second factor). Adding a biometric like thumbprint, voice, retina, etc. would be an additional factor, making it three factor authentication.

    Maybe I'm just being thick, or have completely misunderstood what's going on here with the naming, but this seems like they're looking at three factor authentication. Since initially writing this, after hitting the preview button, I've looked at the wikipedia page on 2FA/MFA/TFA and find the moniker to still be incorrect in this application.

    Am I thinking too hard about this? Is it really simpler than I think it is? (Please be kind in your application of the clue bat.)

    --
    Plant a tree in a developing country.
    1. Re:How Many Factors? by Lazere · · Score: 1

      Both username and password are something you know. Perhaps you can claim the username is something you have, but I'm pretty certain they mean physically with that. Also, I think it has to have two of the three things (ie. Something you know and something you have as opposed to two things you know). I may be wrong, but I think that's how it's measured...

    2. Re:How Many Factors? by gorodish · · Score: 2

      You are correct, technically, but the real value of these kind of two-factor authentication techniques is that they are immune to replay attacks. Someone listening in to the Apple login process can't re-use the transmitted SMS code, because Apple expects to see a different code each time you log in.

    3. Re:How Many Factors? by jacinda · · Score: 2

      "Multi-factor authentication (also Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")." Wikipeda

      While a username and password are two "things," as you wrote yourself they are both things that you know so they only involve one authentication factor. So even if you required 3 passwords per login, that's still only single-factor authentication.

      For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

    4. Re:How Many Factors? by Anonymous Coward · · Score: 2, Informative

      Not really. There are two issues:
      1) Two factor authentication is generally (always?) accepted as being two factors of different types (ie, you cannot have two things you know, two things you are, or two things you have...the two things must be from different categories). This is more secure because it means the two factors must be attacked through completely different channels (if you had two passwords, the same attack to steal the first password could be used to steal the second password). It is analogous to encrypting something twice using XOR...if I XOR something with k1 and k2, it is no better than XORing it with the value of k1 XOR k2.
      2) Your username is generally considered "public"...it is an identifier, not an authenticator. It is generally not protected (you will pretty much always see it in plaintext, while passwords are *supposedly* hashed/encrypted). In combination with a secret (ie, your password), you actually have authentication. The pair is just one factor. Similarly, your username (the identifier) is used in combination with the other factor (token, biometric, whatever) to actually authenticate you.

    5. Re:How Many Factors? by Anonymous Coward · · Score: 0

      To address the phone example, that is still authentication using one factor, but no identifier is required. That is because it is not a shared resource (there are not multiple users on a phone...if there are, you would need to specify an identifier as well). The phone doesn't need to determine who it is authenticating...it just needs to know if you are authorized (which is determined by you providing the correct pin).

    6. Re:How Many Factors? by Anonymous Coward · · Score: 0

      I forgot to mention the particular case of the phone:
      No identifier is required there because it is a single user system. The authentication mechanism doesn't need to determine who it is authenticating...there is only one entity. They just need the correct credential (ie, the pin). If they ever come out with phones intended for multiple users, they would need a way of specifying the identifier in addition to the credential(s).

    7. Re:How Many Factors? by noh8rz10 · · Score: 3, Insightful

      For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

      I would say the most common 2-factor authentication is at the ATM, where you need to present your ATM card and enter your pin.

    8. Re:How Many Factors? by Anonymous Coward · · Score: 0

      showing your face to camera
        showing your fingerprint to a scanner
        demonstrating your weight to a scale

      Basically, something that requires you personally to be present; handing over a keycard or telling someone a username/password doesn't qualify.

    9. Re:How Many Factors? by Anonymous Coward · · Score: 0

      Because he gets answers like this when he asks in a semi-technical forum? Now off your your Linux forum.

    10. Re:How Many Factors? by cbhacking · · Score: 4, Insightful

      Yep, that's a good example of 2FA. Calling "username and password" two factors is foolish; your username isn't even an authentication credential at all in most cases (that is, it's typically at least semi-public information). It's an identifier, not a credential.

      However, even if the username is treated as a second password, then you don't really have two passwords; you have one long password with a break in the middle. There's no meaningful difference between them at that point.

      --
      There's no place I could be, since I've found Serenity...
    11. Re:How Many Factors? by Opportunist · · Score: 1

      Well, the confusion is understandable as "two factor" has been applied (wrongfully) to two very different and distinct security paradigms. First, the one you describe where the "factors" are having/knowing/being. The other one determines the "factor" by the paths information takes to negotiate between the two parties involved.

      In this specific case, where "factor" is used somewhat incorrectly IMO, a more appropriate designation would be "multi-channel", one "factor" is the link through the computer, the other one being the link through the text message channel. Two channel security increases overall security considerably since compromising one system is not enough to get the process compromised altogether. The classic MITM doesn't work out since you would have to sit in the middle of two distinct and independent channels.

      Now, of course this only works if both channels give you sufficient information to verify that the other channel has not been compromised. Banks use a similar system for internet banking, where you enter the information of the transaction planned, then you receive a text message with account data and amount to be transferred, which allows you to verify that the information you entered matches the information that arrived at the bank (i.e. a MITM attack changing the data between you and bank is thwarted), and you also receive a confirmation number that you have to enter to authorize the transaction.

      Note that the account information is CRITICAL in this setup. Just sending you a text message with "please acknowledge the transfer, your super-secret code is 1234" does NOT increase security AT ALL.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:How Many Factors? by Opportunist · · Score: 1

      That's like saying when I log in to my mail account it's two factor, too, because I need something I know (my email credentials) and a computer to type it in (which is something I need to have). Sorry, but that doesn't constitute a two factor authorization yet.

      The "something you have" must be sufficiently unique that duplication is nontrivial or (preferably) impossible. What may make it "something you have" is in this case the fact that there is only one phone with this phone number, not the fact that you get it sent to your phone.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:How Many Factors? by Anonymous Coward · · Score: 0

      The root of the problem is that username and password are not two factors, the user name does not count as a factor. Because, a factor is something you know that no one else does. However, everyone can find out your username it shows up in forums, friend requests, etc. I've been of the belief for a long time now that, like in mmos, your user account name that you use to login should be completely different than your public name. This would protect accounts against password resets because the user resetting it would have to know your login name which they wouldn't know. However, the imbeciles at all of these companies don't get this very simple concept, so we're left with just one factor - the password. Hence, they generate this extra code now to give you two factors. Three factors would be nice like a private user account name, password, and the SMS code. That'd be a lot harder to crack, I long for that day. Also, your credit card/atm card are also easy to find out, heck you hand them to people when you purchase things in public so they're not really private. And, all of these companies store the numbers plaintext in their databases, and these databases get stolen so you're info is probably already out there. Fingerprints are easy to fake, and make a horrible factor same goes for retina and voice all of these can be recorded and "played back". Anyways a great example of this is that you've posted as SavoWood on slashdot, I now know your account name I can begin social engineering/attacking your account until I get in. Do you really consider your username a factor now knowing this? How safe do you feel that I can't just guess your gmail/amazon/me.com/icloud accounts based on that name, break into one of those services, and ask /. to reset your password. Walked over your grave kind of feeling right?

    14. Re:How Many Factors? by Anonymous Coward · · Score: 0

      Oh and "security questions" (your mother's maiden name, for example) is a 4th factor "Something Everyone Knows".

  6. Exploits already by gmuslera · · Score: 1

    Seems that anyone can reset your password knowing your email and birthdate for the ones not using the two-factor authentication. And that option is available in just a few countries.

    Hopely it gets fixed in very short time or could get a massive impact in all the world.

    1. Re:Exploits already by Anonymous Coward · · Score: 0

      I reset my password 2-3 days ago using my email address alone. It did not asked for a dob, since I had never provided one for apple. At least, it was easy to recover from a lost password.

    2. Re:Exploits already by thetoadwarrior · · Score: 2

      The reset tool isn't available so that issue doesn't exist now.

    3. Re:Exploits already by AmiMoJo · · Score: 1

      Except that you have not been able to reset your password for months. Solve one problem by creating another.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. 72 Hour Waiting Period by Secret+Agent+Man · · Score: 1

    I tried to set mine up, and now Apple is saying I need to wait 3 days before the process can be completred. I'm in no hurry, but this feels kind of arbitrary, when other popular services (Google, Blizzard, et al) can set this form of authentication up instantly.

    1. Re:72 Hour Waiting Period by Macman408 · · Score: 3, Informative

      See the next-to-last answer in the FAQ here: http://support.apple.com/kb/HT5570

      If you've reset your password or changed your security questions, they make you wait first. This prevents somebody from stealing your account, changing the password, and then turning on two-factor authentication preventing you from ever getting it back. As they also note in that article, if you use two-factor authentication, they become unable to reset your password. If you ever lose two of the three things needed to log in (your password, your verified device(s), and your recovery key), then you cannot make any changes to your account. (And if you lose all three, you can't even log in from an already-trusted device.)

    2. Re:72 Hour Waiting Period by Secret+Agent+Man · · Score: 1

      Hmm, while that does make sense, I'm afraid I did none of those things. Ah well, better to err on the side of caution.

  8. Already closed by SuperKendall · · Score: 3, Informative

    If you follow your link back to the original Verge source, you'll see Apple already shut down the password reset tool, and is probably working on a fix.

    The timing then would seem to be excellent as with two-factor enabled the security hole would not matter.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Already closed by ColdWetDog · · Score: 1, Interesting

      This is interesting - went to set up two factor authentication; logged into the Apple site, then went to the passwords and security section, which asked for my two 'security questions' - which I never gave them. At this point, you can't get anywhere else. You're dumped to a KB article that is clearly incorrect and other than waiting online for an AppleDrone to tell me it's not really a problem (the usual Apple response to things), there is nothing else I can do.

      Perhaps it's embroiled in this little issue. I suppose I'll wait a bit to see what happens.

      --
      Faster! Faster! Faster would be better!
    2. Re:Already closed by node+3 · · Score: 2

      Yeah, right, they just magically put in answers to your security questions for you.

      Most likely you were prompted at some point to put them in, and being the clever but paranoid (and more than slightly annoyed at the time) geek that you are, you gave them bullshit responses (so that someone who knows you can't put in the info, like they are going to check which school you went to and who your childhood friend was, or whatever!). The only problem is that you didn't write them down and totally forgot about it.

      That, or, yeah, somehow those questions just got magically entered by a ghost or something...

    3. Re:Already closed by Anonymous Coward · · Score: 0

      That, or, yeah, somehow those questions just got magically entered by a ghost or something...

      Haven't you head? The mac book pro has problems with ghosts

    4. Re:Already closed by node+3 · · Score: 1

      Well, surely that explains it!

      (And for a point of interest, only some of the LG retina models have a ghosting which is generally only found in contrived testing scenarios and not in normal use. That's still bad, but nothing so bad as many people (who don't even own one) like to portray it as.)

    5. Re:Already closed by Anonymous Coward · · Score: 0

      > which asked for my two 'security questions' - which I never gave them.

      Why do so many large companies decide to do that? The database that Paychex got their information from is wrong. I'm from a town with a single high school. How did they get the name of my high school wrong? Bank of America's database they purchased is also just as broken. They misspelled my grandmother's first name. Even worse is Wells Fargo that asked two insulting questions. The first is "What year did your first child start school?" I don't have children. The next is worse. It is, "What is the profession of your paternal grandfather?" My grandmother was raped by Polish solders and doesn't even know who he is. Wells Fargo is being incredibly insensitive by claiming to know that information.

  9. Fail by Anonymous Coward · · Score: 0

    Well I just tried it. Sat for about five minutes, waiting for the SMS. Got bored, and gave up.

    And I did verify that my SMS is working, and that my cellco isn't just borked. Google had no problem pinging my phone in a matter of seconds. Tried to have Apple do it, gave up after five times. I even tried Apple to SMS my Google Voice number, which should forward the SMS to me via email. Still nothing.

    Apple fail.

  10. 2 factor my ass by oztiks · · Score: 0

    Is this like the 2 factor authentication which now that I do my banking on my Smartphone has become 1 factor authentication?

    I.E

    1. Login to netbank, issue payment on phone
    2. Receive SMS authentication code (on the same device)
    3. Key in the SMS authentication code in to the phone.
    4. Bill paid?

  11. Apples two factor authentication availability by LiquidPaper · · Score: 1

    Only available in USA and selected european countries.

  12. No security token... by Visserau · · Score: 1

    Dissapointing. As someone with only one mobile device (i.e. the one I want to protect) this is not very useful. Would be a lot better with a security token similar to those used by banks. However I'll probably enable it anyway as in my particular case I'm more worried about someone I know getting into the account, which this DOES protect from even though it'll make me more vulnerable if my phone is stolen.

    (Disclaimer: I only own an iPhone as I inherited it. I don't particually enjoy getting screwed by Apply constantly.)

  13. Poorly implemented for multiple Apple IDs by mkraft · · Score: 1

    Since Apple refuses to allow merging of Apple IDs, I have multiple IDs: iCloud, iTunes and other. The way Apple implemented this, you have to use the Find My IPhone app or SMS. The Find My iPhone app is tied to iCloud so it can only be used with an iCloud account, making it useless for a separate iTunes account which is where my devices are registered. That leaves SMS, which also has issues since the same phone number can't be used for different accounts. Plus many people, myself included, don't pay for SMS so it costs them 20 cents per validation.

    So Apple's whole 2 steps authentication fails as it has for most companies. Some, like Yahoo, can't even get it to work at all. I've never received a single verification SMS from Yahoo, no matter how many I request. Yahoo simply refuses to send it to me, despite my carrier being on their approved list. Yahoo's 2-factor implementation is rock bottom.

    On the other end of the spectrum is Google, who is among only a handful of companies who have got 2-factor authentication right. With Google's one app, I can verify any number of Google and even Dropbox accounts. Other companies like Blizzard and Paypal (Verisign) use the same method.

    Personally, I think all companies should use Google's authentication app of something similar. Implementing 2-factor authentication requiring SMS or an active Internet connection is simply a fail.

    1. Re:Poorly implemented for multiple Apple IDs by Ash-Fox · · Score: 1

      Plus many people, myself included, don't pay for SMS so it costs them 20 cents per validation.

      That is really only an issue in the states. This doesn't effect the majority of people.

      --
      Change is certain; progress is not obligatory.
  14. Remeber You Need 2 out of 3 MINIMUM by Anonymous Coward · · Score: 0

    Please people keep in mind that if you enable 2 step verification you NEED to keep the recovery code. If you do not have 2 of the three items (password, recovery code, trusted device)

    1. Re:Remeber You Need 2 out of 3 MINIMUM by Anonymous Coward · · Score: 0

      ack, doublepost, like I was saying 2 out of 3. Otherwise no one, including apple will be able to recover your account, ever. As a mobile repair guy I spend a lot of time on the phone with apple fixing peoples accounts that come into my store. Your average person doesn't know the questions, or the appleID currently. So Two Step makes me very wary.

  15. That's good news by DeoRip · · Score: 1

    Great news from Apple then, this will make Apple users feel more safe.

  16. Hard to get folks to use 2FA or OTP by Anonymous Coward · · Score: 0

    Why is it so hard to get people to use Two Factor Authentication (2FA)?

    We are looking for non profit server owners to deploy our FREE 2FA One Time Password (OTP) app URQUi.com. URQUi works with ALL cell phones. It is available now at iTunes, BlacBerry World & Google Play