Slashdot Mirror


Apple Makes Two-Factor Authentication Available For Apple IDs

wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App Store. An Apple ID can essentially be the keys to the Kingdom when it comes to Apple devices and user-maintained data, and as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [Two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."

6 of 63 comments

  1. Re:That's just great. by Anonymous Coward · Score: 2, Informative

    Then they warn you not to do that, to at the very least set up SMS which could theoretically point to another phone.

  2. Re:That's just great. by jsdcnet · Score: 5, Informative

    The person who finds it would still need to know your password. You can have multiple trusted devices (I set up my phone and iPad). There is also a special "recovery key" that can be used to get in to reset the trusted devices.

    --
    no longer working for cnet
  3. Re:That's just great. by glennrrr · Score: 4, Informative

    You print out a recovery number when you set it up. To change your password you need 2 of 3 things: the current password, a trusted device, or a recovery number. You are supposed to print it out, and hide it somewhere safe.

  4. Re:How Many Factors? by Anonymous Coward · Score: 2, Informative

    Not really. There are two issues:
    1) Two-factor authentication is generally (always?) accepted as being two factors of different types (i.e., you cannot have two things you know, two things you are, or two things you have...the two things must be from different categories). This is more secure because it means the two factors must be attacked through completely different channels (if you had two passwords, the same attack to steal the first password could be used to steal the second password). It is analogous to encrypting something twice using XOR...if I XOR something with k1 and k2, it is no better than XORing it with the value of k1 XOR k2.
    2) Your username is generally considered "public"...it is an identifier, not an authenticator. It is generally not protected (you will pretty much always see it in plaintext, while passwords are *supposedly* hashed/encrypted). In combination with a secret (i.e., your password), you actually have authentication. The pair is just one factor. Similarly, your username (the identifier) is used in combination with the other factor (token, biometric, whatever) to actually authenticate you.
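
The XOR analogy from comment 4, worked through as an added example (not part of the original thread or written by any commenter). The keys, message and function names are constructed for illustration, and the code goes one step past the comment's case by handling two keys of different lengths.

```python
from itertools import cycle
from math import gcd

# Constructed sample values, not taken from the thread.
K1 = b"abc"            # first "layer" key (length 3)
K2 = b"wxyz"           # second "layer" key (length 4)
MESSAGE = b"two secrets of the same kind are one secret"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the toy cipher in the comment's analogy."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def combined_key(k1: bytes, k2: bytes) -> bytes:
    """Return the single key equivalent to XORing with k1 and then k2.

    The two keys line up again every lcm(len(k1), len(k2)) bytes, so the
    equivalent key has exactly that length.
    """
    if not k1 or not k2:
        raise ValueError("keys must be non-empty")
    period = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return bytes(a ^ b for a, b, _ in zip(cycle(k1), cycle(k2), range(period)))


def effective_key_from_pair(plain: bytes, cipher: bytes, period: int) -> bytes:
    """One known plaintext/ciphertext pair exposes the effective key.

    Neither k1 nor k2 is learned, and neither is needed: both layers fall
    to the same single step, which is the point of the analogy.
    """
    if min(len(plain), len(cipher)) < period:
        raise ValueError("need at least one full key period of known text")
    return bytes(p ^ c for p, c in zip(plain[:period], cipher[:period]))


if __name__ == "__main__":
    twice = xor_stream(xor_stream(MESSAGE, K1), K2)
    once = xor_stream(MESSAGE, combined_key(K1, K2))
    print("two passes == one pass:", twice == once)
    leaked = effective_key_from_pair(MESSAGE, twice, len(combined_key(K1, K2)))
    print("decrypts without k1 or k2:", xor_stream(twice, leaked) == MESSAGE)
```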

  5. Already closed by SuperKendall · Score: 3, Informative

    If you follow your link back to the original Verge source, you'll see Apple already shut down the password reset tool, and is probably working on a fix.

    The timing then would seem to be excellent as with two-factor enabled the security hole would not matter.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Re:72 Hour Waiting Period by Macman408 · Score: 3, Informative

    See the next-to-last answer in the FAQ here: http://support.apple.com/kb/HT5570

    If you've reset your password or changed your security questions, they make you wait first. This prevents somebody from stealing your account, changing the password, and then turning on two-factor authentication preventing you from ever getting it back. As they also note in that article, if you use two-factor authentication, they become unable to reset your password. If you ever lose two of the three things needed to log in (your password, your verified device(s), and your recovery key), then you cannot make any changes to your account. (And if you lose all three, you can't even log in from an already-trusted device.)