Slashdot Mirror


Apple Makes Two-Factor Authentication Available For Apple IDs

wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App Store. An Apple ID can essentially be the keys to the kingdom when it comes to Apple devices and user-maintained data, and as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [Two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."

18 of 63 comments

  1. Re:That's just great. by Anonymous Coward · · Score: 2, Informative

    Then they warn you not to do that, to at the very least set up SMS which could theoretically point to another phone.

  2. Re:That's just great. by jsdcnet · · Score: 5, Informative

    The person who finds it would still need to know your password. You can have multiple trusted devices (I set up my phone and iPad). There is also a special "recovery key" that can be used to get in to reset the trusted devices.

    --
    no longer working for cnet
  3. Re:That's just great. by glennrrr · · Score: 4, Informative

    You print out a recovery number when you set it up. To change your password you need 2 of 3 things: the current password, a trusted device, or a recovery number. You are supposed to print it out, and hide it somewhere safe.

  4. Stop asking for my password all the time by Mascot · · Score: 2

    If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates; at least it doesn't ask me for every app update anymore. But, still...

    1. Re:Stop asking for my password all the time by fermion · · Score: 2
      Here is my thing. A secure password is needed to protect the user against a random attack, presumably coming from the interwebs. Except that security is hard and expensive, so there are always going to be attacks that are not password related. Social engineering, hacking a server, using the password reset mechanism. All these get passwords and the complexity is irrelevant. All that wasted personal effort to maintain good passwords with no benefit.

      I like this kind of thing because it is dead simple and relatively secure. A good password will keep the account somewhat secure. The one time pad decreases the chances of someone who has the password getting in undetected. They can log in partly and be recorded, but without the code will not be able to get in. Enough of these and it is clear someone has your password. Easier password, easy code, security.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    2. Re:Stop asking for my password all the time by PNutts · · Score: 2

      You don't want to use a password when you buy something? What are you talking about when you say "all the freakin' time". I go for weeks without using my password.

    3. Re:Stop asking for my password all the time by Mascot · · Score: 2

      Indeed, the last time I can remember having to enter my Google password for my Android phone, was when I bought it. And that's why it's a randomly generated password of some length (and two-factor protected). My AppleID is.... not.

      Apple could have solved this in so many ways that are more convenient. Like, god forbid, letting the user decide between several options. That way I could get one I would be happy with (a confirmation dialog to avoid accidental clicks), and parents could get one they are happy with (password required when doing something that costs money). Apple really does not like multiple choices though, so it is what it is.

  5. Re:How Many Factors? by gorodish · · Score: 2

    You are correct, technically, but the real value of these kinds of two-factor authentication techniques is that they are immune to replay attacks. Someone listening in to the Apple login process can't re-use the transmitted SMS code, because Apple expects to see a different code each time you log in.
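    The replay property gorodish describes, worked through as an added example (my code, not Apple's and not part of the thread): the server derives a fresh code for each login attempt, accepts it once, and forgets it, so a code captured in transit is worthless afterwards. The code generator is RFC 4226 HOTP over a counter; the secret, the 300-second lifetime and the single-pending-code rule are assumptions made for the model, not a description of Apple's implementation.

```python
import hmac
import hashlib
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class VerificationCodeServer:
    """Server side of a one-time verification code (assumed model, not Apple's code).

    Only the most recently issued code is outstanding, it is valid for `ttl_seconds`,
    and a successful verification consumes it. Replaying a captured code fails because
    it has either been consumed or been superseded by the code for the next login.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 300):
        self.secret = secret
        self.ttl = ttl_seconds
        self.counter = 0
        # (counter, code, issued_at) for the single outstanding code, or None
        self.pending: Optional[Tuple[int, str, float]] = None

    def issue(self, now: float) -> str:
        """Mint a new code for a login attempt (what would be sent by SMS)."""
        self.counter += 1
        code = hotp(self.secret, self.counter)
        self.pending = (self.counter, code, now)
        return code

    def verify(self, submitted: str, now: float) -> bool:
        if self.pending is None:
            return False                      # nothing outstanding: replay or no login in flight
        _, code, issued_at = self.pending
        if now - issued_at > self.ttl:
            self.pending = None               # expired codes are discarded, not checked
            return False
        if not hmac.compare_digest(code, submitted):
            return False                      # constant-time comparison of the digits
        self.pending = None                   # consumed: the same code is never accepted twice
        return True


def replay_scenario() -> Tuple[bool, bool, bool, bool]:
    """Constructed timeline: legitimate use, a replay, a fresh login, and an expired code."""
    server = VerificationCodeServer(secret=b"constructed-demo-secret", ttl_seconds=300)
    first = server.issue(now=0)
    legit = server.verify(first, now=10)      # fresh, unused code: accepted
    replay = server.verify(first, now=20)     # eavesdropper replays it: rejected
    second = server.issue(now=30)
    fresh = server.verify(second, now=45)     # next login gets its own code: accepted
    stale = server.issue(now=100)
    expired = server.verify(stale, now=500)   # 400 s later, past the TTL: rejected
    return legit, replay, fresh, expired


if __name__ == "__main__":
    print(replay_scenario())
```

    The point for a defender is the bookkeeping, not the digits: whatever generates the code, the verifier must bind it to one login attempt, enforce a lifetime, and clear it on success, or the "different code each time" guarantee evaporates.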

  6. Re:How Many Factors? by jacinda · · Score: 2

    "Multi-factor authentication (also Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")." Wikipedia

    While a username and password are two "things," as you wrote yourself they are both things that you know so they only involve one authentication factor. So even if you required 3 passwords per login, that's still only single-factor authentication.

    For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

  7. Re:How Many Factors? by Anonymous Coward · · Score: 2, Informative

    Not really. There are two issues:
    1) Two factor authentication is generally (always?) accepted as being two factors of different types (ie, you cannot have two things you know, two things you are, or two things you have...the two things must be from different categories). This is more secure because it means the two factors must be attacked through completely different channels (if you had two passwords, the same attack to steal the first password could be used to steal the second password). It is analogous to encrypting something twice using XOR...if I XOR something with k1 and k2, it is no better than XORing it with the value of k1 XOR k2.
    2) Your username is generally considered "public"...it is an identifier, not an authenticator. It is generally not protected (you will pretty much always see it in plaintext, while passwords are *supposedly* hashed/encrypted). In combination with a secret (ie, your password), you actually have authentication. The pair is just one factor. Similarly, your username (the identifier) is used in combination with the other factor (token, biometric, whatever) to actually authenticate you.

  8. Already closed by SuperKendall · · Score: 3, Informative

    If you follow your link back to the original Verge source, you'll see Apple already shut down the password reset tool, and is probably working on a fix.

    The timing then would seem to be excellent as with two-factor enabled the security hole would not matter.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Already closed by node+3 · · Score: 2

      Yeah, right, they just magically put in answers to your security questions for you.

      Most likely you were prompted at some point to put them in, and being the clever but paranoid (and more than slightly annoyed at the time) geek that you are, you gave them bullshit responses (so that someone who knows you can't put in the info, like they are going to check which school you went to and who your childhood friend was, or whatever!). The only problem is that you didn't write them down and totally forgot about it.

      That, or, yeah, somehow those questions just got magically entered by a ghost or something...

  9. Re:How Many Factors? by noh8rz10 · · Score: 3, Insightful

    For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

    I would say the most common 2-factor authentication is at the ATM, where you need to present your ATM card and enter your pin.

  10. Re:That's just great. by 93+Escort+Wagon · · Score: 2

    But what happens when the trusted device is the iPhone that's just gone missing?

    You can have multiple trusted devices, and choose which one you want to use at any point in time. And you can remove devices from that list if they are lost or stolen (or, for that matter, if you just sell it).

    --
    #DeleteChrome
  11. Re:How Many Factors? by cbhacking · · Score: 4, Insightful

    Yep, that's a good example of 2FA. Calling "username and password" two factors is foolish; your username isn't even an authentication credential at all in most cases (that is, it's typically at least semi-public information). It's an identifier, not a credential.

    However, even if the username is treated as a second password, then you don't really have two passwords; you have one long password with a break in the middle. There's no meaningful difference between them at that point.

    --
    There's no place I could be, since I've found Serenity...
  12. Re:72 Hour Waiting Period by Macman408 · · Score: 3, Informative

    See the next-to-last answer in the FAQ here: http://support.apple.com/kb/HT5570

    If you've reset your password or changed your security questions, they make you wait first. This prevents somebody from stealing your account, changing the password, and then turning on two-factor authentication preventing you from ever getting it back. As they also note in that article, if you use two-factor authentication, they become unable to reset your password. If you ever lose two of the three things needed to log in (your password, your verified device(s), and your recovery key), then you cannot make any changes to your account. (And if you lose all three, you can't even log in from an already-trusted device.)
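    The account-management rules that glennrrr (comment 3), 93 Escort Wagon (comment 10) and Macman408 (this comment) describe, combined into one runnable model as an added example (my code, not Apple's, and not part of the thread): any two of password, trusted device and recovery key unlock changes once two-step is on, lost devices can be removed from the trusted list, and two-step cannot be enabled until a waiting period after a password reset has passed. The 72-hour figure is taken from the comment's title; the rule that the password alone suffices before two-step is enabled is an assumption of the model.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Factor(Enum):
    PASSWORD = "password"
    TRUSTED_DEVICE = "trusted device"
    RECOVERY_KEY = "recovery key"


# Assumed from the thread title ("72 Hour Waiting Period"), not taken from Apple's documentation
WAITING_PERIOD_HOURS = 72


@dataclass
class AppleIdAccount:
    """Toy model of the two-step account rules discussed in the thread (not Apple's code)."""
    two_step_enabled: bool = False
    trusted_devices: Set[str] = field(default_factory=set)
    # hour at which the password or security questions were last reset; None if never
    last_reset_hour: Optional[float] = None

    def can_manage(self, presented: Set[Factor]) -> bool:
        """Before two-step: the password alone (assumption). After: any 2 of the 3 factors."""
        if not self.two_step_enabled:
            return Factor.PASSWORD in presented
        return len(presented & set(Factor)) >= 2

    def reset_password(self, now_hour: float, presented: Set[Factor]) -> bool:
        if not self.can_manage(presented):
            return False
        self.last_reset_hour = now_hour
        return True

    def enable_two_step(self, now_hour: float, presented: Set[Factor]) -> bool:
        if not self.can_manage(presented):
            return False
        # Waiting period: whoever just reset the password cannot immediately turn on
        # two-step and lock the real owner out for good.
        if self.last_reset_hour is not None and now_hour - self.last_reset_hour < WAITING_PERIOD_HOURS:
            return False
        self.two_step_enabled = True
        return True

    def remove_trusted_device(self, device: str, presented: Set[Factor]) -> bool:
        """Drop a lost, stolen or sold device from the trusted list."""
        if not self.can_manage(presented):
            return False
        self.trusted_devices.discard(device)
        return True


def walkthrough() -> Dict[str, object]:
    """Constructed timeline exercising each rule; hours are relative, not wall-clock."""
    acct = AppleIdAccount(trusted_devices={"iphone", "ipad"})
    r: Dict[str, object] = {}
    acct.reset_password(0, {Factor.PASSWORD})                                  # hour 0: reset
    r["enable_right_after_reset"] = acct.enable_two_step(1, {Factor.PASSWORD})  # blocked
    r["enable_after_waiting"] = acct.enable_two_step(80, {Factor.PASSWORD})     # allowed
    r["password_alone"] = acct.can_manage({Factor.PASSWORD})
    r["password_and_device"] = acct.can_manage({Factor.PASSWORD, Factor.TRUSTED_DEVICE})
    r["lost_password"] = acct.can_manage({Factor.TRUSTED_DEVICE, Factor.RECOVERY_KEY})
    r["recovery_key_alone"] = acct.can_manage({Factor.RECOVERY_KEY})
    r["drop_lost_phone"] = acct.remove_trusted_device(
        "iphone", {Factor.PASSWORD, Factor.TRUSTED_DEVICE})
    r["remaining_devices"] = sorted(acct.trusted_devices)
    return r


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

    The model makes the trade-off in Macman408's last sentence explicit: the same 2-of-3 rule that stops an attacker holding only the password also stops the owner who has lost two factors, which is why the recovery key has to be stored somewhere that survives losing the phone.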

  13. Re:Exploits already by thetoadwarrior · · Score: 2

    The reset tool isn't available so that issue doesn't exist now.

  14. Re:That's just great. by ozmanjusri · · Score: 2

    There is also a special "recovery key" that can be used to get in to reset the trusted devices.

    And that could never cause a problem...

    Major security hole allows Apple passwords to be reset with only email address, date of birth

    http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth

    --
    "I've got more toys than Teruhisa Kitahara."