Slashdot Mirror
Apple To Force Users To 2FA On iOS 11, macOS High Sierra (onthewire.io)
Trailrunner7 quotes a report from On the Wire: With the upcoming releases of iOS 11 and macOS High Sierra later this year, Apple is planning to force many users to adopt two-factor authentication for their accounts. The company this week sent an email to customers who have the existing two-step verification enabled for their Apple IDs, informing them that once they install the public betas of the new operating systems they will be migrated to two-factor authentication automatically. Two-step verification is an older method of account security that Apple rolled out before full two-factor authentication was available. Apple is phasing that out and will be upgrading people with eligible devices automatically. "Once updated, you'll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password," the email from Apple says.
and the rest of my relatives asking me to fix it.
Serious question since I won't go to Windows 10 I may have to go to Apple. If I buy an Apple laptop or desktop, must I create an Apple account to use my machine? Can I not simply buy it, create an admin account and user account and go to work?
iTC still is just username and password. Access to apps, Developer portal - all just username and password. Get your shit together apple.
Can't wait to read about how this is a fucking awful thing that Apple is taking away choice from its user base, and forcing them into the Walled Garden.
Apple's current two-step authentication can be quite buggy at times. I have an iPhone and an iPad, both of which are trusted devices (only iOS devices can serve as trusted devices) - yet the approval codes don't always show up on whichever device I've selected.
I've set up new devices, logged into iCloud, added the iCloud Keychain... and had the (supposedly automatic) approval prompt not show up at all on any current devices. I've seen, on numerous occasions, Sierra installs randomly unable to connect to a my (or another user's) iCloud account.
Frankly, having seen the buggy mess that is Sierra - I don't have a lot of faith in Apple to get this "automatic" and "even better" 2FA system working consistently. I've been a Mac user since 2003. I used to look forward to seeing what Apple had up their sleeve, software-wise. Now I find myself just hoping they don't break something new or remove some existing feature.
The one saving grace (on the Mac side, anyway) is that Apple currently rolls out security patches for the three most current versions of OS X / macOS - so I can hopefully sit on my El Capitan install (I've tried Sierra twice, and given up on Sierra twice), munch on popcorn and watch the show unfold.
#DeleteChrome
... two fucking articles.
I have to explain everything.
It little behooves the best of us to comment on the rest of us.
Apple ID security update with iOS 11 and macOS High Sierra
Dear Bleh Bleh Bleh,
Thank you for using two-step verification to protect the security of your Apple ID.
If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication. This is our most advanced, easy-to-use account security, and itâ(TM)s required to use some of the latest features of iOS, macOS, and iCloud.
Once updated, youâ(TM)ll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password.
For more information, read Two-Factor Authentication for Apple ID. If you have additional questions, visit Apple Support.
Minimum threshold fixed. Thanks!
Is usually a codeword for "we want to know your cellphone number so we can track who you are".
People often have a bank account and personal ID associated with their cellphone number.
One thing that doesn't make sense to me is having 2FA enabled for an iPhone. If one tries to log in to one's iCloud account via one's iPhone, the 2FA code gets sent to the iPhone. What good is that?
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
What if the Dede ice is not connected??
The latest update to Windows 10 is moving things forward on the Microsoft side with 2-factor authentication that's more "user friendly". Basically, in a domain on a network, you'd still create a username and a traditional password for the user account, but the machine won't ever make the person use that password to authenticate themselves. The 2 factors will be combinations of a 6 digit (or longer) PIN code they selected and a biometric authentication such as fingerprint reader or facial recognition using the webcam. Or lacking input devices like a webcam or fingerprint reader, the hardware itself could serve as the second factor. The PC could already be registered in an MDM on the server so it can disallow a login where the login isn't coming from the specific machine assigned to that user.
Apple's 2 factor is really inconvenient, with its simplistic idea that it can send a push notification to one of your registered devices OTHER than the one you're using, to prove that you're really you. That's absolutely terrible when your other device(s) aren't with you and you need to enter the confirmation data that was just sent to one of them, back at your house while you're at work or on a trip or what-not.
Apple's App Store will still allow downloading the security and OS updates without you being signed in with a particular iCloud user account. You just need that for anything else you want to download.
The spammers are onto it already. Just got a call warning not to use my mac until I call 1-888-320-8649.
I hope to hell this doesn't make it more difficult for me to use my android phone with my mac. It already requires some sort of emulator to work.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
I typically only have one trusted device at a time. What makes you think I trust my cellphone?
Your ad here. Ask me how!
So does that mean there will be a flood of iOS devices with support only for less than iOS 11 on the used market from people who can no longer install apps on them because their Apple Account update lockes them out? Might be a good opportunity for 'the rest of us' to get a mid-year iPad for a low low price.
Do you have any iDevices? :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I got an email a few weeks back from Apple, too. Emphasis mine.
Dear (SeaFox),
Beginning on June 15, app-specific passwords will be required to access your iCloud data using thirdparty apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts, and calendar services not provided by Apple.
If you are already signed in to a thirdparty app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.
To generate an app-specific password, turn on two-factor authentication for your Apple ID and then follow the instructions below:
Sign in to your Apple ID account page (https://appleid.apple.com)
Go to App-Specific Passwords under Security
Click Generate Password
For more information, read Using App-Specific Passwords. If you need additional help, visit Apple Support.
Apple Support
So now I have to set up a separate email password for my main computer (which is Windows 8.1, using Thunderbird), my email client on my Android phone, the address book app on my phone (which syncs to iCloud), the Calendar app (which also syncs to iCloud) -- maybe another one because I have a Thunderbird install on my tablet (Win 8.1), oh, and my Thunderbird install on my actual Apple laptop.
That's six fucking passwords I have to generate for what I could do with just one before, just because I don't want to sync my contacts and calendaring data through a provider that will definitely be data-mining my info.
Is Apple also going to upgrade their CSRs to resist social engineering to have 2FA turned off?
With PayPal, all you had to do to get around 2FA was call them up and social engineer your way into a password reset, which would also turn off 2FA. In other words, 2FA was so easy to bypass, it was of almost no actual security value.
A gate with a super advanced padlock is not secure if you can simply go around the gate. And that's WAY too easy to do with nearly every 2FA implementation. There is always a way around it or a way in. Always. And anyone determined enough to get in, because they WANT to do something malicious, would, of course KNOW the ways around it.
Sig for hire.
Something you know (password), and something you own (the bloody phone itself!). So that's two.
Oh, and I'm already terrified about losing my phone, but the more "security codes" it sends to me, the worse it gets...
I wish vendors would cease false 2FA advertisements because the security claims are unfair and misleading to users.
Actual multifactor authentication requires two dissimilar factors... generally what you know *AND* what you have.
What everyone is doing effectively amounts to what you know *OR* what you have. The second factor adds as much security to the system as an obvious password reset question...In other words it isn't additive...it actually reduces effective security of the system.
The goal has never been security. It's getting people to stop saying "I forgot my password".
Apple 2FA is a pain in the ass.
you do not have to use 2fa at all if you choose not to!
I don't need two-step, two-factor, or whatever the fuck you call it. Apple can suck it.
This 2FA is similar to that in gmail, yahoo mail, ms mail etc. Essentially, they force you to enter a valid cellphone number, so now they can track your internet email activity to you. But that's just emails. With Apple's 2FA, they can track your entire computer activity to you. No more anonymously using the computer without some corporation spying on all your activities.
How come no /. poster has mentioned this? Instead they go on about the inconvenience of 2FA, like a bunch of sheep.
Jealous?
is that using 2FA to verify your login doesn't help much if the authentication device is what you're logging in. So if you only have an iPhone, there isn't much point.
You've already failed. Remember, that anything "in the cloud" really means available for data-mining by the provider. If you don't want to be data-mined, you shouldn't be using cloud services.
See also the fallacy of using Apple (or anyone else for that matter) as a go between (proxy) for remote desktop services. (Google does this as well with their Chromebooks.) Anyone at Apple can intercept your remote session. Sure they say that they can't, but we all know it's *wink* *wink* *nudge* *nudge* and the alphabet soup agencies will try their hardest to get a backdoor put in if it's not there already. It's too much of a juicy and centralized target for them not to.
I only use my iPad to access my iCloud email: anything else gets accessed from this TrueOS laptop. I have one iPhone, one Lumia, one iPad, one Verizon Ellipsis, one MotoX and 2 laptops. I use the laptops for emails, so don't access those from the iPad. I use the Ellipsis for Gmail, and all my personal stuff - banking, credit cards & so on. I use the iPhone to FaceTime w/ family, iPad for games (actually, it gets used more by the kids), Lumia for any office calls (and checking my hotmail email) and MotoX for any social media (w/ an imaginary/assumed name, and no phone#). That way, I don't have all my accounts everywhere.
This isn't what I read. If you already have two factor authentication on, then yes the upgrade will keep that. But if you have it off, I read that they weren't forcing it on you just yet.
Actually, as I understand it apple solution to the social engineering issue is to simply have the system set up so that nobody in support can turn off two factor.
On the Flipside... when fantastical gets hacked (my preferred Calendar app - and yes I have it on it's own password), you only lose only that data. The rest of your Apple account, and iCloud data is intact and safe. Personally, since I use a different variation of my password on every website, taking that same template to each app is no bother.
Are you really someone who uses the same password across the board???? yikes! It's modern times. Get 1Pass and be done with it.
I tried it and it's flaky at best. I have spotty cell reception in my office (two x 1/4 inch panes of glass do that) and it can take a while to get a text or other notification.
"That's six fucking passwords I have to generate for what I could do with just one before, just because I don't want to sync my contacts and calendaring data through a provider that will definitely be data-mining my info."
If you sync with Google and turn on 2FA, you have to use app-specific passwords anyway.
Big online companies want your cellphone number so that when you forget your password, or when your account is taken by someone else, the big online company has a fighting chance of restoring the account to the correct person.
Then why does entering my landline number give messages to the effect "There was an error sending a code to that number" more often than it results in a voice call to confirm my landline number? Twitter, for example, doesn't seem to support voice recovery or voice 2FA.
This asshole spams all Apple threads praising everything apple and defending all their fuckups. What's the defence on this one, FakeTimCook?
Are you really someone who uses the same password across the board???? yikes! It's modern times. Get 1Pass and be done with it.
I was referring to six different apps that all access the same iCloud account, therefore they are all using the same credentials to access said single account right now.
I wonder if you see the irony in your suggestion is to use a password manager -- taking all your individual, unique passwords and making them all accessible with one master account while telling me using the "same password" across the board is a bad idea. And it's a paid service too! Yessir, lemme pay for the venerability of having all my credentials in one place, so there's only one target that needs to be compromised.
Text messages are cheap and easy
They're not cheaper than free. U.S. landline providers do not meter incoming calls. By contrast, U.S. cellular providers meter incoming voice calls and text messages. T-Mobile USA's pay-as-you-go plan, for example, charges 0.10 USD per outgoing or incoming voice minute or text message. At that price, receiving a code to log in to multiple services every day can become expensive for a user. Even on a cell phone, voice can prove cheaper than text because the equivalent of more than one text message can fit into one voice minute.
I mean, what nefarious reason do *you* think they have for wanting SMS-capable numbers?
Presumably because a user whose primary number is SMS-capable is more likely to have substantial disposable income than a user whose number is not, and users with substantial disposable income are more valuable to a service's sponsors. Or common ownership between users of cellular 2FA and the major cellular carriers.