Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple To Force Users To 2FA On iOS 11, macOS High Sierra (onthewire.io)

Posted by BeauHD on from the takes-two-to-tango dept.

Trailrunner7 quotes a report from On the Wire: With the upcoming releases of iOS 11 and macOS High Sierra later this year, Apple is planning to force many users to adopt two-factor authentication for their accounts. The company this week sent an email to customers who have the existing two-step verification enabled for their Apple IDs, informing them that once they install the public betas of the new operating systems they will be migrated to two-factor authentication automatically. Two-step verification is an older method of account security that Apple rolled out before full two-factor authentication was available. Apple is phasing that out and will be upgrading people with eligible devices automatically. "Once updated, you'll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password," the email from Apple says.

18 of 119 comments (clear)

  1. more tech support calls from my grandmother by turkeydance · · Score: 4, Insightful

    and the rest of my relatives asking me to fix it.

    1. Re:more tech support calls from my grandmother by Anonymous Coward · · Score: 5, Interesting

      Today I tried to help someone in verification code hell. She enters her Apple ID on new phone. The verification code is sent to the old phone. She can't read the code on the old phone because Apple wants her to verify something on the old phone but the duelling popups prevent her from accessing the item. Then the new phone re-initiates a verification code.

    2. Re:more tech support calls from my grandmother by msauve · · Score: 4, Interesting

      I'm with you. Just yesterday I had to help someone restore an Apple password (too many wrong tries on a single device). To quote Steve Jobs, the whole thing was "brain-dead."

      Bad tries on a single iThing resulted in a DOS for every other Apple device linked to the same account. To recover, there was an option which promised to take days, or you needed an IOS 10 (?) device. That somehow produced a code, which you were told in one place to append to the old password when logging into a different device, and elsewhere told to use as the full password. Oh, and before you got that code, up came a warning that an "unauthorized device" was trying to access the account from some remote city (their geoIP sucks, and the warning was clearly wrong).

      It was very, very much an exercise in frustration and too much time. Why not simply require a confirmation that things were good from some device other than the one with too many failed attempts, or worst case force a new existing password login then change from a different device? Because Think Different, and fuck you, we're Apple.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:more tech support calls from my grandmother by bug_hunter · · Score: 3, Informative

      Are your family currently using two step authentication?

      The article was really unclear in it's description, but it just seems to be "Two step" is moving to "Two factor". Looks like regular authentication is still regular authentication.

      --
      It's turtles all the way down.
    4. Re:more tech support calls from my grandmother by turkeydance · · Score: 2

      any change, anything new or different and the calls start.

    5. Re:more tech support calls from my grandmother by arglebargle_xiv · · Score: 2

      Are your family currently using two step authentication?

      Tried it, but I kept stepping on my partner's feet. Currently I'm using foxtrot authentication, but I'm think of taking tango authentication lessons in the future.

      It does look odd when you're signing on to your account in public though. And doing it on a bus or train is a definite no-no.

    6. Re:more tech support calls from my grandmother by marklark · · Score: 2

      I did this, but for a lot shorter time. If you read the instructions, it asks you to enter your password _plus_ the verification code to log on.

  2. Re: Question about Apple machines by Anonymous Coward · · Score: 2, Informative

    No Apple account needed to use iOS or Mac devices or get os updates. Just need an account for the App Store. (And iCloud)

  3. Re:Question about Apple machines by DigiShaman · · Score: 2, Funny

    Yes. You can create a local account instead of linking it to Apple iCloud. But beware, a local only account means you're a lone ranger. You're on your own, and shunned from Apple until you embrace the cloud.

    --
    Life is not for the lazy.
  4. Re:Question about Apple machines by asjk · · Score: 2

    As of the last update for desktop OS there is an option to skip creation of or loggin into one's Apple account. I'm going to say it's not required. Additionally you should be able to use the Apple Mail and Messages apps without an Apple account.

  5. Re:Question about Apple machines by Andreas+Mayer · · Score: 2

    If I buy an Apple laptop or desktop, must I create an Apple account to use my machine?

    No, you don't have to.

    Can I not simply buy it, create an admin account and user account and go to work?

    Yes, you can.

    That said, there is support built into the system for several of Apple's services. And since the account itself doesn't cost you anything and you get some entry level services for free, there's really not much reason to not create one.

  6. Re:Question about Apple machines by nine-times · · Score: 5, Informative

    You aren't required to have an Apple account, but you'll probably want to. Having an Apple ID allows you to do a cloud backup of any iOS devices you might get. It allows you to access the app stores for both MacOS and iOS. It lets you use "Find my Mac" to track or remote-wipe your computer if you lose it, and "Back to my Mac", which gives you file sharing and remote screen access to your other Macs without needing a VPN, if you have multiple of them, even if they're behind a firewall. If you want to buy anything from iTunes, you'll need an Apple ID. It's even the sign-on if you want to order anything directly from Apple's website. If you want to anything that connects to Apple, you'll want an Apple ID.

    That doesn't mean you need to get one. You don't need to link it to your local sign-on. You don't even need to use Apple's domain (e.g. you can have the Apple ID use a Gmail address or whatever) unless you want to get a free email account with it.

    It's ultimately not that onerous. They don't try to railroad you into to the degree that Microsoft does.

  7. Re: Question about Apple machines by jerk · · Score: 4, Insightful

    You're an AC that works at Teleperformance or some other call center, and you think you know what you're talking about. No Apple ID is required to create an account on a Mac or to download updates.

    Update (iOS and MacOS) are available here, no App Store required.

    As he stated, you do need an Apple ID for the App Store and iCloud features.

  8. Incorrect, sir .... by King_TJ · · Score: 2

    Apple's App Store will still allow downloading the security and OS updates without you being signed in with a particular iCloud user account. You just need that for anything else you want to download.

  9. Re:"Two-factor authentication" by kqs · · Score: 2

    Is usually a codeword for "we want to know your cellphone number so we can track who you are".

    People often have a bank account and personal ID associated with their cellphone number.

    I hear this a lot, and it's generally proof that the speaker is a total idiot.

    Big online companies want your cellphone number so that when you forget your password, or when your account is taken by someone else, the big online company has a fighting chance of restoring the account to the correct person. If you don't use 2FA and you don't give Apple/Google/Facebook some secure-ish way to contact you, then you are SOL.

    Sadly, with the various cell-stealing methods this is becoming less useful, but it's still better than almost any other recovery method for 99% of the people out there.

    And yeah, I know, you're too smart, nobody will ever steal your account, blah blah blah. The support forums are full of similar geniuses who are SO MAD that incompetent Apple/Google/Facebook cannot restore their stolen account. I've worked in computer security, and I know I'm not immune. Hackers can fail 99.99% of the time, but I just need to fail once for my digital life to be miserable.

  10. Re:"Two-factor authentication" by gl4ss · · Score: 2

    hehe.. big?

    it's not only big companies that do this now.

    some companies require a number to get an authentication code to start using something, like a trial of sw or whatever. ..then you get a sales call. then you get another sales call. thanks to skypeout you'll get them no matter what country.

    also, maybe news for you, but I have had more cases to help where they have LOST access to a sim/phonenumber and cannot retrieve account because of that.

    (following applies to if phone number is used as a trusted, required, thing in the chain)

    instead of having one thing to lose you now have two things and another one of those is a physical tangible item you need to carry around with you everywhere. plenty of times(3rd world) you cannot get another sim with your old number. so if you lose that it's bye bye account...

    --
    world was created 5 seconds before this post as it is.
  11. Not just for iOS/High Sierra. Anything non-Apple. by SeaFox · · Score: 3, Informative

    I got an email a few weeks back from Apple, too. Emphasis mine.

    Dear (SeaFox),

    Beginning on June 15, app-specific passwords will be required to access your iCloud data using thirdparty apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts, and calendar services not provided by Apple.

    If you are already signed in to a thirdparty app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.

    To generate an app-specific password, turn on two-factor authentication for your Apple ID and then follow the instructions below:

      Sign in to your Apple ID account page (https://appleid.apple.com)
      Go to App-Specific Passwords under Security
      Click Generate Password

    For more information, read Using App-Specific Passwords. If you need additional help, visit Apple Support.

    Apple Support

    So now I have to set up a separate email password for my main computer (which is Windows 8.1, using Thunderbird), my email client on my Android phone, the address book app on my phone (which syncs to iCloud), the Calendar app (which also syncs to iCloud) -- maybe another one because I have a Thunderbird install on my tablet (Win 8.1), oh, and my Thunderbird install on my actual Apple laptop.

    That's six fucking passwords I have to generate for what I could do with just one before, just because I don't want to sync my contacts and calendaring data through a provider that will definitely be data-mining my info.

  12. Misleading advertising by WaffleMonster · · Score: 2

    I wish vendors would cease false 2FA advertisements because the security claims are unfair and misleading to users.

    Actual multifactor authentication requires two dissimilar factors... generally what you know *AND* what you have.

    What everyone is doing effectively amounts to what you know *OR* what you have. The second factor adds as much security to the system as an obvious password reset question...In other words it isn't additive...it actually reduces effective security of the system.

    The goal has never been security. It's getting people to stop saying "I forgot my password".