Apple Takes First Step Toward 2-Step Verification
Apple this week gave its account holders the option of two-step verification, a valuable feature that should go a long way toward preventing account takeovers.
The bad news is that the feature is available only for iTunes or App Store purchases, not iCloud's constellation of online services, including email and Find My iPhone.
Nevertheless, we recommend that all Apple account holders enable it. Two-step verification would have stopped the epic takeover of Wired writer Mat Honan's Apple and Google accounts last summer, and would have also ended the slow but steady epidemic of Apple account takeovers.
So far, Apple two-step verification is available only in five major English-speaking countries: Australia, Britain, Ireland, New Zealand and the United States. Canada is not included, possibly because many Canadians speak French instead.
Apple made no announcement about the addition of the feature. The news was broken yesterday (March 21) by the 9to5Mac blog.
How it works
With two-step verification enabled, anyone signing in to an Apple ID from a "new" computer or mobile device will need to enter both the account password and a four-digit one-time code.
The one-time code is sent by Apple to a registered "trusted device," which can be a mobile phone, an iPad or an iPod touch.
Mobile phones can receive verification codes via text message. Alternatively, Apple's own iOS devices, not all of which have cellular connectivity, can receive the codes through the Find My iPhone app.
Once you've completed the process on a specific device, such as a desktop, laptop or phone, that device counts as trusted and you shouldn't have to enter a code on it again.
You can enable two-step verification by going to the Apple ID website, clicking on "Manage your Apple ID" and signing in.
From there, answer your security questions, select "Two-Step Verification" and follow the instructions.
You'll also get a 14-character "Recovery Key" which, as Apple says on its support page, "you can use to access your account if you ever forget your password or lose your device."
There's one big drawback: if you both forget your password and lose your Recovery Key, you're locked out of your account permanently, because the Recovery Key is the only fallback Apple provides.
Only halfway there
This is a good security move by Apple, but the fact that Apple isn't bringing iCloud under the umbrella of two-step verification raises some questions about how well this procedure was thought through.
First, doing two-step verification only halfway leaves some open holes.
If the Find My iPhone app is set up by the user to receive verification codes, but is not itself (as part of iCloud) protected by two-step verification, then it might be possible for an attacker to circumvent two-step verification entirely.
An attacker would only need to know, guess or crack the Apple account password: with it, he could sign in to Find My iPhone on a device he controls and have the verification codes delivered there. Once that was achieved, full account takeover should be possible. The lesson is general: the channel that delivers the second factor must itself be protected by the second factor, or the whole scheme collapses to a password.
Second, Apple email accounts will still be vulnerable to hijackers using guessed or cracked passwords. Email account hijacks aren't as financially damaging as iTunes account takeovers, but can be annoying or distressing, as many Yahoo Mail users can attest.
A survey released yesterday by the Boston market-research firm Strategy Analytics found that iCloud was the most widely used cloud-storage service in the U.S., with a market penetration of 27 percent of American Web users.
Presumably, most of those people simply have iPhones and don't think of their iCloud account as a storage service.
Third, the one-time verification codes sent by Apple may be too short. Apple uses only four digits, which means 10,000 possible codes. Enumerating them offline is trivial; what stands between an attacker who already has the password and the account is the number of guesses Apple accepts before voiding the code.
Apple will probably lock users out temporarily after too many unsuccessful attempts, but that protection is only as strong as the limit itself: it has to be counted per issued code, and requesting a fresh code must not reset the attacker's budget. Dogged attackers have found ways around such limits before.
By contrast, Google's one-time verification codes have six digits. With a million possibilities, they're a hundred times tougher to guess under the same attempt cap. Far better would be a combination of letters and numbers: six such characters give more than 2 billion possible codes.
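To make this concrete, here is a small Python model of the flow described under "How it works" and of the two weaknesses discussed above (a code-delivery channel guarded only by the password, and the size of the code space against a per-code attempt cap). It is an illustration added for this article, not Apple's code; the account data, device names, the 10-guess cap, the 10-minute code lifetime and the attacker's device names are all assumed values chosen for the example.

```python
"""Toy model of a two-step verification (2SV) login: password, then a
one-time code delivered to registered receiver devices, with a device that
passes the step once remembered as trusted.  Added illustration, not Apple's
code; account data, device names, attempt cap and lifetime are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 10        # assumed: wrong guesses tolerated per issued code
CODE_TTL_SECONDS = 600   # assumed: how long an issued code stays valid


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Account:
    password: str
    trusted_devices: set = field(default_factory=set)  # passed 2SV once already
    code_receivers: set = field(default_factory=set)   # devices the codes go to
    pending: dict = field(default_factory=dict)        # logging-in device -> PendingCode
    outbox: list = field(default_factory=list)         # (receiver device, code) "sent"


def issue_code(account, device, now, digits=4):
    """Mint a random numeric code for `device` and 'send' it to every receiver."""
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    account.pending[device] = PendingCode(code, now)
    for receiver in account.code_receivers:
        account.outbox.append((receiver, code))
    return code


def login(account, password, device, now, code=None):
    """One login attempt from `device` at time `now` (seconds).  Returns
    'bad_password', 'need_code', 'bad_code', 'locked' or 'ok'."""
    if not hmac.compare_digest(password, account.password):
        return 'bad_password'
    if device in account.trusted_devices:
        return 'ok'                      # known device: no code needed
    pending = account.pending.get(device)
    if pending is None:
        issue_code(account, device, now)
    if pending is None or code is None:
        return 'need_code'
    if now - pending.issued_at > CODE_TTL_SECONDS:
        del account.pending[device]
        return 'locked'                  # expired; a new login mints a new code
    pending.attempts += 1
    if hmac.compare_digest(code, pending.code):
        del account.pending[device]
        account.trusted_devices.add(device)
        return 'ok'
    if pending.attempts >= MAX_ATTEMPTS:
        del account.pending[device]
        return 'locked'                  # cap hit: this code is void, not delayed
    return 'bad_code'


def guess_success_probability(digits, attempts=MAX_ATTEMPTS):
    """Odds that someone who already holds the password guesses a `digits`-digit
    code before the cap voids it: 10/10**4 is 0.1%, 10/10**6 is 0.001%."""
    return min(1.0, attempts / 10 ** digits)


def brute_force(account, password, device, now, digits=4):
    """Guess codes in order; returns the verifier's final answer and guesses used."""
    login(account, password, device, now)          # make sure a code is pending
    for guess in range(10 ** digits):
        result = login(account, password, device, now, f"{guess:0{digits}d}")
        if result != 'bad_code':
            return result, guess + 1
    return 'bad_code', 10 ** digits


def register_receiver(account, password, new_device, from_device, require_2sv):
    """Add a code-receiving device.  With require_2sv=False only the password is
    checked (the gap the article describes when Find My iPhone sits outside
    2SV); with True the request must come from a device that passed 2SV."""
    if not hmac.compare_digest(password, account.password):
        return False
    if require_2sv and from_device not in account.trusted_devices:
        return False
    account.code_receivers.add(new_device)
    return True


def attacker_with_password(account, password, now, require_2sv):
    """Password-only attacker: register own device as a receiver, log in from a
    new device, read the code 'sent' to the attacker's device, finish login."""
    if not register_receiver(account, password, 'attacker-phone', 'attacker-phone', require_2sv):
        return 'blocked'
    login(account, password, 'attacker-laptop', now)       # triggers a code
    codes = [c for dev, c in account.outbox if dev == 'attacker-phone']
    return login(account, password, 'attacker-laptop', now, codes[-1])
```

Two things worth noticing when you run it. The brute-force helper never gets further than MAX_ATTEMPTS guesses, so the attacker's odds against a 4-digit code are guess_success_probability(4), one in a thousand, and against a 6-digit code one in a hundred thousand; the cap, not the code length alone, is what makes either number small. And attacker_with_password succeeds outright when receiver registration checks only the password, exactly the situation the article describes for Find My iPhone, but is blocked once registering a receiver itself requires a trusted device.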
Catching up with the competition
Apple's move is also somewhat overdue. Google, Facebook and Yahoo have had text-message-based two-step verification available for some time. (Yahoo offers it only for its email services.) Other online services, including Dropbox, instead accept codes generated on the phone by an authenticator app such as Google Authenticator, which needs no text message at all.
Among large online service providers, Twitter is still the big holdout, though it recently put out a want ad for a two-step authentication expert.
Twitter account takeovers are rampant, both because of lousy user passwords and because of the way Twitter uses the OAuth standard: a third-party app that a user authorizes is handed a long-lived access token that works without the user's password, so the account is only as safe as every app that holds one.
Here's hoping Twitter enables the feature soon — and that Apple extends two-step protection to all its online services.