Security experts applaud Apple's new two-factor authentication

Option locks Apple IDs, stymies account hijacking

Apple this week followed the lead of rivals like Facebook, Google and Microsoft, offering two-step authentication to help customers secure their Apple IDs against hacking.

The new feature is designed to block unauthorized changes to iCloud or iTunes accounts, and keep hackers who steal Apple IDs from purchasing digital content or hardware using the credit cards stored in customers' iTunes and Apple Store accounts.

iTunes users in particular have complained for years about security so lax that hackers have easily hijacked their accounts to run up big bills.

Security experts commended Apple, even though the company was slow pulling the trigger.

"Always exciting to see a major consumer-oriented service roll out some sort of two-factor authentication," said Jon Oberheide, co-founder and CTO of Duo Security, a developer of authentication software, in an email. "Rolling your own two-factor definitely isn't a trivial task, both from an upfront engineering cost and continued support and maintenance, despite the perceived ease from an external view."

Two-factor authentication -- sometimes called two-step verification -- is a more demanding method of locking an account than a password-only process. In enterprises, for instance, two-factor relies on hardware tokens that generate passcodes, which are valid for just moments and must be entered along with the usual password.

But Web services don't distribute tokens. Instead, they send a passcode to a mobile phone number the account owner has set earlier. The passcode is typically sent as an SMS (short message service) text.
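The time-limited passcodes described above are usually produced with the TOTP scheme (RFC 6238: HMAC over a time counter, truncated to a few digits), whether the generator is a hardware token, an app, or the server that sends the code by SMS. The following is an added example, not code from the article or from Apple; the 30-second step, 6-digit length and drift window are common defaults chosen here, not any vendor's settings.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Parameters assumed for this example (common RFC 6238 defaults, not a vendor's values).
STEP_SECONDS = 30
DIGITS = 6


def generate_secret(nbytes: int = 20) -> bytes:
    """Random shared secret created once at enrolment and held by both client and server."""
    return secrets.token_bytes(nbytes)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    A code is therefore only valid for the duration of one step (here 30 s)."""
    return hotp(secret, int(at // step))


def verify(secret: bytes, candidate: str, at: float,
           step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps on
    either side to tolerate clock drift. Constant-time comparison avoids leaking which
    digits matched through timing."""
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return True
    return False


if __name__ == "__main__":
    secret = generate_secret()
    now = time.time()
    code = totp(secret, now)
    print("current passcode:", code, "verified:", verify(secret, code, now))
```

In production the server additionally records the last accepted counter so the same code cannot be replayed inside the drift window, and rate-limits failed attempts, since a 6-digit space is small enough to guess if unlimited tries are allowed.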

Apple's optional two-factor authentication uses that same approach, but also will send the passcode to an iOS device -- iPhone or iPad -- via the Find My iPhone app's notification feature. Find My iPhone is normally used to, not surprisingly, help users locate lost, stolen or misplaced devices.

That drew accolades from the experts.

"I'd say [Apple's] is above-average for a consumer-oriented two-factor solution, particularly with respect to leveraging the Find My iPhone mobile application," said Oberheide in an email Friday. "Using a native app for two-factor authentication, like Find My iPhone, is a much better approach than simply relying on SMS, which has a number of security and reliability concerns."

SMS messages, for instance, can be faked, and receiving them requires that the user be in range of their carrier's signal. Find My iPhone, on the other hand, operates independently of the wireless carrier, letting iOS owners get passcodes when all that's available is Wi-Fi, or on tablets like the iPad and iPad Mini that lack cellular connectivity.

Andrew Storms, director of security operations at nCircle Security, had a different thought on Find My iPhone's advantage.

"It has some potential for good contextual awareness authentication," said Storms in an interview via instant messaging. "GPS could be used as the second factor of authentication. Are you really at the home address you already have on file with your iTunes account? If so, Apple could check your iPhone's GPS location to verify."

Apple now offers optional two-factor authentication to lock down iTunes, iCloud and Apple Store accounts.

There's no evidence that Apple is using such an approach, Storms acknowledged, but it could. "They own the infrastructure [for Find My iPhone] on the server side, the client side, the application, and so on," he noted.

Apple also took customer service out of the equation, instead providing a 14-character recovery key for password resets or when the iOS device assigned to receive passcodes has been lost or stolen.

That's important. Last summer, Wired reporter Mat Honan's Apple ID was commandeered when attackers convinced a company support representative to give them access to his account.
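A recovery key of the kind described above only removes the support desk from the loop if it is high-entropy, shown to the user once, stored server-side only as a hash, and burned after a single use. The example below is added here and is not Apple's implementation; the alphabet, the salted PBKDF2 storage and the single-use rule are this example's own assumptions, with only the 14-character length taken from the article.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: upper-case letters and digits without 0/O and 1/I, so a key
# read over the phone or typed from paper is less likely to be mistranscribed.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
KEY_LENGTH = 14          # length stated in the article
PBKDF2_ROUNDS = 100_000  # example value


def generate_recovery_key() -> str:
    """32^14 possibilities, roughly 70 bits of entropy, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))


def normalise(key: str) -> str:
    """Tolerate lower case and any separators the user typed between groups."""
    return "".join(ch for ch in key.upper() if ch in ALPHABET)


def store_recovery_key(key: str) -> dict:
    """The server record holds a salt, a slow hash and a used flag, never the key."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(key).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "used": False}


def redeem_recovery_key(record: dict, presented: str) -> bool:
    """Accept the key once. Comparison is constant-time; a redeemed key is never reusable."""
    if record["used"]:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalise(presented).encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["digest"]):
        record["used"] = True
        return True
    return False


if __name__ == "__main__":
    key = generate_recovery_key()
    record = store_recovery_key(key)
    print("show to user once:", "-".join(key[i:i + 4] for i in range(0, KEY_LENGTH, 4)))
    print("first redeem:", redeem_recovery_key(record, key))
    print("second redeem:", redeem_recovery_key(record, key))
```

After a successful redemption the service should issue a fresh key rather than leaving the account with no recovery path, and failed redemptions should be rate-limited like any other credential check.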

Several other well-known Web services have also recently added optional two-factor authentication to secure their users' accounts, often after their networks were breached.

Dropbox, for example, added two-factor last August after usernames and passwords were stolen from another website, then used to access accounts. Facebook debuted two-factor in 2011. And Evernote, which had to reset 50 million passwords earlier this month after a hack, promised to speed up work on two-factor authentication.

Apple, while not the last major technology company to add two-factor, was certainly not at the forefront. "They seem to be slow to implement all kinds of things that seem so obvious to everyone else," said Storms.

Even so, Storms acknowledged the company's expertise. "Two-factor is two-factor is two-factor. You either implement it correctly or it's not two-factor," said Storms. "What's going to make the difference is how convenient they make it for the end user. And as we know, Apple has a seriously-good history at making good user interfaces. If anyone can make two-factor so friendly that everyone wants to use it, Apple is the one to pull it off."

Apple's move came just in time to give customers a way to protect their accounts from a password-reset hack revealed Friday by The Verge, which had found instructions online that showed how to reset an Apple ID password using only a user's date of birth and the account's associated email address. By day's end, Apple had fixed the vulnerability and restored the iForgot password-reset site.

Apple will roll out two-factor authentication in the U.S., U.K., Australia, Ireland, and New Zealand, then add other countries down the line.

The company has also posted an FAQ with more information about its two-factor authentication.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
