Apple steps up security with native two-factor and 6-digit passcodes in iOS 9

Nestled in the middle of the iOS 9 announcements were two security-related bumps: Apple now suggests you set a six-digit passcode instead of a four-digit one, and two-factor authentication becomes a built-in part of iOS (and OS X) rather than an afterthought.

Orders of magnitude harder

The first change is easier to explain. A truly random six-digit code (that is, not a pattern like "111111" or "123456") is up to 100 times harder to crack than a random four-digit one. While trying all 10,000 four-digit codes on an iOS device sounds impractical, a set of researchers recently exploited a power-off issue in iOS devices to build an automated four-digit cracking system. Breaking the code takes from 6 seconds to 17 hours, they say.

The new passcode prompt is for six characters. For newer iOS devices with Touch ID, the majority of what Apple now sells, one has to enter a passcode only occasionally if fingerprint recognition is enabled. Apple does let people backslide. Tap Passcode Options, and you can pick the older 4-Digit Numeric Code. Most people never tap for options, however.

If the same cracking routine worked against a new version of iOS, the time to crack would range from 6 seconds to ... nearly seven months.
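The "truly random" qualifier above matters as much as the length: a six-digit code drawn from a pattern is no harder to guess than a four-digit one. The following added example (not Apple's code, and not the researchers' tool) shows the keyspace arithmetic alongside a checker that flags the kinds of patterns a guessing attack tries first: repeated digits, repeated blocks, ascending or descending runs, date-shaped codes, and a small constructed list of well-known weak codes. The list of common codes and the date heuristics are assumptions made for this illustration.

```python
"""Passcode keyspace and weak-pattern check. Added example; not Apple's code."""

# Constructed sample of codes a guessing attack would try first. Not a real
# frequency list; a deployment would use published leaked-PIN statistics.
COMMON_CODES = {"0000", "1234", "1111", "2580", "000000", "123456", "111111", "123123"}


def keyspace(length: int) -> int:
    """Number of distinct all-numeric passcodes of the given length (10^n)."""
    return 10 ** length


def is_sequential(code: str) -> bool:
    """True for a strict +1 or -1 run across every digit, e.g. 1234 or 654321."""
    diffs = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return diffs in ({1}, {-1})


def is_repeated_block(code: str) -> bool:
    """True when the code is one block repeated, e.g. 1111, 1212 or 123123."""
    n = len(code)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and code == code[:size] * (n // size):
            return True
    return False


def looks_like_date(code: str) -> bool:
    """Heuristic (assumed): MMDD / DDMM for four digits, MMDDYY / DDMMYY for six."""
    a, b = int(code[:2]), int(code[2:4])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)


def weak_reasons(code: str) -> list:
    """Return every reason the code is weak; an empty list means no pattern found."""
    if not code.isdigit() or len(code) not in (4, 6):
        return ["must be exactly 4 or 6 digits"]
    reasons = []
    if code in COMMON_CODES:
        reasons.append("on the common-code list")
    if is_repeated_block(code):
        reasons.append("repeated digit or block")
    if is_sequential(code):
        reasons.append("ascending or descending run")
    if looks_like_date(code):
        reasons.append("looks like a date")
    return reasons


def is_strong(code: str) -> bool:
    return not weak_reasons(code)


if __name__ == "__main__":
    print("6-digit / 4-digit keyspace ratio:", keyspace(6) // keyspace(4))
    for sample in ("1234", "123456", "111111", "0729", "583046"):
        print(sample, "->", weak_reasons(sample) or "no weak pattern")
```

The keyspace ratio is exactly the "100 times harder" figure in the text; the checker is the piece that keeps a user from throwing that factor away by choosing "123456".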

Factor that into your experience

Apple added two-step verification to some kinds of accounts in March 2013, and extended it to additional services, including iCloud, over the next 18 months. Right now, Apple relies on notifications and the Find My iPhone conduit to provide users a four-digit token to enter to confirm they're legitimate. And two steps aren't required everywhere. I can still log into my developer account with just my Apple ID and no second check of identity.

Apple clearly aims to step up its game by integrating two-factor authentication into iOS 9 and OS X 10.11 El Capitan, though full details are yet to emerge. Apple confirmed that El Capitan will also feature integrated two-factor support. (Note that Apple said "two-factor," not "two-step"; that might be a tiny bit significant.)

In the new system, it looks like more sophisticated options will be used. In a screen capture on the iOS 9 preview page, a user is prompted on an iPad to tap Don't Allow or Allow when an Apple ID login is being attempted from another device. The inset modal dialog box not only tells the user the requesting device name and account, but also the device's location on a map.

Making it more straightforward, graphical, and informative could prompt more people to adopt it than the current method does. A similar improvement was made a few releases ago in OS X and iOS for pairing Bluetooth devices. Rather than typing a code displayed on one device into the other, a user needs only to confirm that both devices show the same code.

Two-step systems aren't a panacea for all security breaches. Rather, they deter phishing, in which someone is fooled into giving up a password. The password and the second factor are each useless by themselves: gain one and the other is still required. They also help when passwords are stolen from other sites where people re-use the same credentials, that is, the same email address and password across multiple sites. A second step typically shifts the point of attack from the whole world to physical proximity, reducing exposure both in the means available and in the likelihood of attack.

Apple has consistently used the term "two-step verification" until now, because its system didn't require that the code be sent to a device other than the one you were using. A code can be sent via SMS to any number as well as to any registered iOS device, but not to any OS X device. SMS isn't precisely secure, and because of SMS forwarding with Continuity starting in Yosemite and iOS 8.1, you might log in on a computer on which a confirming token sent via SMS appears onscreen. (I wrote about this in depth in an October 2014 Private I column.)

Two-factor authentication includes the benefit of two-step verification, deterring remote-only attacks. But it also helps with ones in which someone has physical proximity to equipment or devices. To qualify as separate factors, an element like a password (something you know), a phone (something you own), or a biometric measurement (something you are) shouldn't be stored together or accessible in the same way. If someone gains access to one thing--hopefully not your fingertip!--they can't access the others, too.
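To make the "gain one and the other is still required" property and the Allow/Don't Allow prompt described above concrete, here is an added example of a minimal server-side second-factor flow. It is not Apple's code or protocol: the account name, device names, location string, six-digit code format, two-minute code lifetime and three-guess budget are all assumptions made for the illustration. Factor one is a password check; factor two is a short one-time code that only a registered (trusted) device may answer, shown together with the requesting device's name and location so the user can decide whether to allow the login. A stolen or reused password alone gets the attacker as far as a prompt on the victim's own device and no further.

```python
"""Minimal two-factor login flow. Added example; not Apple's code or protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL = 120          # seconds a one-time code stays valid (assumed value)
MAX_CODE_ATTEMPTS = 3   # wrong guesses allowed per challenge (assumed value)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    trusted_devices: set = field(default_factory=set)


@dataclass
class Challenge:
    apple_id: str
    code: str
    expires_at: float
    attempts: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not hand over factor one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorService:
    def __init__(self):
        self.accounts = {}      # apple_id -> Account
        self.challenges = {}    # challenge_id -> Challenge

    def register(self, apple_id, password, trusted_devices):
        salt = secrets.token_bytes(16)
        self.accounts[apple_id] = Account(salt, hash_password(password, salt),
                                          set(trusted_devices))

    def begin_login(self, apple_id, password, requesting_device, location, now):
        """Factor one. Returns (challenge_id, prompt, code) or None on a bad password."""
        acct = self.accounts.get(apple_id)
        if acct is None:
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return None
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10 ** 6):06d}"   # random six-digit one-time code
        self.challenges[challenge_id] = Challenge(apple_id, code, now + CODE_TTL)
        prompt = (f"{apple_id} is signing in from '{requesting_device}' near "
                  f"{location}. Allow or Don't Allow?")
        # In a real deployment the prompt and code are pushed only to the trusted
        # devices; returning the code here stands in for that delivery so the flow
        # can be exercised offline.
        return challenge_id, prompt, code

    def complete_login(self, challenge_id, approving_device, code, now):
        """Factor two: the right code, from a trusted device, before expiry,
        within the guess budget, and each challenge is usable exactly once."""
        ch = self.challenges.get(challenge_id)
        if ch is None:
            return False
        if now > ch.expires_at:
            self.challenges.pop(challenge_id)
            return False
        if approving_device not in self.accounts[ch.apple_id].trusted_devices:
            return False            # password thief's own device cannot answer
        ch.attempts += 1
        if not hmac.compare_digest(code, ch.code):
            if ch.attempts >= MAX_CODE_ATTEMPTS:
                self.challenges.pop(challenge_id)   # budget spent; start over
            return False
        self.challenges.pop(challenge_id)           # single use
        return True


if __name__ == "__main__":
    svc = TwoFactorService()
    svc.register("user@example.com", "correct horse battery", ["iPad"])
    cid, prompt, code = svc.begin_login("user@example.com", "correct horse battery",
                                        "MacBook", "Seattle, WA", now=0.0)
    print(prompt)
    print("approved from untrusted phone:", svc.complete_login(cid, "phone", code, 1.0))
    print("approved from trusted iPad:   ", svc.complete_login(cid, "iPad", code, 1.0))
```

The design choices map onto the article's points: the code is random rather than derived from the password, so holding one factor says nothing about the other; the trusted-device check is what turns "something you know" plus "something you own" into two genuinely separate factors; and expiry, a guess budget and single use keep a four- or six-digit code from being brute-forced the way a device passcode can be.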

On its iOS 9 preview page, Apple shows both what appears to be its new method, described above, and an iPhone screen on which a six-digit code has to be entered (also up from today's four digits). Its text description explains neither the new method nor why Apple picked a new term. We should start learning more about this soon, but it's a good sign.

Any improvement in two-step or two-factor identity proofs that increases the number of people who enable them makes those people less susceptible to exploitation, identity theft, and worse.

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place