Apple’s two-step verification has a good security backup
I was quite excited when I awoke this morning to find news that Apple has released 2 Factor authentication for Apple ID. Apple seems to have done a good thing and built this into a “trusted device” upon which you use a feature in the Find My iPhone app, or receive an SMS each time you try to log in. Sounds like a great approach, and it doesn’t surprise me that Apple chose not to use the Google Authenticator.
Following the attempted hack on Evernote, I made a determination that any online service I use for personal/private/confidential “stuff” should support 2 factor authentication. Heck, if Facebook could do it, what was stopping Evernote and Apple? Very quickly App.net rolled out 2 factor support, and today was Apple’s turn. This was all part of my (perhaps peremptory) decision to return to Google, something that following this and the GReader debacle I am quickly reconsidering.
I went to the Apple ID site to set up two-step verification, and immediately was asked to answer security questions. It’s been a while, and for some reason I didn’t record these in 1Password. Having had more than 1 best pal at school, I went for the backup plan, and had a password reset sent out to my alternate email address.
Of course, I set up new security questions, and then went in and changed my alternate email address to one that is not linked or forwarding to any other email address I have. I took the opportunity to really tighten the hatches.
Next I went back to complete the setup of the two-step verification process, and almost immediately received a block telling me to wait three days. They also mass emailed every linked email address I had.
I guess that I had just changed a lot of security settings, and this raised an alarm at Apple that perhaps I might be hacking, and potentially locking someone else out from their account, a la the Mat Honan saga. So I think that Apple has paid a good bit of attention to the process to ensure that unintended consequences are minimised. Three days gives plenty of time for a real owner to get an email and intervene if necessary.
So at this stage I can’t provide a full review, but one thing that I noted from Katie Floyd’s post is that the two-step verification doesn’t (yet) support iCloud services, such as Documents, Calendar, email, etc. I assume (hope) these will come shortly, but will require a lot of apps to be updated. Today’s initial release was a good test for Apple, as the only app that needed to be updated was Find My iPhone.
Don’t forget to check out my list of web services that support 2 factor authentication.