And your point? You need your password and the time based code from the authenticator app to authenticate. The authentication is done on Google's servers not the 3rd party app. Time based rolling codes have been the standard for many years as it is very hard to break. And Google provides you with an interface for removing authentication for any app you give access to.

Bold for emphasis.

That is the problem. If your Google authentication is compromised, your other accounts at Lastpass, Dropbox, etc. are all susceptible to being compromised. The more that is added that the app could do, the more that could also be compromised. So in this case, grabbing one single password leaves you open for compromise and identity theft for each and every site you visit that you use this app on.

That's a huge risk.

BL.
 
Bold for emphasis.

That is the problem. If your Google authentication is compromised, your other accounts at Lastpass, Dropbox, etc. are all susceptible to being compromised.

Simply not true. If you compromise the authenticator app, you would still need your password to gain access to those apps again. Do you even know what the app does? All it does is show time-based codes. It does absolutely nothing else. I'm very confused about what you are talking about. If time-based authentication is not secure, then 2-factor authentication is completely insecure, because companies have been using this method for more than 10 years.
 
Nothing more productive than being pre annoyed by a possible future. Google is still optional on two step verification.

LOL at "pre annoyed." That kind of thinking is exactly what my old maid aunt would say, bless her lonely soul. She would get SO annoyed that the future would rain havoc on us because of _________ (you fill in the blanks). Her favorite preamble to her doomsday rant was: "You just wait, you'll see!" I can't even imagine her reaction to this, if she actually used a computer.
 
Agreed — and that app also works in situations where you can't get an SMS.

I know, 99.9% of the time you need to deal with verifying your Apple ID, you're going to have SMS access — but there are conceivable situations where you wouldn't, like travelling overseas or where cell service isn't available. I guess you have to fall back on that backup code in that case?

I really do think that Authenticator app (or the Apple-supplied equivalent) would have been more convenient here.

For an iPhone or iPad, it doesn't appear to send an SMS unless you specifically request that.

When I tried it, I was given three options to send the code: iPhone, iPad, or SMS to iPhone. If you choose iPhone or iPad, it sends the code to your iOS device, but not via iMessage. It pops up with a notification that doesn't appear to be tied to a specific app. So, if you have access to Wi-Fi instead of cellular, you should be good.

Also, if you don't have access to Wi-Fi, you can save the "Recovery Key" that gets generated when you turn on two-step authentication somewhere handy and use that along with your Apple password to access your account.
 
I know very few people that even use a single verification key. I don't think they'll opt-in for using two of them.
You mean most people you know don't even use a password?

Just for reference, I will be all over this feature as soon as it comes to Canada.

I'd like to make my password easier to type without fear that someone will guess it and remote wipe all my devices.
 
Lot of confusion about Google Authenticator in this thread. It doesn't store anything on Google's servers, it gives you one time codes. You need this code AND your account password to login. Just read the Wikipedia article about it.

It works with other services like Dropbox, Lastpass, Amazon Web Services and Facebook because it is based on some standard method of creating codes. You don't even have to use the official Google Authenticator app; there are several others, like Authenticator for Windows Phone and a version for so-called Java dumb phones.

Someone asked about Facebook and Google Authenticator. They are telling you to use their own code generator, but they are really just using the same method as Google and Dropbox. Just click the help button when you are setting it up and look for a 16-digit code (or something); you type this into Google Authenticator and it will give you one-time codes back. I can confirm this is working. Also, nothing stops you from using several devices with Google Authenticator (or third-party alternatives) as long as you set them up at the same time.

You should of course have auto-lock enabled on your phone if you are using a phone application like Google Authenticator to create codes. And it is still a good idea, even with 2-step activated, to use a password manager to create passwords for most accounts and Diceware for accounts where you have to remember the password.


Too bad Apple did not choose to support Google Authenticator.
 
Can Apple make it any more annoying... geez

What the heck are you talking about? It's optional.

My gmail account (Google apps with a personal domain) was being accessed from numerous countries all around the world. I changed the password several times, and it took no time to have it start up again. I put two-factor authentication in place, and it hasn't happened once since then.
 
Are you saying that this system by Apple is ONLY authenticated by SMS, so when they say "device" they really just mean only iPhone?

Gary
No, Apple gives you two options: either use their Find My iPhone notifications (the Find My iPhone setting must be turned on in iCloud) or use SMS.

You don't have to use SMS, it's one of two options.
 
UGH! Why in the world would I want to make it MORE difficult for myself? Less security, NOT more, please Apple!

I can't wait to see how fast you change your mind after your account is stolen and your credit card or gift card drained, repeatedly.

What happens if your trusted device is stolen?

You use your password and recovery key to deauthorize your stolen device and authorize your new one.

The authentication is done on Google's servers not the 3rd party app.

Thus if someone steals all the stuff required to get into your google account, they also get into your Facebook account (etc.). But they still can't get into your Apple account.
 
As long as it's not like Google's ridiculous mess that nags you about 1/3 of the time you log in to give them your phone number and stuff, I'm fine. It had better get out of my way when I say "no" the first time.

Oh yeah, and Google's code verification thing doesn't even work every time. RIP, 2 accounts with names that I wanted that got locked forever and took up the names. It's like Google has hired the system design team from AOL or something.

----------

What the heck are you talking about? It's optional.

My gmail account (Google apps with a personal domain) was being accessed from numerous countries all around the world. I changed the password several times, and it took no time to have it start up again. I put two-factor authentication in place, and it hasn't happened once since then.

It's weird that anyone got into a GOOGLE account. Did you put a really bad password? 100% of the time I've been attacked by the Google security team accusing me of being a hacker, not by hackers.
 
Finally!!

At long last. I was sending feedback to Apple regarding this for a while...

This may have helped Matt Honan, but it's good to see Apple is finally using their 'brain' for once to increase security.

Better late than none at all.. :)

I'm just glad .... Everyone, go and switch this on

Besides, for those of you who are using simple passwords, I hate to say this, but you deserve to get hacked .... It will teach you a lesson about using more secure passwords ..... :) Better coming from me now than finding out the hard way later on.

I use 2-step on Gmail too, so I welcome this on Apple too.

Now, we'll get the angry users who phone up Apple complaining they have lost their "trusted" device and can't confirm and/or can't access their email on file.
 
Thus if someone steals all the stuff required to get into your google account, they also get into your Facebook account (etc.). But they still can't get into your Apple account.

How are they going to steal "all the stuff" to get into your Google account? Just like Apple, if a trusted device is stolen, you can disable the device and you can disable Google authenticator. If someone is able to steal your device, they still need your password. This is exactly the same as Apple's system. And if it happened with your Apple ID, they could make purchases. So, either way, it is the same issue.
 
Seriously? Google introduces two-step verification and everyone goes gaga.

Apple introduces two-step verification and people complain.

Really sick of the anti-Apple everything happening these days. Sheesh.

If it makes you feel any better, Google's account security causes me massive frustration. It's horrible.

----------

Besides, for those of you who are using simple passwords, I hate to say this, but you deserve to get hacked .... It will teach you a lesson about using more secure passwords ..... :) Better coming from me now than finding out the hard way later on.

I'm still waiting for that lesson. My Google account has always had a simple password that is both a combination of two dictionary words and contains no numbers or capital letters. I've never been hacked, and that account is very old; it was before Google had any restrictions on what a user's password could be. And if I get hacked, the only thing I'll lose is my account with an easy-to-type password.
 
But the problem there is a single point of failure. If the Authenticator app gets compromised, everything you have is compromised. You only have one layer of authentication there, which gets you into everything you have.

That is the problem that Apple has resolved.

Wow. Dumbest comment of the year so far.
 
Simply not true. If you compromise the authenticator app, you would still need your password to gain access to those apps again. Do you even know what the app does?

No, I don't, which is why I asked:

Is Google's two factor auth the same as the Google Authenticator app being talked about above?

All it does is show time based codes. It does absolutely nothing else.

Good to know.

I'm very confused about what you are talking about. If time-based authentication is not secure, then 2-factor authentication is completely insecure, because companies have been using this method for more than 10 years.

Time-based codes still aren't the problem here. In actuality, it's rather irrelevant. It is the use of the app to be able to get the codes that is the problem.

If someone gets your app, not anyone else's, but your app, they could generate codes to get into your accounts, bypassing the two-factor authentication altogether, because they have one of your levels compromised. The second, being the codes, I am assuming would get you logged into the other services. That defeats the purpose of two-factor authentication altogether.

Here is what my job has set up for a particular PCI/DSS-based environment:

  1. We log into our internal network, using Active Directory-based authentication (assume we are physically at our office). This is level 1 of TFA.
  2. To access the PCI/DSS environment, we use a key fob, which holds a SHA512 encrypted cert that is passed to our second-level server, as well as the password to unlock the fob so the cert can be read. That satisfies level 2 of TFA.
  3. Once those two are met, we are able to use the server we connected to as the springboard to connect to the other servers in the PCI/DSS environment. Logins there are local or AD-based, though not listening on any office network-accessible NIC. That makes for 3 sets of authentication, though the first 2 are what passes for true TFA.

Using something that does level 2 for you completely defeats the purpose of TFA, even if time-based, because that software could be compromised (read: copied off, with your information still intact, as far as the app goes).

Wow. Dumbest comment of the year so far.

As a 20-year Unix sysadmin and ISO, I challenge you to prove me wrong.

BL.
 
This is exactly the same as Apple's system..

Nope. Even if someone managed to steal all my Apple credentials, they wouldn't get access to my farcebork or dropbox account. With Authenticator they would get immediate access to all my other accounts tied in.

This is why company B does not allow me to use the security key I have for company A (even though nearly identical devices), nor vice versa.
 
Nope. Even if someone managed to steal all my Apple credentials, they wouldn't get access to my farcebork or dropbox account. With Authenticator they would get immediate access to all my other accounts tied in.

EXACTLY.

This is why company B does not allow me to use the security key I have for company A (even though nearly identical devices), nor vice versa.

Again, this is exactly my point, yet I've been told I've made the 'dumbest comment of the year', by someone who more than likely doesn't know what he is talking about at all.

BL.
 
Using something that does level 2 for you completely defeats the purpose of TFA, even if time-based, because that software could be compromised (read: copied off, with your information still intact, as far as the app goes).

Finally, you are starting to make some coherent sense.

First of all, the use of the Google Authenticator app is entirely optional. Google's 2-factor authentication works with expiring SMS codes sent to a trusted device as well. The app is for convenience and speed, especially when used with multiple accounts.

Second, the assumption that the app on my phone could be copied to another phone or to a virtual environment and still generate codes that would work for my accounts is one I'd need to see evidence for its possibility from a security expert and/or Google. I'm not saying that Google couldn't have missed this, but someone has to have thought of the possibility of the app itself being compromised or moved.

Lastly, it's called 2-factor for a reason. Someone would need to theoretically compromise the authenticator app AND steal your passwords, in order to access any of your accounts. That's a very high barrier to entry for hacking the average person, and would only be worthwhile if say, you wanted to read the emails of General David Petraeus. %-)
 
Nope. Even if someone managed to steal all my Apple credentials, they wouldn't get access to my farcebork or dropbox account.

You mean unless they restore from iCloud using your Apple ID (it's easy to reset the other accounts' passwords since you now have access to your Apple email). I'm sorry, but letting 3rd-party apps authenticate using Google and their 2-factor authentication system is great for me. That way I do not have to trust 3rd parties with my login data. I have zero fear anyone can obtain access to my account.
 