Agreed — and that app also works in situations where you can't get an SMS.

I know, 99.9% of the time you need to deal with verifying your Apple ID, you're going to have SMS access

Really? I have SMS access 0% of the time, since I don't own any mobile devices. I guess that leaves me S.O.L. My partner's "device" has SMS access about 1% of the time, because there's no coverage where we live. So I guess she's out too.

If they supported SMS to Google Voice numbers we'd have a chance at making use of this, but the FAQ claims no support for VOIP.
 
Apple is beefing up its security.... Hinting the fingerprint scanning feature on the iPhone 5S?
 
So once again, I ask: Does the Google Authenticator app store your password for use of being passed to the site, or does the password have to be entered in each and every time in addition to this code that it supposedly gives out?

Again, for the millionth time... The Google Authenticator doesn't store, transmit, or do anything with any data. All it does is provide expiring codes on a rolling basis. It does not authenticate the user for anything.
 
UGH! Why in the world would I want to make it MORE difficult for myself? Less security, NOT more, please Apple!

Then don't use this totally optional step.

It was created for folks that are of the opposite opinion.

----------

Hmm...I'd still like to see Apple giving us the option to consolidate/merge multiple Apple ID accounts. Or is that now completely off the table?

There are legal issues and mechanics to work out. Based on recent patent discoveries they are looking into the issue.

----------

I was referring to icloud.com logins.

And those are Apple IDs.

Any combo of an email and password you have used to log into an Apple-run system, iCloud included, is an Apple ID.

----------

Apple is beefing up its security.... Hinting the fingerprint scanning feature on the iPhone 5S?

Or it's just 'hinting' that they are adding security options. Nothing more or less.
 
I don't care about your career claims, they are unsubstantiated.

Whatever floats your boat. I tried offering some of my qualifications to show that I know what I am talking about. But if you don't like it, again, your problem. I'm not going to do something outlandish like post my resume to justify myself to you. To be frank, you don't deserve such justification.

I have made two posts.
1. Outlined how Two Factor works.
2. Provided reference material for you to learn how Google's Two Factor Authentication works.

And I have outlined how I have implemented it in an enterprise environment, using trusted controls and AES ciphers, ranging from SHA256 up to and including Twofish, Blowfish, and others.

You don't like it? That's on you, not me. If you don't understand the difference between consumer and enterprise, that again, is your problem.

And now, 3. defend my goal here of being helpful. Take it or leave it. I'm done.

Buh-bye.

BL.
 
Very good security

This is good..... Too Good.....

"You must wait 3 days to enable two-step verification.
This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification. A notification email will be sent to all addresses we have on file. Thank you for your patience.

Please come back after 05:53 AM on March 25, 2013 (GMT) to continue setup."

It's better than Gmail at least. ...... oh well..
 
It's a shame they can't use the same authentication that I use on Google, Dropbox, Facebook, and Lastpass. The Google Authenticator app works for all of these sites...

Is Facebook working with Google Authenticator? I never knew that! How do I set it up?
 
By all means. Show and prove me wrong about implementing two-factor authentication using SHA512, or AES encryption with certificate-based authentication.

I know what I do and do for a living each and every day, and I'll back myself by it each and every time. But so far this thread, you've done nothing but criticize/condemn/complain. If that is all you're going to do, then IMHO, you have no credibility to show to me that I know otherwise.

EDIT: It's obvious to me that you haven't realized how I've set this up for an enterprise environment, where you are thinking of this from a consumer perspective, as Negritude mentioned.

BL.

Do you know that it is irrelevant what you have deployed when the point is that you don't know how Google 2-pass authentication works and you don't want to know how it works?

You're only assuming and you're totally wrong about it.
 
Do you know that it is irrelevant what you have deployed when the point is that you don't know how Google 2-pass authentication works and you don't want to know how it works?

You're only assuming and you're totally wrong about it.

I never indicated that I know how authenticator works. I only showed how I implemented TFA in a PCI/DSS environment.

I asked how it worked, and got my answer. And as mentioned before, implementation in enterprise is different.

All due respect, you're behind. Keep up with the thread.

BL.
 
I asked how it worked, and got my answer. And as mentioned before, implementation in enterprise is different.

Here's how it works. You activate the 2-way auth scheme and Google will show you a key that you need to register in the authenticator tool (manually or by scanning a QR code that is also shown). Based on time/counter and the key you registered, the tool will show you a one-time key that you need to enter when you log in, after you type your own password.

Google uses the RFC 4226 and RFC 6238 standards for its 2-way auth scheme. Since it follows a standard (and the tool supports multiple accounts), any site that uses the same standard for its 2-way auth can make use of the tool as well. Each site will have its own key, so the one-time keys for each site are always different.

You can check the tool yourself here: http://code.google.com/p/google-authenticator/

Since this scheme requires 2 steps for authentication, for applications that only support regular auth (e.g. email, xmpp/gtalk clients, etc.), we need to generate a special password for each of these (application-specific password). That way, you won't risk giving your actual password to them. http://support.google.com/accounts/bin/answer.py?hl=en&answer=185833
 
Apple is beefing up its security.... Hinting the fingerprint scanning feature on the iPhone 5S?

What makes you think that fingerprint scanning is safe?

With the four digit key code, a thief must spend many hours to crack the code (and it's easy to use a five, six or 20 digit key code on iOS devices). With a fingerprint scanner, the thief just needs two dozen friends who each try until someone succeeds.

----------

Are terrorists going to purchase rap on my iTunes account? What nonsense.

Actually... People who want money think of ways to get it. Terrorists just as much as ordinary crooks. One potential way to get money is to put an app (or an album of rap songs) on the App Store, then hack into people's accounts, make them purchase the app or the music, Apple sends the money out, and hopefully (for the criminal) by the time this is discovered, they are gone with the money.

Think about it: How else could a criminal move money from your iTunes account into their account? Only Apple can move the money, so they have to do something that convinces Apple to do so. And hacking into your account is probably a lot easier than hacking into Apple's servers.
 
Hmm...I'd still like to see Apple giving us the option to consolidate/merge multiple Apple ID accounts. Or is that now completely off the table?
I'm guessing it is off the table. A great number of people likely have multiple accounts so they can buy from different App store regions. Combining the accounts provides an Apple backed way to get around their own region restrictions. They may as well remove pricing barriers in the App Store and the need for many to have multiple accounts will go away...but that seems unlikely to me as content providers would have a fit.

----------

Has anyone actually used this ?

I can't .... Firstly the phone number field is just an (area code) + 9-digit phone field.

This is too short for mobile numbers. And mobile numbers don't care about area codes anyway.

If it helps, I'm Australia based. If your mobile number like mine is of the form "04 XXXX XXXX", then in the area code enter "4". I tried it as '04' and had no success, but dropping the '0' worked. The trailing 8 digits are then the number.

Not the first time I've hit a service that doesn't accept the "04", often you end up with "4XXXXXXXX" or "+614XXXXXXXX"
 
I never indicated that I know how authenticator works. I only showed how I implemented TFA in a PCI/DSS environment.

I asked how it worked, and got my answer. And as mentioned before, implementation in enterprise is different.

All due respect, you're behind. Keep up with the thread.

BL.

What does your unique TFA implementation have to do with what everyone else is talking about?

Yes, two-factor authentication tied to an SSO credential becomes a 'master key', but only in such an environment (i.e. the one of your implementation, as opposed to consumer uses). So your attitude is really off the wall and your points are misplaced.


Are they actually only using 4-digit codes?
 
Are you saying that this system by Apple is ONLY authenticated by SMS, so when they say "device" they really just mean only iPhone?
Looks like I was mistaken about this, as some other commenters have pointed out. You can also get an authentication code without SMS, sent directly to your iPhone. I guess it's a kind of push notification? If that's the case, you would only need some kind of Internet access on your iPhone. Which presumably you would have if you're trying to do stuff on the Internet in the first place.

They do also give you the option of adding other SMS-capable devices for verification. So, if you have lost your iPhone, but have access to, say, your wife's phone that you have registered, you can still get the code that way.
 
So once again, I ask: Does the Google Authenticator app store your password for use of being passed to the site, or does the password have to be entered in each and every time in addition to this code that it supposedly gives out? If it stores the password and passes it on your behalf after the code is entered, you have a problem if the app gets compromised. If it doesn't, then you don't. It all boils down to how the password is kept and passed, which I mentioned that I do not know how that part of that app works.

The answer to your question is, "No."

The Google Authenticator app does nothing more than present your one-time code to you so you can key it in to the login page. It never has access to your password in the first place.

When third-party sites utilize Google's account verification, the third-party site doesn't actually see your Google login information, either. That's sent between the user's device and Google's servers over a secure connection. The third party simply gets an encoded verification of whether the particular login attempt succeeded or failed that they use to determine whether to let you in or not.
 
Looks like this process may be forced sooner rather than later:

From The Verge:
"Apple yesterday rolled out two-step verification, a security measure that promises to further shield Apple ID and iCloud accounts from being hijacked. Unfortunately, today a new exploit has been discovered that affects all customers who haven't yet enabled the new feature. It allows anyone with your email address and date of birth to reset your password — using Apple's own tools. We've been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page. It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand. Out of security concerns, we will not be linking to the website in question. We've reached out to Apple and will update this post accordingly upon the company's reply."
 
I cannot find the two-step verification process option in my account. Does anyone know why?
 
The two step thinger forces me to have a capital letter. Annoying while purchasing stuff.
 