
MonstaMash

macrumors regular
Original poster
Dec 24, 2011
206
82
With iOS 8, we finally can store all of our files and photos on iCloud. I can't wait to start using iCloud Drive and eagerly await the new Photos app for Mac. I would much rather pay Apple for seamless cloud solutions compared to my current third-party monthly storage providers.

However, if someone gains my Apple ID password, they can easily access all of my information and remotely wipe all of my devices. This is a huge concern of mine.

Apple launched two-step verification a few years ago, but it's not implemented everywhere. For example, someone can sign on to icloud.com without needing to use this verification step.

My hope is that Apple looks into this, and adds a secondary level of security, such as rotating between security questions upon logging in, adding nearby device support for two-step verification or using TouchID to authenticate users on other iOS / OS X devices.
 
I agree, as more and more information is stored on the cloud, the service providers need to up their security. In this case Apple needs to be more proactive. That doesn't absolve the consumer from using proper security measures themselves, i.e., using complex passwords which are changed in a timely manner and not reusing passwords.
 
Can you imagine. Log into iCloud.com, iTunes, etc. Provide username/password.

Prompt for two way auth.

Push signal is sent to iPhone. Instead of copying and pasting some number.
Prompt is for TouchID, and your desktop auto-authenticates.
 
The problem with requiring two-factor auth for icloud.com is Find my Phone. If I lose my phone, the first thing I'm going to want to do is try to locate it and probably wipe it. I'll probably be borrowing someone else's device to do this, so I won't have access to my two-factor auth. I'm not sure what the right solution is. Maybe allow triggering lost mode without two-factor but require it for wipe?
 
Keep your password to yourself would be the best thing to do.

Still not as secure as two factor auth.

I agree, currently Apple's implementation of two factor auth is pretty bare bones at the moment, only seems to affect purchases so far. I'd like to see it applied across all of Apple's online services. They could separate Find my iPhone out from the rest of iCloud and only require your password for that.
 
The problem with requiring two-factor auth for icloud.com is Find my Phone. If I lose my phone, the first thing I'm going to want to do is try to locate it and probably wipe it. I'll probably be borrowing someone else's device to do this, so I won't have access to my two-factor auth. I'm not sure what the right solution is. Maybe allow triggering lost mode without two-factor but require it for wipe?

But you should have your recovery key available to use for the 2-step process. I actually sent feedback to Apple saying they should implement 2-step for Find my iPhone when accessing the Lost or Erase mode.
 
But you should have your recovery key available to use for the 2-step process. I actually sent feedback to Apple saying they should implement 2-step for Find my iPhone when accessing the Lost or Erase mode.

My recovery key is in my safe. Sure, I'd have access to it... once I got home. I'm not going to carry it in my wallet.
 
OP- submit your idea as an enhancement at bugreporter.apple.com. The more people ask, the more likely they are to implement it.
 
If one is smart they will keep their own local backup of their photos and files.

It would be absolutely insane to put all your eggs (photos) in one basket (iCloud). The very thought of it makes me shudder.

Apple better have a good local backup mechanism for iCloud stored photos, or it's going to be just one more "awesome new iOS 8 feature" I don't dare touch.
 
With iOS 8, we finally can store all of our files and photos on iCloud. I can't wait to start using iCloud Drive and eagerly await the new Photos app for Mac. I would much rather pay Apple for seamless cloud solutions compared to my current third-party monthly storage providers.

However, if someone gains my Apple ID password, they can easily access all of my information and remotely wipe all of my devices. This is a huge concern of mine.

Apple launched two-step verification a few years ago, but it's not implemented everywhere. For example, someone can sign on to icloud.com without needing to use this verification step.

My hope is that Apple looks into this, and adds a secondary level of security, such as rotating between security questions upon logging in, adding nearby device support for two-step verification or using TouchID to authenticate users on other iOS / OS X devices.

Touch ID is nothing more than another 4 digit password.
 
Touch ID is nothing more than another 4 digit password.

You can opt for the longer alphanumeric password if you use Touch-ID. Though I don't because it still doesn't work 100%, and I find myself having to key in my passcode from time to time. :p
 
Apple is a smart company. I would argue that they brought the idea of secure passwords to the industry. Prior to Apple's password requirements for Apple IDs, almost no one required capital letters and numbers.

I think Apple will be smart with two-step as well. Maybe they could integrate a mix of authentication methods, such as sign in seals, entering info such as the CC number on file, or security questions, when a user tries to do such tasks as remotely wiping a device.
 
Well maybe you should. I keep a copy with me but anyone who saw it would not know it's a recovery key.

This is great for women who carry a purse and have their phone and wallet in the purse. Does a lot of good if the purse is stolen :rolleyes:

Please explain.

You can use either or to unlock the iPhone. If it's not your thumb print, just use the 4 digit passcode.
 
Apple needs to rethink two-step verification before iOS 8 gets released

The problem with requiring two-factor auth for icloud.com is Find my Phone. If I lose my phone, the first thing I'm going to want to do is try to locate it and probably wipe it. I'll probably be borrowing someone else's device to do this, so I won't have access to my two-factor auth. I'm not sure what the right solution is. Maybe allow triggering lost mode without two-factor but require it for wipe?


Gmail and Facebook offer one-time-use codes you can print out ahead of time for situations like that.

----------

Can you imagine. Log into iCloud.com, iTunes, etc. Provide username/password.

Prompt for two way auth.

Push signal is sent to iPhone. Instead of copying and pasting some number.
Prompt is for TouchID, and your desktop auto-authenticates.


There's a 2-factor authentication called Authy that actually does this via Bluetooth, but I didn't really get a chance to try it out.
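
The split proposed earlier in the thread (locate and lost mode on the password alone, erase behind a second step) combined with the printable one-time codes mentioned in the post above, as an added example that is not part of any post and not Apple's, Google's or Facebook's code. The action names, the `Account` and `Session` classes and the code format are hypothetical; the session is assumed to have already passed the password check.

```python
import hashlib
import secrets

# Hypothetical action tiers for a password-authenticated session.
PASSWORD_ONLY = {"locate", "lost_mode"}         # usable from a borrowed device
STEP_UP = {"erase", "view_photos", "change_password"}

def _digest(code: str) -> str:
    # Normalise what the user types, then hash: the server keeps digests only.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()

class Account:
    def __init__(self, n_codes: int = 10):
        # 64-bit random codes, shown once so the owner can print them.
        self.printed_codes = [secrets.token_hex(8) for _ in range(n_codes)]
        self._unused = {_digest(c) for c in self.printed_codes}

    def redeem(self, code: str) -> bool:
        """Consume a printed code; every code is accepted exactly once."""
        d = _digest(code)
        if d in self._unused:
            self._unused.discard(d)
            return True
        return False

class Session:
    """One signed-in browser session (password already verified)."""
    def __init__(self, account: Account):
        self.account = account
        self.stepped_up = False

    def step_up(self, code: str) -> bool:
        ok = self.account.redeem(code)
        self.stepped_up = self.stepped_up or ok
        return ok

def authorize(session: Session, action: str) -> bool:
    if action in PASSWORD_ONLY:
        return True
    if action in STEP_UP:
        return session.stepped_up
    return False  # unknown actions are denied by default

if __name__ == "__main__":
    acct = Account()
    borrowed = Session(acct)
    print(authorize(borrowed, "lost_mode"), authorize(borrowed, "erase"))
    borrowed.step_up(acct.printed_codes[0])
    print(authorize(borrowed, "erase"))
```
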
 
Please explain.

TouchID is a magical convenience that persuades users to use a proper passcode to restrict access to their devices, while (mostly) eliminating the need to constantly re-enter the passcode.

People get confused about TouchID, thinking it is somehow a superior level of "security"....it is nothing of the sort.

Your iPhone 5s is still only protected by the passcode that you create. TouchID merely allows YOU, the device owner, to bypass your own code easily.
 
TouchID is a magical convenience that persuades users to use a proper passcode to restrict access to their devices, while (mostly) eliminating the need to constantly re-enter the passcode.

People get confused about TouchID, thinking it is somehow a superior level of "security"....it is nothing of the sort.

Your iPhone 5s is still only protected by the passcode that you create. TouchID merely allows YOU, the device owner, to bypass your own code easily.

The advantage of TouchID is it makes it really easy to use iOS long pass codes without having to type it in all the time.

So you turn off "simple passcode" then pick a complex letters and numbers mixed password, but you can use TouchID so you don't need to type that long passcode in all the time.
 
With iOS 8, we finally can store all of our files and photos on iCloud. I can't wait to start using iCloud Drive and eagerly await the new Photos app for Mac. I would much rather pay Apple for seamless cloud solutions compared to my current third-party monthly storage providers.

However, if someone gains my Apple ID password, they can easily access all of my information and remotely wipe all of my devices. This is a huge concern of mine.

Apple launched two-step verification a few years ago, but it's not implemented everywhere. For example, someone can sign on to icloud.com without needing to use this verification step.

My hope is that Apple looks into this, and adds a secondary level of security, such as rotating between security questions upon logging in, adding nearby device support for two-step verification or using TouchID to authenticate users on other iOS / OS X devices.

Apple don't need to rethink it, they simply need to add the second verification step when signing into iCloud.
 
The way I see it they could do what LastPass does.

- Grid Authenticator. Print it on a credit card sized index card. Laminate and keep in your wallet.
- Finger Print. Fast easy and automatically grab it from your iPhone if nearby.
- Google Authenticator. Or Apple can make their own. The ever changing number that gives you access to specific accounts. Just provide the number from a device you set up near you and you're in.
- YubiKey. Keep it in a safe just in case you lose your wallet, finger, grid authentication card or access to the iAuthenticate.
 
The biggest problem I see is when you have iMessage on your Mac set to send/receive messages using your mobile phone number.

If you lose your Mac and a thief logs into your online account they can get the 2 factor activation code sent right to them right in a notification on the desktop or in the iMessage app.
 
With iOS 8, we finally can store all of our files and photos on iCloud. I can't wait to start using iCloud Drive and eagerly await the new Photos app for Mac. I would much rather pay Apple for seamless cloud solutions compared to my current third-party monthly storage providers.

However, if someone gains my Apple ID password, they can easily access all of my information and remotely wipe all of my devices. This is a huge concern of mine.

Apple launched two-step verification a few years ago, but it's not implemented everywhere. For example, someone can sign on to icloud.com without needing to use this verification step.

My hope is that Apple looks into this, and adds a secondary level of security, such as rotating between security questions upon logging in, adding nearby device support for two-step verification or using TouchID to authenticate users on other iOS / OS X devices.

There is Touch ID and passcode for two step verification or can use with iCloud password generator which is harder to break in. :apple:
 
Checked out the latest iOS 8 beta as well as iCloud.com beta to see that this issue is still unresolved. Hoping to see something. There was a leak a few months ago that required two-step verification for all iCloud.com features except Find My iPhone, so here's to hoping.
 