Apple needs to rethink two-step verification before iOS 8 gets released

Discussion in 'iOS 8' started by MonstaMash, Jun 5, 2014.

  1. MonstaMash macrumors regular

    MonstaMash

    Joined:
    Dec 24, 2011
    #1
    With iOS 8, we finally can store all of our files and photos on iCloud. I can't wait to start using iCloud Drive and eagerly await the new Photos app for Mac. I would much rather pay Apple for seamless cloud solutions compared to my current third-party monthly storage providers.

    However, if someone gains my Apple ID password, they can easily access all of my information and remotely wipe all of my devices. This is a huge concern of mine.

    Apple launched two-step verification a few years ago, but it's not implemented everywhere. For example, someone can sign on to icloud.com without needing to use this verification step.

    My hope is that Apple looks into this, and adds a secondary level of security, such as rotating between security questions upon logging in, adding nearby device support for two-step verification or using TouchID to authenticate users on other iOS / OS X devices.
     
  2. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #2
    I agree, as more and more information is stored on the cloud, the service providers need to up their security. In this case Apple needs to be more proactive. That doesn't absolve the consumer from using proper security measures themselves, i.e., using complex passwords which are changed in a timely manner and don't reuse passwords.
     
  3. iMacBooked macrumors 6502a

    iMacBooked

    Joined:
    Jul 19, 2013
    Location:
    4 8 15 16 23 42 ✈ Country: Belgium
    #3
    That's true. There should be more consistency in their security measures. Starting by finalizing two-step verification is a good first step.
     
  4. Menel macrumors 603

    Menel

    Joined:
    Aug 4, 2011
    Location:
    ATL
    #4
    Can you imagine. Log into iCloud.com, iTunes, etc. Provide username/password.

    Prompt for two way auth.

    Push signal is sent to iPhone. Instead of copying and pasting some number.
    Prompt is for TouchID, and your desktop auto-authenticates.
     
  5. FourOhFour macrumors member

    Joined:
    Jul 28, 2011
    #5
    The problem with requiring two-factor auth for icloud.com is Find my Phone. If I lose my phone, the first thing I'm going to want to do is try to locate it and probably wipe it. I'll probably be borrowing someone else's device to do this, so I won't have access to my two-factor auth. I'm not sure what the right solution is. Maybe allow triggering lost mode without two-factor but require it for wipe?
     
  6. 617aircav Suspended

    Joined:
    Jul 2, 2012
    #6
    Keep your password to yourself would be the best thing to do.
     
  7. Planey28 macrumors 6502

    Joined:
    Jul 10, 2010
    Location:
    Greater Birmingham, UK
    #7
    Still not as secure as two factor auth.

    I agree, currently Apple's implementation of two factor auth is pretty bare bones at the moment, only seems to affect purchases so far. I'd like to see it applied across all of Apple's online services. They could separate Find my iPhone out from the rest of iCloud and only require your password for that.
     
  8. whsbuss macrumors 68040

    whsbuss

    Joined:
    May 4, 2010
    Location:
    SE Penna.
    #8
    But you should have your recovery key available to use for the 2-step process. I actually sent feedback to Apple saying they should implement 2-step for Find my iPhone when accessing the Lost or Erase mode.
     
  9. FourOhFour macrumors member

    Joined:
    Jul 28, 2011
    #9
    My recovery key is in my safe. Sure, I'd have access to it... once I got home. I'm not going to carry it in my wallet.
     
  10. rritterson macrumors 6502

    Joined:
    Jul 10, 2008
    Location:
    DC USA
    #10
    OP- submit your idea as an enhancement at bugreporter.apple.com. The more people ask, the more likely they are to implement it.
     
  11. whsbuss macrumors 68040

    whsbuss

    Joined:
    May 4, 2010
    Location:
    SE Penna.
    #11
    Well maybe you should. I keep a copy with me but anyone who saw it would not know it's a recovery key.
     
  12. zorinlynx macrumors 601

    zorinlynx

    Joined:
    May 31, 2007
    Location:
    Florida, USA
    #12
    If one is smart they will keep their own local backup of their photos and files.

    It would be absolutely insane to put all your eggs (photos) in one basket (iCloud). The very thought of it makes me shudder.

    Apple better have a good local backup mechanism for iCloud stored photos, or it's going to be just one more "awesome new iOS 8 feature" I don't dare touch.
     
  13. pmz macrumors 68000

    Joined:
    Nov 18, 2009
    Location:
    NJ
    #13
    Touch ID is nothing more than another 4 digit password.
     
  14. Abazigal macrumors 604

    Abazigal

    Joined:
    Jul 18, 2011
    Location:
    Singapore
    #14
    You can opt for the longer alphanumeric password if you use Touch-ID. Though I don't because it still doesn't work 100%, and I find myself having to key in my passcode from time to time. :p
     
  15. MonstaMash thread starter macrumors regular

    MonstaMash

    Joined:
    Dec 24, 2011
    #15
    Apple is a smart company. I would argue that they brought the idea of secure passwords to the industry. Prior to Apple's password requirements for Apple IDs, almost no one required capital letters and numbers.

    I think Apple will be smart with two-step as well. Maybe they could integrate a mix of authentication methods, such as sign in seals, entering info such as the CC number on file, or security questions, when a user tries to do such tasks as remotely wiping a device.
     
  16. Mtmspa macrumors 6502a

    Joined:
    May 13, 2013
    #16
    Please explain.
     
  17. Primejimbo macrumors 68040

    Joined:
    Aug 10, 2008
    Location:
    Around
    #17
    This is great for women who carry a purse and have their phone and wallet in the purse. Does a lot of good if the purse is stolen :rolleyes:

    You can use either or to unlock the iPhone. If it's not your thumb print, just use the 4 digit passcode.
     
  18. joshforman, Jun 14, 2014
    Last edited: Jun 14, 2014

    joshforman macrumors regular

    Joined:
    Aug 11, 2012
    #18
    Gmail and Facebook offer one-time-use codes you can print out ahead of time for situations like that.

    ----------


    There's a 2-factor authentication called Authy that actually does this via Bluetooth, but I didn't really get a chance to try it out.
     
  19. pmz macrumors 68000

    Joined:
    Nov 18, 2009
    Location:
    NJ
    #19
    TouchID is a magical convenience that persuades users to use a proper passcode to restrict access to their devices, while (mostly) eliminating the need to constantly re-enter the passcode.

    People get confused about TouchID, thinking it is somehow a superior level of "security"....it is nothing of the sort.

    Your iPhone 5s is still only protected by the passcode that you create. TouchID merely allows YOU, the device owner, to bypass your own code easily.
     
  20. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #20
    The advantage of TouchID is it makes it really easy to use iOS long pass codes without having to type it in all the time.

    So you turn off "simple passcode" then pick a complex letters and numbers mixed password, but you can use TouchID so you don't need to type that long passcode in all the time.
     
  21. SMIDG3T Suspended

    SMIDG3T

    Joined:
    Apr 29, 2012
    Location:
    England
    #21
    Apple don't need to rethink it, they simply need to add the second verification step when signing into iCloud.
     
  22. sekazi macrumors 6502

    Joined:
    Jan 12, 2012
    #22
    The way I see it they could do what LastPass does.

    - Grid Authenticator. Print it on a credit card sized index card. Laminate and keep in your wallet.
    - Finger Print. Fast easy and automatically grab it from your iPhone if nearby.
    - Google Authenticator. Or Apple can make their own. The ever changing number that gives you access to specific accounts. Just provide the number from a device you set up near you and you're in.
    - YubiKey. Keep it in a safe just in case you lose your wallet, finger, grid authentication card or access to the iAuthenticate.
     
  23. ominx macrumors 6502

    Joined:
    Jun 23, 2010
    #23
    The biggest problem I see is when you have iMessage on your Mac set to send/receive messages using your mobile phone number.

    If you lose your Mac and a thief logs into your online account they can get the 2 factor activation code sent right to them right in a notification on the desktop or in the iMessage app.
     
  24. Badrottie Suspended

    Badrottie

    Joined:
    May 8, 2011
    Location:
    Los Angeles
    #24
    There is Touch ID and passcode for two step verification or can use with iCloud password generator which is harder to break in. :apple:
     
  25. MonstaMash thread starter macrumors regular

    MonstaMash

    Joined:
    Dec 24, 2011
    #25
    Checked out the latest iOS 8 beta as well as iCloud.com beta to see that this issue is still unresolved. Hoping to see something. There was a leak a few months ago that required two-step verification for all iCloud.com features except Find My iPhone, so here's to hoping.
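
The split suggested in posts #5, #7 and #8 (password alone for locating a lost phone or enabling Lost Mode, a second factor for erase and for account data), combined with the time-based code from post #22, as an added example that is not part of the thread and is not Apple's implementation. The action names, the policy sets and the shared secret are assumptions; the code generator follows RFC 6238 (TOTP), the scheme used by authenticator apps.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6

# Hypothetical policy taken from the thread: finding a lost phone needs
# only the password; destructive or data-exposing actions need a
# second factor on top of it.
PASSWORD_ONLY = {"locate", "lost_mode"}
STEP_UP = {"erase", "photos", "drive"}

def totp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) computed over a time-step counter (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret, code, now, used, window=1):
    """Accept a code from the current step +/- window, and only once."""
    current = int(now) // STEP
    for counter in range(current - window, current + window + 1):
        if counter in used:
            continue                             # replayed code, already spent
        expected = totp(secret, counter).encode()
        if hmac.compare_digest(expected, code.encode()):
            used.add(counter)
            return True
    return False

def authorize(action, password_ok, secret, code=None, now=0, used=None):
    """Return True if the request meets the policy for this action."""
    used = set() if used is None else used
    if not password_ok or action not in PASSWORD_ONLY | STEP_UP:
        return False                             # default deny
    if action in PASSWORD_ONLY:
        return True
    return code is not None and verify_totp(secret, code, now, used)
```

The `used` set has to persist per account on the server, otherwise a code observed once could be replayed for the rest of its validity window.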
     
