Huge Flaw in Apple Account Security

dfelix · Jan 31, 2017

So nowadays 2FA is basic account security because of more and more sophisticated hackers and whatnot, but Apple's implementation leaves a lot to be desired because

YOUR COUNTRY DETERMINES WHETHER YOU CAN ACTIVATE IT OR NOT

Which is ridiculous. If your country is not on a magical list that Apple cooked up of allowed country codes, you will never be able to enroll your phone number to begin the 2FA process.

This is ridiculous. This isn't just an oversight, but a rather blatant omission of proper security practices. Every other provider who has 2FA security for their respective accounts, incl. but not limited to Google, Microsoft, Evernote, Gandi, Github, Dropbox, Facebook. Even Discord for crying out loud, will accept phone numbers from pretty much every country on earth. And yet almighty Apple, who has so many accounts and users worldwide, simply does not give a **** for any of them if they do not live in the tiniest list pre-approved of countries.

This is idiotic. This is ********. This is yet another sign that Apple is losing its way, and is heading wherever their marketing division tells them to.

#MakeAppleGreatAgain

ocabj · Jan 31, 2017

Duo Security has similar limitations on country availability. I am guessing it has to do with the SMS requirement and the supported SMS infrastructure of said country.

Yes, I know Apple two-factor authentication doesn't use SMS, but it does rely on SMS for the initial setup.

As far as Apple's implementation, it is actually pretty good. I use several two-factor authentication mechanisms, and while I think Duo Security is the best platform so far because I can integrate it with commercial products as well as my own code, Apple's mechanism is about as ideal as it gets to protect an account (iCloud/iTunes) that you could potentially setup while only owning one internet capable device (iPhone or iPad). Mechanisms like Duo actually require a computer for token setup.

But are you sure that Google and Microsoft will send SMS two factor to countries that Apple 2FA doesn't support? I'm going to guess it's probably going to be the same.

Not to mention Google and Facebook specifically rely on their own tokens (Google Authenticator and the Facebook smartphone app).

bcave098 · Jan 31, 2017

I don't see any "huge flaw" here. Two-factor is optional anyway.

dfelix · Jan 31, 2017

ocabj said:
Duo Security has similar limitations on country availability. I am guessing it has to do with the SMS requirement and the supported SMS infrastructure of said country.

Yes, I know Apple two-factor authentication doesn't use SMS, but it does rely on SMS for the initial setup.

As far as Apple's implementation, it is actually pretty good. I use several two-factor authentication mechanisms, and while I think Duo Security is the best platform so far because I can integrate it with commercial products as well as my own code, Apple's mechanism is about as ideal as it gets to protect an account (iCloud/iTunes) that you could potentially setup while only owning one internet capable device (iPhone or iPad). Mechanisms like Duo actually require a computer for token setup.

But are you sure that Google and Microsoft will send SMS two factor to countries that Apple 2FA doesn't support? I'm going to guess it's probably going to be the same.

Not to mention Google and Facebook specifically rely on their own tokens (Google Authenticator and the Facebook smartphone app).

I use those without a problem. The supported countries list is very expansive. Apple's supported list is about 50 countries. It's sad, really.
[doublepost=1485928888][/doublepost]

bcave098 said:
I don't see any "huge flaw" here. Two-factor is optional anyway.

Not if you are serious about account security. Are you just trying to troll?

Rok73 · Feb 1, 2017

dfelix said:
I use those without a problem. The supported countries list is very expansive. Apple's supported list is about 50 countries. It's sad, really.
[doublepost=1485928888][/doublepost]
Not if you are serious about account security. Are you just trying to troll?

Well, there is no "huge flaw" with Apple's 2FA. Your country isn't supported for some reason but that doesn't mean the 2FA is flawed. It's just the wording, you know.

I am not defending Apple here but there are other huge companies who don't support some smaller countries for various reasons, Sony being one of them. I think it's really the cost factor which matters for them.

ocabj · Feb 1, 2017

dfelix said:
I use those without a problem. The supported countries list is very expansive. Apple's supported list is about 50 countries. It's sad, really.

So you use Duo? I didn't count, but the number of countries for Duo is less than 50. Google and Facebook are independent of a telephone number since they rely on a time-based token.

Anyway, Apple 2FA isn't flawed because they aren't 100% global. You can still use Apple two-step authentication, IIRC. I was actually using that for a long time before I switched over to the 'recent' Apple 2FA. Granted, two-step might also be SMS dependent, in which case, you are probably SOL as well.

rhett7660 · Feb 2, 2017

Rok73 said:
Well, there is no "huge flaw" with Apple's 2FA. Your country isn't supported for some reason but that doesn't mean the 2FA is flawed. It's just the wording, you know.

I am not defending Apple here but there are other huge companies who don't support some smaller countries for various reasons, Sony being one of them. I think it's really the cost factor which matters for them.

I also have to wonder if it is what the Country's Government wants implemented in order to sell the product there. I wouldn't be surprised if items shipped to country "X" has to service "A" implemented with service "B" disabled. The price of doing business within that country.

Rok73 · Feb 2, 2017

@rhett7660

Good point too.

dfelix · Feb 2, 2017

ocabj said:
So you use Duo? I didn't count, but the number of countries for Duo is less than 50. Google and Facebook are independent of a telephone number since they rely on a time-based token.

Sorry, no, I misunderstood the question. I don't use DUO, but I just checked the page and yes, I can sign up as it does accept the phone number formats in my country. The countries list is much more expansive than 50 though, so they must have updated recently

ocabj said:
Anyway, Apple 2FA isn't flawed because they aren't 100% global. You can still use Apple two-step authentication, IIRC. I was actually using that for a long time before I switched over to the 'recent' Apple 2FA. Granted, two-step might also be SMS dependent, in which case, you are probably SOL as well.

The Apple account is. Any other major provider is actually global, or at least, they try to be by providing this very basic account security feature for all of their users. Of course, to use an iCloud account (and therefore syncing my contacts, for example) securely I would require 2FA, but I can't get it because I can't get the SMS to enable the damn thing.

This, in 2017, and with all the hacks that have been going on, is backwards. Even moreso when Apple likes to tout security as one of the core features of its OS.

Of course, it's also baked into Sierra. And I can't use it. No one in my country can. That is sad.
[doublepost=1486057208][/doublepost]I haven't researched this completely, but I'm willing to go out on a limb to state that you can only enable 2FA if your country can have an iTunes account. Which means, that despite being able to BUY an Apple device internationally and very nicely inflating their stock price while doing so, you cannot have the most basic of account security added to your account if you do not live in an eligible country.

This is completely and totally backwards logic, not just an oversight. Once again, I haven't done a full research on this but this is exactly the stuff that it appears to be.

This is starting to smell like a petition to me. I'm certainly not the only person in the world in this boat, but most likely the only affected person who knows about it and gives a damn.

bcave098 · Feb 2, 2017

The "basic" security features of an Apple ID or iCloud account are the security questions. Everything else is an optional increase in security, and therefore not a "huge flaw".

A "huge flaw" would be the ability to access an account without providing correct account details or a way to access the details of multiple accounts without authorization.

cswifx · Feb 2, 2017

Apple doesn't want people calling them telling their support telling them 2FA isn't working when it's their country that isn't letting them activate it. That's pretty much why. You can link any of the pre-approved countries' phone number to your 2FA (or if you want to be accurate, 2SA) to any country's account without an issue.

dfelix · Feb 2, 2017

It IS a flaw, because just a password does not cut it in 2017 anymore. Not letting a huge number of people activate it, most not even knowing what it is or why you use it for, is negligent for such a big company. And the flaw is not technical, as you can see a plethora of other, smaller companies completely allowing anyone to activate 2FA on accounts on their sites.

It goes without saying that 2FA is a necessity for anyone online right now, particularly for important accounts such as an Apple ID (find my phone, password recovery for macOS accounts, email, apps purchased, etc.)

Phil A. · Feb 2, 2017

I counted 137 countries on the supported list here: https://support.apple.com/en-gb/HT205075

While not perfect, it's still the majority of the world and the linked document says it's a gradual roll-out so presumably that figure will increase over time

Nermal · Feb 3, 2017

I can't really blame Apple for wanting to get it right, and gradually enabling countries as the various quirks are worked out. Some other services, like Microsoft's, had some glaring oversights in certain countries.

For example, how do you know what route a message needs to take? It seems that Microsoft was looking at the NZ number allocation table to see which provider allocated my number. But I'm no longer with that provider. There's also another layer below that.

Whose allocated pool did the number come from? Which provider currently owns that number? Which provider is the customer actually with? In my case, it's a different company for all three! Microsoft's authentication texts didn't function reliably for me until 2-3 years after the service first became available. And this doesn't even consider incompatibilities between the various technologies; until a few years ago it was common for "special" characters to appear as question marks when messages were sent been different providers.

It seems that it can be difficult to handle this properly, and this is only in one country. Now imagine trying to track down every country's quirks. I'm not surprised that a "slow and steady" approach is being favoured here.

dfelix · Oct 15, 2018

Since about January of 2018 it has been possible for people in my country, formerly Netherlands Antilles, to add their phone number and enable 2FA. I have no idea how many total countries are now supported, as the supported list has not been updated as of yet to reflect my country being on there.

At least they listened. This means that if you are not on the list, just f'n complain in every direction.

Search

Search

Huge Flaw in Apple Account Security

dfelix

macrumors regular

ocabj

macrumors 6502a

bcave098

macrumors 6502a

dfelix

macrumors regular

Rok73

macrumors 65816

ocabj

macrumors 6502a

rhett7660

macrumors G5

Rok73

macrumors 65816

dfelix

macrumors regular

bcave098

macrumors 6502a

cswifx

Suspended

dfelix

macrumors regular

Phil A.

Moderator emeritus

Nermal

Moderator

dfelix

macrumors regular

Our Staff