I'd like to enable this, but am wondering...

Does it do the two factor EVERY TIME? Or does it place a cookie on your computer so that you don't have to do it again unless you change computers (or delete the cookie)?

My bank uses two factor, but it remembers each device so you only have to use it when logging in from a new device.

Do it and find out. I did.
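The "remembers each device" behaviour asked about above is usually a signed device-trust token set after a successful second-factor login: the password is still required every time, but the one-time code is skipped while the token is valid. This is an added illustration, not Apple's or any bank's implementation; the key, the 30-day lifetime, the token layout and the `login` decision function are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side MAC key; a real deployment keeps this in a secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-rotate-me"
TRUST_TTL = 30 * 24 * 3600  # remember a device for 30 days (constructed policy)
TAG_LEN = 32                # HMAC-SHA256 output length, used to split body from tag


def issue_device_token(user_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Issued only after the user has passed the second factor.
    Binds a fresh random device id to the user and an expiry, MACed so the browser cannot
    forge one or edit the user id / expiry."""
    payload = {"uid": user_id, "dev": secrets.token_hex(16), "exp": now + TRUST_TTL}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def device_is_trusted(token: str, user_id: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """Verify MAC (constant time), then the claims: right user and not expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) <= TAG_LEN:
        return False
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    return payload.get("uid") == user_id and payload.get("exp", 0) > now


def login(user_id: str, password_ok: bool, second_factor_ok: bool, device_token, now: int):
    """Decision logic. Returns (status, device_token_to_set).
    The password is always required; the second factor is skipped only for a valid
    trusted-device token, and a new token is minted when the second factor is passed."""
    if not password_ok:
        return ("denied", None)
    if device_token is not None and device_is_trusted(device_token, user_id, now):
        return ("ok", device_token)  # known device: no one-time code prompt
    if second_factor_ok:
        return ("ok", issue_device_token(user_id, now))
    return ("second_factor_required", None)


if __name__ == "__main__":
    t0 = 1_700_000_000
    status, tok = login("alice", True, True, None, t0)          # first login: prompted, token issued
    print(status, tok[:24] + "...")
    print(login("alice", True, False, tok, t0 + 60)[0])         # same device next day: no prompt
    print(login("alice", True, False, tok, t0 + TRUST_TTL + 1)[0])  # token expired: prompt again
    print(login("bob", True, False, tok, t0 + 60)[0])           # token stolen and replayed for another user
```

Deleting the cookie, or logging in from another machine, simply means there is no valid token, so the second factor is asked for again, which is exactly the behaviour described for the bank.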
 
Couldn't they just go to a token system, something active that generates a number, like the Blizzard token fob. It would make sense to use that as an option. They could call it the iToken, and license it for other companies to use too...

Blizzard calls them 'Authenticators'...


I did work a job that used the RSA SecurID tokens. It was funny that people sticky noted their passwords on the back of them all the time...:rolleyes:

There's an app for that. I use it for work.

https://itunes.apple.com/us/app/itoken/id302341144?mt=8
 
Well ****...

I can no longer use iCloud.com because my Recovery Key and Trusted Device were all stolen when I was robbed last year :(
 
Damn still no two-step verification for my country, seems that Apple wants some nude pictures

Same here. And you gotta love how Apple in the same breath encourages us to use 2FA.

http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Apple's MR forum defense force engage in 3...2...1...
 
Is this required? Just asking because I use Pages in the cloud at school and don't have access to another Apple device.
 
This has been working for MONTHS!!

I noticed it a while ago when I logged in months ago. This isn't news, this is just a feature that hasn't been reported on yet.

The whole iCloud "break in" is the dumbest piece of reporting I've seen in a while.

They used a password like, "PASSWORD" or "passw0rd" or "Pass123" or something equally dumb. This is a story about idiots and their bad passwords, not about Apple. Ugh, pisses me off.

It wasn't just about passwords.
The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud
The security community quickly pointed fingers at the iBrute software, a tool released by security researcher Alexey Troshichev designed to take advantage of a flaw in Apple’s “Find My iPhone” feature to “brute-force” users’ iCloud passwords, cycling through thousands of guesses to crack the account.
...
In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

Also, in the past, two-factor authentication did not protect iCloud backups.
 
Couldn't they just go to a token system, something active that generates a number, like the Blizzard token fob. It would make sense to use that as an option. They could call it the iToken, and license it for other companies to use too...

That's basically what the Authenticator app does, except nobody needs to manufacture yet another device to do it.
 
Not going to do anyone any good since you still need the username and password to access the iCloud account when setting the wiped device back up.

I am not worried about someone stealing my device and wiping it remotely, but erasing it for fun like in this story. That's why I don't enable it for Mac, and it looks like I'm still not going to, as I don't want to waste time on restoring everything if something like that happened to me.
 
I am not worried about someone stealing my device and wiping it remotely, but erasing it for fun like in this story. That's why I don't enable it for Mac, and it looks like I'm still not going to, as I don't want to waste time on restoring everything if something like that happened to me.

Damn, that's some scary ****... That 'story'. All so easy...

----------

That might be true, but a good password would have prevented access -- no matter what.

A password like "correcthorsebatterystaple" would have been impossible to crack due to its length.

You need to get out more. A dictionary attack could spring that password in probably minutes.

I'll see if I can find the article, but it talked about how even with spelling elite 'l337', a password like that is still easy to hack.

Including punctuation helps, but it's not a matter of 'preventing access' as much as making it take longer and longer for someone to hack it.

NOTHING is safe. Did you read about the attackers that Mandiant identified? They have literally legions of hackers and different levels of expertise too. If someone wants your screen prints from Playboy bad enough, they will get them...

----------


And all this time I've been ignoring the fact that RSA was hacked, and the hackers were able to clone the SecurID tokens in software to allow them to generate the exact same 'key' as a hardware token. It's not as bad as it sounds, because the hacker would have to know the number on your token, but...

Oh, and their 'encryption' has a notorious NSA backdoor. I don't know if they ever 'fixed' it, but there it is...
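The disagreement above over "correcthorsebatterystaple" comes down to two different numbers: how many candidates the attacker has to try, and how fast they can try them. An added worked example, not from either poster, that puts figures on both. The guess rates are constructed assumptions (an offline attack on a leaked hash versus online guessing against a login form, which is what the iBrute story involved), the 2048- and 7776-word list sizes are the usual xkcd and Diceware assumptions, and the leet-substitution bound is a deliberate upper bound.

```python
import math

# Constructed attacker throughputs for the estimates below.
OFFLINE_GUESSES_PER_SEC = 1e10   # constructed: GPU rig against a leaked fast, unsalted hash
ONLINE_GUESSES_PER_SEC = 100.0   # constructed: unthrottled web login endpoint

LEET_SUBSTITUTABLE = set("aeiostl")  # letters with a well-known digit/symbol look-alike


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret made of `symbols` independent picks, each from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Average time to hit the secret: half the space has to be searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_sec


def leet_bits_added(passphrase: str) -> float:
    """Upper bound on what 'l337' spelling adds: one bit per substitutable letter, assuming
    the attacker's rule set tries both spellings of each. Real rule sets try the popular
    substitutions first, so the practical gain is smaller than this."""
    return float(sum(1 for ch in passphrase.lower() if ch in LEET_SUBSTITUTABLE))


def scenarios() -> dict:
    """Entropy, in bits, of several ways of looking at the same kind of password."""
    return {
        # four words picked at random from a 2048-word list (the xkcd assumption)
        "4 random words, 2048-word list": entropy_bits(2048, 4),
        # four words picked at random from the 7776-word Diceware list
        "4 random words, 7776-word list": entropy_bits(7776, 4),
        # the exact famous phrase, when it is already in the attacker's wordlist: one candidate
        "famous phrase already in the wordlist": entropy_bits(1, 1),
        # eight characters chosen uniformly from the 95 printable ASCII characters
        "8 random printable ASCII": entropy_bits(95, 8),
        # the four random words with every substitutable letter leet-ified (upper bound)
        "4 random words + leet (upper bound)":
            entropy_bits(2048, 4) + leet_bits_added("correcthorsebatterystaple"),
    }


def human(seconds: float) -> str:
    """Readable duration for the printed table."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600 * 24 * 365:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (3600 * 24 * 365):.3g} years"


if __name__ == "__main__":
    print(f"{'scenario':40} {'bits':>6} {'offline':>12} {'online':>12}")
    for name, bits in scenarios().items():
        off = human(expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC))
        on = human(expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC))
        print(f"{name:40} {bits:6.1f} {off:>12} {on:>12}")
```

Length only helps if the words were actually chosen at random: four random words at 44 bits survive online guessing for centuries but fall to a fast offline attack in minutes, while a phrase that is already in the wordlist is a single guess regardless of length. That is why the thread's two positions are both right about different attacks, and why rate limiting on the login endpoint (the thing iBrute reportedly exploited the absence of) matters as much as the password itself.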
 
They could create something like Google Authenticator app (one time passcode) for 2-way verification...
 
Couldn't they just go to a token system, something active that generates a number, like the Blizzard token fob. It would make sense to use that as an option. They could call it the iToken, and license it for other companies to use too...

Blizzard calls them 'Authenticators'...

There's already an Authenticator app from Google, for the iPhone.

https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

I use it for 2-factor authentication for Google Mail, Dropbox, the admin console for my server, and even my Microsoft Live account (apparently required for Windows 8.1).

I'd like to see Apple use it, too. But, their implementation is better than none at all. At the moment, my bank doesn't offer any kind of 2-factor authentication. :-(
 
Hmmm

Apple won't let me turn this feature on. Apple wants me to change my password. What's up with that?
 

RSA also has one:

https://itunes.apple.com/us/app/rsa-securid-software-token/id318038618?mt=8

I posted the link to the Google Authenticator app earlier.

----------

Apple won't let me turn this feature on. Apple wants me to change my password. What's up with that?

If I remember right, you first have to change your password if it hasn't been changed recently.

Then, you have to wait 3(?) days for the password change notification to be sent, so the owner has time to respond if someone has managed to break into the account.

----------

Oh, and their 'encryption' has a notorious NSA backdoor. I don't know if they ever 'fixed' it, but there it is...

It was one particular encryption algorithm: the "Dual Elliptic Curve":

http://arstechnica.com/security/201...door-in-rsas-cryptography-a-technical-primer/

The funny thing is: it was already considered suspect, many years ago:

https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

It was just more recent revelations that confirmed it.
 
Suppose your phone gets lost or stolen...

You want to use Find my Phone. Now you can't authenticate on SMS or your device. That leaves only your recovery key, which presumably is stored at home. That could slow down the search process considerably.

Edit: Oh, just logged in now, and I see that Find my Phone is exempt from 2FA. Very smart. And I would have realized that if I had read the whole article first. :)
 
OK, so, like, please, someone tell me why this makes sense: You have to wait THREE DAYS to finish setting up Apple's two-factor authentication!!!

THREE DAYS!!!

Does it really take that long to scare the crap out of someone and make them wonder if they are doing the right thing?

I mean, the wait time just makes a whole lot less than ZERO sense...

Hell, to flog a dead horse, they could FedEx a hardware token and I'd be farther along than I am now...

Crap on a stick! What sense does that make? #FAIL

----------

There's already an Authenticator app from Google, for the iPhone.

https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

I use it for 2-factor authentication for Google Mail, Dropbox, the admin console for my server, and even my Microsoft Live account (apparently required for Windows 8.1).

I'd like to see Apple use it, too. But, their implementation is better than none at all. At the moment, my bank doesn't offer any kind of 2-factor authentication. :-(

Are you sure about the Windows 8.1 thing?

My bank offers 2-factor authentication, but apparently you have to have enough money to be a 'sizable loss' which apparently I don't come close to...
 
Damn, that's some scary ****... That 'story'. All so easy...

I'm not saying it was easy or that someone would hack into my account exactly the same way. But as long as there is only a password that can be guessed and nothing more, I won't risk that someone can wipe my Mac.

I already had a situation when someone accessed my account (not iCloud, another service) even though the password was only used there and was random. So now I won't use a service with the ability to remotely wipe my computer that can be accessed without any kind of additional authorization. I don't care that much about iOS as it can be easily restored, but unfortunately a Mac cannot - I have to install and set up everything again (I don't have enough free space to set up Time Machine for the entire system partition).

2FA is much harder to bypass so practically only professional hackers would be able to do it.
 
OK, so, like, please, someone tell me why this makes sense: You have to wait THREE DAYS to finish setting up Apple's two-factor authentication!!!

THREE DAYS!!!

Does it really take that long to scare the crap out of someone and make them wonder if they are doing the right thing?

I mean, the wait time just makes a whole lot less than ZERO sense...

It's to give the user time to respond if someone manages to break into their account and lock them out by enabling 2-factor authentication.

Are you sure about the Windows 8.1 thing?

I installed Windows 8.1 in a VM on my Mac Pro, simply to run one Windows application that isn't available for a Mac.

One of the steps during installation was to create a Windows Live account. I don't know if I "had" to do it, but I did. Then, I used the Google Authenticator to secure it.

My bank offers 2-factor authentication, but apparently you have to have enough money to be a 'sizable loss' which apparently I don't come close to...

Well, I have to retract this: my bank does indeed support it. But, it's well-hidden. I was able to find instructions in a tutorial on the WSJ site:

http://blogs.wsj.com/personal-techn...-step-verification-on-11-top-online-services/

But, once I set it up: my bank doesn't ask for the 2nd factor all the time. They only ask for it for certain transactions (presumably money transfers to a new external account?). That kinda defeats my purpose....
 
You want to use Find my Phone. Now you can't authenticate on SMS or your device. That leaves only your recovery key, which presumably is stored at home. That could slow down the search process considerably.

Edit: Oh, just logged in now, and I see that Find my Phone is exempt from 2FA. Very smart. And I would have realized that if I had read the whole article first. :)

I have my phone, my wife's phone, and my parents' phones on my iCloud account. Plus, I store my recovery key in a fire-proof container and in 1Password, which is stored on Dropbox.

There's NO excuse for not taking precautions.
 