Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
iCloud.com Now Utilizing Two-Factor Authentication
- Thread starter MacRumors
- Start date
- Sort by reaction score
Couldn't they just go to a token system, something active that generates a number, like the Blizzard token fob. It would make sense to use that as an option. They could call it the iToken, and license it for other companies to use too...
Blizzard calls them 'Authenticators'...
View attachment 492159
I did work a job that used the RSA SecureID tokens. It was funny that people sticky noted their passwords on the back of them all the time...
There's an app for that. I use it for work.
https://itunes.apple.com/us/app/itoken/id302341144?mt=8
a few celebrities get their security questions cracked, and it's "too late" for the millions upon millions upon millions of the rest of us? absurd.
Well ****...
I can no longer use iCloud.com because my Recovery Key and Trusted Device were all stolen when I was robbed last year
I can no longer use iCloud.com because my Recovery Key and Trusted Device were all stolen when I was robbed last year
Same here. And you gotta love how Apple in the same breath encourages us to use 2FA.
http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html
Apple's MR forum defense force engage in 3...2...1...
It wasn't just about passwords.
The Police Tool That Pervs Use to Steal Nude Pics From Apples iCloud
Also, in the past, two-factor authentication did not protect iCloud backups.
No.
First of all, you're assuming iCloud web apps require a Mac. They don't.
Second, you can do the 2FA via SMS, which is any cell phone.
That's basically what the Authenticator app does, except nobody needs to manufacture yet another device to do it.
I am not worried about someone stealing my device and wiping it remotely, but erasing it for fun like in this story. That's why I don't enable it for Mac and looks like I'm still not going to as I don't want to waste time on restoring everything if something like that would happen to me.
That might be true, but a good password would have prevented access -- no matter what.
A password like "correcthorsebatterystaple" would have been impossible to crack due to its length.
I can no longer use iCloud.com because my Recovery Key and Trusted Device were all stolen when I was robbed last year
Wtf would you store your recovery key and device in the same place?!?
Damn, that's some scary ****... That 'story'. All so easy...
----------
You need to get out more. A dictionary attack could spring that password in probably minutes.
I'll see if I can find the article, but it talked about how even with spelling elite 'l337', a password like that is still easy to hack.
Including punctuation helps, but it's not a matter of 'preventing access' as much as making it take longer and longer for someone to hack it.
NOTHING is safe. Did you read about the attackers that Mandiant identified? They have literally legions of hackers and different levels of expertise too. If someone wants your screen prints from Play Boy bad enough, they will get them...
----------
And all this time I've been ignoring the fact that RSA was hacked, and the hackers were able to clone the SecureID tokens in software to allow them to generate the exact same 'key' as a hardware token. It's not as bad as it sounds, because the hacker would have to know the number on your token, but...
Oh, and their 'encryption' has a notorious NSA backdoor. I don't know if they ever 'fixed' it, but there it is...
There's already an Authenticator app from Google, for the iPhone.
https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
I use it for 2-factor authentication for Google Mail, Dropbox, the admin console for my server, and even my Microsoft Live account (apparently required for Windows 8.1).
I'd like to see Apple use it, too. But, their implementation is better than none at all. At the moment, my bank doesn't offer any kind of 2-factor authentication. :-(
Hmmm
Apple won't let me turn this feature on. Apple wants me to change my password. Whats up with that?
Apple won't let me turn this feature on. Apple wants me to change my password. Whats up with that?
RSA also has one:
https://itunes.apple.com/us/app/rsa-securid-software-token/id318038618?mt=8
I posted the link to the Google Authenticator app earlier.
----------
If I remember right, you first have to change your password if it hasn't been changed recently.
Then, you have to wait 3(?) days for the password change notification to be sent, so the owner has time to respond if someone has managed to break into the account.
----------
It was one particular encryption algorithm: the "Dual Elliptic Curve":
http://arstechnica.com/security/201...door-in-rsas-cryptography-a-technical-primer/
The funny thing is: it was already considered suspect, many years ago:
https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
It was just more recent revelations that confirmed it.
Suppose your phone gets lost or stolen...
You want to use Find my Phone. Now you can't authenticate on SMS or your device. That leaves only your recovery key, which presumably is stored at home. That could slow down the search process considerably.
Edit: Oh, just logged in now, and I see that Find my Phone is exempt from 2FA. Very smart. And I would have realized that if I had read the whole article first.
You want to use Find my Phone. Now you can't authenticate on SMS or your device. That leaves only your recovery key, which presumably is stored at home. That could slow down the search process considerably.
Edit: Oh, just logged in now, and I see that Find my Phone is exempt from 2FA. Very smart. And I would have realized that if I had read the whole article first.
Last edited:
OK, so, like, please, someone tell me why this makes sense: You have to wait THREE DAYS to finish setting up Apple's two-factor authentication!!!
THREE DAYS!!!
Does it really take that long to scare the crap out of someone and make them wonder if they are doing the right thing?
I mean, the wait time just makes a whole lot less than ZERO sense...
Hell, to flog a dead horse, they could FedEx a hardware token and I'd be farther along than I am now...
Crap on a stick! What sense does that make? #FAIL
----------
Are you sure about the Windows 8.1 thing?
My bank offers 2-factor authentication, but apparently you have to have enough money to be a 'sizable loss' which apparently I don't come close to...
THREE DAYS!!!
Does it really take that long to scare the crap out of someone and make them wonder if they are doing the right thing?
I mean, the wait time just makes a whole lot less than ZERO sense...
Hell, to flog a dead horse, they could FedEx a hardware token and I'd be farther along than I am now...
Crap on a stick! What sense does that make? #FAIL
----------
Are you sure about the Windows 8.1 thing?
My bank offers 2-factor authentication, but apparently you have to have enough money to be a 'sizable loss' which apparently I don't come close to...
Same issue. School won't allow use of phones. So would I not be able to access pages in icloud then?
I'm not saying it was easy or that someone would hack into my account exactly the same way. But as long as there is only password that can be guessed and nothing more, I won't risk that someone can wipe my Mac.
I already had a situation when someone accessed my account (not iCloud, other service) even though password was only used there and was random. So now I won't use service with ability to remotely wipe my computer that can be accessed without any kind of additional authorization. I don't care that much about iOS as they can be easily restored, but unfortunately Mac cannot - I have to install and set up everything again (I don't have enough free space to set up Time Machine for entire system partition).
2FA is much harder to bypass so practically only professional hackers would be able to do it.
It's to give the user time to respond if someone manages to break into their account and lock them out by enabling 2-factor authentication.
I installed Windows 8.1 in a VM on my Mac Pro, simply to run one Windows application that isn't available for a Mac.
One of the steps during installation was to create a Windows Live account. I don't know if I "had" to do it, but I did. Then, I used the Google Authenticator to secure it.
Well, I have to retract this: my bank does indeed support it. But, it's well-hidden. I was able to find instructions in a tutorial on the WSJ site:
http://blogs.wsj.com/personal-techn...-step-verification-on-11-top-online-services/
But, once I set it up: my bank doesn't ask for the 2nd factor all the time. They only ask for it for certain transactions (presumably money transfers to a new external account?). That kinda defeats my purpose....
Last edited:
You want to use Find my Phone. Now you can't authenticate on SMS or your device. That leaves only your recovery key, which presumably is stored at home. That could slow down the search process considerably.
Edit: Oh, just logged in now, and I see that Find my Phone is exempt from 2FA. Very smart. And I would have realized that if I had read the whole article first.
I have my phone, my wife's phone, and my parent's phones on my iCloud account. Plus, I store my recovery key in a fire-proof container and in 1Password, which is stored on Dropbox.
There's NO excuse for not taking precautions..