
Apple Makes Two-Factor Authentication Available For Apple IDs

Soulskill posted about a year and a half ago | from the security-is-now-officially-hip dept.


wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App Store. An Apple ID can essentially be the keys to the kingdom when it comes to Apple devices and user-maintained data, and, as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."


63 comments


That's just great. (2, Interesting)

ninlilizi (2759613) | about a year and a half ago | (#43251885)

But what happens when the trusted device is the iPhone that's just gone missing?

Re:That's just great. (2, Informative)

Anonymous Coward | about a year and a half ago | (#43251899)

Then they warn you not to do that, to at the very least set up SMS which could theoretically point to another phone.

Re:That's just great. (1, Troll)

UltraZelda64 (2309504) | about a year and a half ago | (#43253891)

Easy solution: Have an Android phone handy for logging into Apple services. :P
Security through non-Apple Products. It should officially become a new form of security, like security by obscurity...

Re:That's just great. (5, Informative)

jsdcnet (724314) | about a year and a half ago | (#43251917)

The person who finds it would still need to know your password. You can have multiple trusted devices (I set up my phone and iPad). There is also a special "recovery key" that can be used to get in to reset the trusted devices.

Re:That's just great. (2)

ozmanjusri (601766) | about a year and a half ago | (#43254623)

There is also a special "recovery key" that can be used to get in to reset the trusted devices.

And that could never cause a problem...

Major security hole allows Apple passwords to be reset with only email address, date of birth

http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth [theverge.com]

Re:That's just great. (4, Informative)

glennrrr (592457) | about a year and a half ago | (#43251935)

You print out a recovery number when you set it up. To change your password you need 2 of 3 things: the current password, a trusted device, or a recovery number. You are supposed to print it out, and hide it somewhere safe.

Re:That's just great. (1)

Opportunist (166417) | about a year and a half ago | (#43253327)

So, in other words, if a compromised computer is used to set this up it is trivial for the hacker to lock the user out of his account and take it over while at the same time making sure that it is nontrivial for the user to get it back?

Re:That's just great. (1)

Anonymous Coward | about a year and a half ago | (#43253481)

Yes. If the computer is compromised that you are setting this up on you can still be e-injured. However, at that point they had your password anyways via a keylogger. For everyone else, this is a great bonus to their security except for those who it is already too late. In other words, verify checksums of all files you get off of websites, use Adblock Plus + ScriptSafe in Chrome / Comodo Dragon or whatever browser you use (NoScript/Adblock for Firefox for example), Malwarebytes clean your PC, virus scan your shit (e.g. BitDefender/Kaspersky), install QFX AntiKeylogger Premium, use KeePass (with certificate keyfile and a strong long password, don't reuse passwords, reset passwords regularly, use strong/long generated passwords you can't remember for all those forums etc. and just let KeePass remember), IDS/firewall (e.g. Comodo), and store it somewhere safe/encrypted (e.g. SpiderOak). Essentially, be paranoid to the point where when you set up this two-factor you're already reasonably secure. Also, set up two-factor on Gmail as well, and store the printed backup codes in a bank safety deposit box along with Apple's recovery code. If you make it painful enough, you become less of a target. "Hackers" are generally looking for low hanging fruit.

Re:That's just great. (0)

Anonymous Coward | about a year and a half ago | (#43266239)

E-injured: when your virtual girlfriend kicks your e-peen.

Re:That's just great. (-1, Troll)

Anonymous Coward | about a year and a half ago | (#43251963)

But what happens when the trusted device is the iPhone that's just gone missing?

Then you clearly failed to treat your iPhone with the respect and honor befitting one of Saint Jobs's precious blessings, and thus you deserve to lose your earthly goods and personal information for your sinful neglect. Maybe next time you'll be more careful.

Re:That's just great. (2)

93 Escort Wagon (326346) | about a year and a half ago | (#43252577)

But what happens when the trusted device is the iPhone that's just gone missing?

You can have multiple trusted devices, and choose which one you want to use at any point in time. And you can remove devices from that list if they are lost or stolen (or, for that matter, if you just sell it).

2 factor my ass (0)

oztiks (921504) | about a year and a half ago | (#43253701)

Is this like the 2 factor authentication which now that I do my banking on my Smartphone has become 1 factor authentication?

i.e.

1. Login to netbank, issue payment on phone
2. Receive SMS authentication code (on the same device)
3. Key in the SMS authentication code in to the phone.
4. Bill paid?

What timing... (1)

Almonday (564768) | about a year and a half ago | (#43251909)

...considering the pretty serious security hole in the Apple ID system that was reported earlier today. [mashable.com]

Already closed (3, Informative)

SuperKendall (25149) | about a year and a half ago | (#43252401)

If you follow your link back to the original Verge source, you'll see Apple already shut down the password reset tool, and is probably working on a fix.

The timing then would seem to be excellent as with two-factor enabled the security hole would not matter.

Re:Already closed (1, Interesting)

ColdWetDog (752185) | about a year and a half ago | (#43253219)

This is interesting - went to set up two factor authentication; logged into the Apple site, then went to the passwords and security section, which asked for my two 'security questions' - which I never gave them. At this point, you can't get anywhere else. You're dumped to a KB article that is clearly incorrect and other than waiting online for an AppleDrone to tell me it's not really a problem (the usual Apple response to things), there is nothing else I can do.

Perhaps it's embroiled in this little issue. I suppose I'll wait a bit to see what happens.

Re:Already closed (2)

node 3 (115640) | about a year and a half ago | (#43255199)

Yeah, right, they just magically put in answers to your security questions for you.

Most likely you were prompted at some point to put them in, and being the clever but paranoid (and more than slightly annoyed at the time) geek that you are, you gave them bullshit responses (so that someone who knows you can't put in the info, like they are going to check which school you went to and who your childhood friend was, or whatever!). The only problem is that you didn't write them down and totally forgot about it.

That, or, yeah, somehow those questions just got magically entered by a ghost or something...

Re:Already closed (0)

Anonymous Coward | about a year and a half ago | (#43256531)

That, or, yeah, somehow those questions just got magically entered by a ghost or something...

Haven't you heard? The MacBook Pro has problems with ghosts.

Re:Already closed (1)

node 3 (115640) | about a year and a half ago | (#43258593)

Well, surely that explains it!

(And for a point of interest, only some of the LG retina models have a ghosting which is generally only found in contrived testing scenarios and not in normal use. That's still bad, but nothing so bad as many people (who don't even own one) like to portray it as.)

Re:Already closed (0)

Anonymous Coward | about a year and a half ago | (#43259239)

> which asked for my two 'security questions' - which I never gave them.

Why do so many large companies decide to do that? The database that Paychex got their information from is wrong. I'm from a town with a single high school. How did they get the name of my high school wrong? Bank of America's database they purchased is also just as broken. They misspelled my grandmother's first name. Even worse is Wells Fargo that asked two insulting questions. The first is "What year did your first child start school?" I don't have children. The next is worse. It is, "What is the profession of your paternal grandfather?" My grandmother was raped by Polish soldiers and doesn't even know who he is. Wells Fargo is being incredibly insensitive by claiming to know that information.

*in selected countries* (0)

Anonymous Coward | about a year and a half ago | (#43251925)

great to know that security only matters for some countries :-/

Stop asking for my password all the time (2)

Mascot (120795) | about a year and a half ago | (#43252017)

If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates; at least it doesn't ask me for every app update anymore. But, still...

Re:Stop asking for my password all the time (1)

tlhIngan (30335) | about a year and a half ago | (#43252297)

If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates; at least it doesn't ask me for every app update anymore. But, still...

Blame all the developers and users for that one then. Back in iOS 4 days, parents would download an app and then find their kids have spent thousands of dollars on smurfberries on their credit card bill, so parents demanded action. Apple went ahead and split the timer between app store purchases and in-app purchases.

The timer can be set at least to two different values - 15 minutes (default) or immediately, which means it always asks for a password (Settings->General->Restrictions or parental controls or somesuch).

And naturally, Apple was sued and forced to pay out for that as well, so they're here to stay. More telling is why it hasn't happened on Android to a significant extent - either people don't really use apps on Android, or in-app purchases aren't common?

Re:Stop asking for my password all the time (2)

Mascot (120795) | about a year and a half ago | (#43252699)

Indeed, the last time I can remember having to enter my Google password for my Android phone, was when I bought it. And that's why it's a randomly generated password of some length (and two-factor protected). My AppleID is.... not.

Apple could have solved this in so many ways that are more convenient. Like, god forbid, letting the user decide between several options. That way I could get one I would be happy with (a confirmation dialog to avoid accidental clicks), and parents could get one they are happy with (password required when doing something that costs money). Apple really does not like multiple choices though, so it is what it is.

Re:Stop asking for my password all the time (2)

fermion (181285) | about a year and a half ago | (#43252543)

Here is my thing. A secure password is needed to protect the user against a random attack, presumably coming from the interwebs. Except that security is hard and expensive, so there are always going to be attacks that are not password related. Social engineering, hacking a server, using the password reset mechanism. All these get passwords and the complexity is irrelevant. All that wasted personal effort to maintain good passwords with no benefit.

I like this kind of thing because it is dead simple and relatively secure. A good password will keep the account somewhat secure. The one time pad decreases the chances of someone who has the password getting in undetected. They can log in partly and be recorded, but without the code will not be able to get in. Enough of these and it is clear someone has your password. Easier password, easy code, security.

Re:Stop asking for my password all the time (2)

PNutts (199112) | about a year and a half ago | (#43252661)

You don't want to use a password when you buy something? What are you talking about when you say "all the freakin' time". I go for weeks without using my password.

Re:Stop asking for my password all the time (1)

Mascot (120795) | about a year and a half ago | (#43252789)

As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.

And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.

Re:Stop asking for my password all the time (0)

node 3 (115640) | about a year and a half ago | (#43255213)

As I said, it has gotten better. But it's not that long since it asked for a password simply to update an already installed application.

Then what the fuck are you complaining about?

And, no, I don't want it to ask me for my password when I buy something on a device I have previously authenticated on. Tell me the price and ask for confirmation, yes, but ask me for password, no.

Tell that to parents who hand their iPhones to their kids, or hell, even just being around some asshole acquaintances that might think it's funny.

Or losing your phone and some stranger finding it and going to town with your account.

Not to mention yourself, accidentally clicking the "buy" button.

Re:Stop asking for my password all the time (1)

Mascot (120795) | about a year and a half ago | (#43256307)

I said *I* don't want. I'm not trying to impose my choice upon others. I'd much prefer Apple added a configurable option to cater both for people that hand their gear to kids, or people they don't know, or habitually misplace hundreds of dollars worth of kit, as well as for people like me that do not.

Re:Stop asking for my password all the time (1)

node 3 (115640) | about a year and a half ago | (#43258565)

Well, that's quite reasonable (if a bit on the far end of the curve).

I think the main problem is that if that's even an option, far too many people would turn it on (either knowingly or unknowingly), only to later find themselves running afoul of one of the many scenarios a password-free purchasing system would allow.

The part I don't quite get is, how often do you need to type your password? When you buy from the stores (and there's a timeout period during which you don't need to type it). This can't be all that often, even for the most voracious App/Book/Music/Movie/TV Show buyer, can it?

Re:Stop asking for my password all the time (1)

Mascot (120795) | about a year and a half ago | (#43279177)

To be honest, if my password is a 30 character one that takes me several minutes to pull up on my computer's password safe and type in using a phone's keyboard, it doesn't take very often for that password to be dumbed down to something more convenient.

The problem is that password is not protecting the phone, but the account, accessible from anywhere. Dumbing down the password is a bad solution. I'd be equally happy with a middle ground, like a PIN code to purchase as opposed to the full password. Which, incidentally, is exactly how people would avoid someone picking up their phone and "prank buying" in the first place (current security drama with regards to the lock screen notwithstanding).

Having said that, my Android phone has not asked me for my password since I bought it, and I am not bankrupt yet, nor can I remember seeing articles about people having issues.

How Many Factors? (1)

SavoWood (650474) | about a year and a half ago | (#43252081)

This may seem like a stupid question, but I'll ask it anyway.

When I count, I see the username and password as two factors. The factors, as I understand it, should be a combination of something you have (CAC, ATM card), know (username, password), and are (retina scan, fingerprint, voice pattern). Using that definition, username and password are two factors. It's quite possible to have a single factor, i.e. password only to log in on a device. A smart phone is a perfect example. You have your PIN, but no user name. On your computer, typically you have to put in your username (first factor) and your password (second factor). Adding a biometric like thumbprint, voice, retina, etc. would be an additional factor, making it three factor authentication.

Maybe I'm just being thick, or have completely misunderstood what's going on here with the naming, but this seems like they're looking at three factor authentication. Since initially writing this, after hitting the preview button, I've looked at the wikipedia page on 2FA/MFA/TFA and find the moniker to still be incorrect in this application.

Am I thinking too hard about this? Is it really simpler than I think it is? (Please be kind in your application of the clue bat.)

Re:How Many Factors? (1)

Lazere (2809091) | about a year and a half ago | (#43252139)

Both username and password are something you know. Perhaps you can claim the username is something you have, but I'm pretty certain they mean physically with that. Also, I think it has to have two of the three things (ie. Something you know and something you have as opposed to two things you know). I may be wrong, but I think that's how it's measured...

Re:How Many Factors? (2)

gorodish (788476) | about a year and a half ago | (#43252169)

You are correct, technically, but the real value of these kind of two-factor authentication techniques is that they are immune to replay attacks. Someone listening in to the Apple login process can't re-use the transmitted SMS code, because Apple expects to see a different code each time you log in.
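The replay property gorodish describes, worked through as an added Python example that is not code from the thread or from Apple's system: a server-side store issues one short code per account, keeps only its hash, rejects it once the (assumed) time window passes, and consumes it on first successful use, so a code captured while the legitimate user typed it is refused when the eavesdropper replays it. The lockout threshold, the 600-second window and the account names are assumptions; the audit trail is there because, as fermion notes earlier in the thread, repeated failed second-step attempts are the signal that someone already holds the password.

```python
"""Single-use verification codes with expiry, replay rejection and an audit trail.

Added example; the constants below are assumptions, not Apple's documented values.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed lifetime of an issued code
MAX_FAILURES = 5         # assumed number of wrong codes before the pending code is voided


class VerificationCodes:
    """Server-side store of pending second-step codes, keyed by account."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock so expiry can be exercised offline
        self._pending = {}            # account -> (sha256(code), issued_at)
        self.failures = {}            # account -> wrong-code count since last success
        self.audit = []               # (account, event) tuples a detection rule could alert on

    def issue(self, account: str) -> str:
        """Generate a fresh 4-digit code for delivery to the trusted device; store only its hash."""
        code = f"{secrets.randbelow(10_000):04d}"
        self._pending[account] = (hashlib.sha256(code.encode()).digest(), self._now())
        self.audit.append((account, "code_issued"))
        return code

    def verify(self, account: str, code: str) -> bool:
        """Accept a code at most once, and only inside its lifetime."""
        entry = self._pending.get(account)
        if entry is None:
            self.audit.append((account, "no_pending_code"))
            return False
        digest, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            self.audit.append((account, "code_expired"))
            return False
        if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest):
            self.failures[account] = self.failures.get(account, 0) + 1
            self.audit.append((account, "wrong_code"))
            if self.failures[account] >= MAX_FAILURES:
                del self._pending[account]          # stop online guessing of a 4-digit code
                self.audit.append((account, "locked"))
            return False
        del self._pending[account]                  # consumed: the same code never works twice
        self.failures[account] = 0
        self.audit.append((account, "verified"))
        return True


def replay_scenario() -> tuple:
    """Eavesdropper captures the code the user types. Returns (user_ok, replay_ok)."""
    clock = [1_000.0]
    store = VerificationCodes(now=lambda: clock[0])
    account = "alice@example.com"                    # constructed account name
    code = store.issue(account)                      # delivered to the trusted device
    sniffed = code                                   # attacker sees it on the wire
    user_ok = store.verify(account, code)            # legitimate login succeeds
    clock[0] += 1
    replay_ok = store.verify(account, sniffed)       # replay of the same code is refused
    return user_ok, replay_ok


if __name__ == "__main__":
    print(replay_scenario())
```

The store deliberately never keeps the plaintext code, so a leaked database of pending codes does not help an attacker who can also intercept SMS; the replay check and the lockout are what turn a stolen password into a logged failed attempt rather than a silent login.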

Re:How Many Factors? (2)

jacinda (1875592) | about a year and a half ago | (#43252181)

"Multi-factor authentication (also Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")." Wikipedia [wikipedia.org]

While a username and password are two "things," as you wrote yourself they are both things that you know so they only involve one authentication factor. So even if you required 3 passwords per login, that's still only single-factor authentication.

For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

Re:How Many Factors? (3, Insightful)

noh8rz10 (2716597) | about a year and a half ago | (#43252511)

For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

I would say the most common 2-factor authentication is at the ATM, where you need to present your ATM card and enter your pin.

Re:How Many Factors? (4, Insightful)

cbhacking (979169) | about a year and a half ago | (#43252785)

Yep, that's a good example of 2FA. Calling "username and password" two factors is foolish; your username isn't even an authentication credential at all in most cases (that is, it's typically at least semi-public information). It's an identifier, not a credential.

However, even if the username is treated as a second password, then you don't really have two passwords; you have one long password with a break in the middle. There's no meaningful difference between them at that point.

Re:How Many Factors? (1)

Opportunist (166417) | about a year and a half ago | (#43253469)

That's like saying when I log in to my mail account it's two factor, too, because I need something I know (my email credentials) and a computer to type it in (which is something I need to have). Sorry, but that doesn't constitute a two factor authorization yet.

The "something you have" must be sufficiently unique that duplication is nontrivial or (preferably) impossible. What may make it "something you have" is in this case the fact that there is only one phone with this phone number, not the fact that you get it sent to your phone.

Re:How Many Factors? (0)

Anonymous Coward | about a year and a half ago | (#43254959)

Oh and "security questions" (your mother's maiden name, for example) is a 4th factor "Something Everyone Knows".

Re:How Many Factors? (2, Informative)

Anonymous Coward | about a year and a half ago | (#43252265)

Not really. There are two issues:
1) Two factor authentication is generally (always?) accepted as being two factors of different types (ie, you cannot have two things you know, two things you are, or two things you have...the two things must be from different categories). This is more secure because it means the two factors must be attacked through completely different channels (if you had two passwords, the same attack to steal the first password could be used to steal the second password). It is analogous to encrypting something twice using XOR...if I XOR something with k1 and k2, it is no better than XORing it with the value of k1 XOR k2.
2) Your username is generally considered "public"...it is an identifier, not an authenticator. It is generally not protected (you will pretty much always see it in plaintext, while passwords are *supposedly* hashed/encrypted). In combination with a secret (ie, your password), you actually have authentication. The pair is just one factor. Similarly, your username (the identifier) is used in combination with the other factor (token, biometric, whatever) to actually authenticate you.

Re:How Many Factors? (0)

Anonymous Coward | about a year and a half ago | (#43252359)

I forgot to mention the particular case of the phone:
No identifier is required there because it is a single user system. The authentication mechanism doesn't need to determine who it is authenticating...there is only one entity. They just need the correct credential (ie, the pin). If they ever come out with phones intended for multiple users, they would need a way of specifying the identifier in addition to the credential(s).

Re:How Many Factors? (0)

Anonymous Coward | about a year and a half ago | (#43252315)

To address the phone example, that is still authentication using one factor, but no identifier is required. That is because it is not a shared resource (there are not multiple users on a phone...if there are, you would need to specify an identifier as well). The phone doesn't need to determine who it is authenticating...it just needs to know if you are authorized (which is determined by you providing the correct pin).

Re:How Many Factors? (-1)

Anonymous Coward | about a year and a half ago | (#43252593)

How do you have such a low UID but not a single fucking clue about two-factor authentication?
 
Go back to reading comic books and sucking cocks.

Re:How Many Factors? (0)

Anonymous Coward | about a year and a half ago | (#43252727)

Because he gets answers like this when he asks in a semi-technical forum? Now off to your Linux forum.

Re:How Many Factors? (0)

Anonymous Coward | about a year and a half ago | (#43252723)

- showing your face to a camera
- showing your fingerprint to a scanner
- demonstrating your weight to a scale

Basically, something that requires you personally to be present; handing over a keycard or telling someone a username/password doesn't qualify.

Re:How Many Factors? (1)

Opportunist (166417) | about a year and a half ago | (#43253405)

Well, the confusion is understandable as "two factor" has been applied (wrongfully) to two very different and distinct security paradigms. First, the one you describe where the "factors" are having/knowing/being. The other one determines the "factor" by the paths information takes to negotiate between the two parties involved.

In this specific case, where "factor" is used somewhat incorrectly IMO, a more appropriate designation would be "multi-channel", one "factor" is the link through the computer, the other one being the link through the text message channel. Two channel security increases overall security considerably since compromising one system is not enough to get the process compromised altogether. The classic MITM doesn't work out since you would have to sit in the middle of two distinct and independent channels.

Now, of course this only works if both channels give you sufficient information to verify that the other channel has not been compromised. Banks use a similar system for internet banking, where you enter the information of the transaction planned, then you receive a text message with account data and amount to be transferred, which allows you to verify that the information you entered matches the information that arrived at the bank (i.e. a MITM attack changing the data between you and bank is thwarted), and you also receive a confirmation number that you have to enter to authorize the transaction.

Note that the account information is CRITICAL in this setup. Just sending you a text message with "please acknowledge the transfer, your super-secret code is 1234" does NOT increase security AT ALL.
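Opportunist's bank example, worked through as an added Python example that is not code from the thread or from any bank: the bank stores the transfer exactly as it arrived over channel 1 (the browser) and sends a single-use confirmation code over channel 2 (SMS). A man-in-the-browser rewrites the payee and amount before they reach the bank. When the SMS carries the account data and amount, a user who compares them against what they meant to send refuses to type the code and the fraud fails; when the SMS only says "your code is 1234", the user has nothing to compare and confirms the attacker's transfer. Account names, amounts and the SMS wording are constructed for the example.

```python
"""Second-channel confirmation with and without transaction details in the message.

Added example. The bank, accounts and SMS wording are constructed, not any real system.
"""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int


class Bank:
    """Bank side: one pending transfer per txn_id, confirmed by a single-use code sent over SMS."""

    def __init__(self, details_in_sms: bool):
        self.details_in_sms = details_in_sms
        self._pending = {}      # txn_id -> (Transfer as received over channel 1, code)
        self.executed = []      # transfers actually carried out

    def request(self, t: Transfer) -> tuple:
        """Record the transfer received over channel 1; return (txn_id, sms_text) for channel 2."""
        txn_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[txn_id] = (t, code)
        if self.details_in_sms:
            sms = (f"Confirm transfer of {t.amount_cents / 100:.2f} from {t.from_account} "
                   f"to {t.to_account}. Code: {code}")
        else:
            sms = f"Please acknowledge the transfer. Your code is {code}"
        return txn_id, sms

    def confirm(self, txn_id: str, code: str) -> bool:
        """Execute the pending transfer only if the code matches. One attempt: a wrong code
        voids the pending transfer, which caps guessing at a single try per submission."""
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        t, expected = entry
        if not secrets.compare_digest(code, expected):
            return False
        self.executed.append(t)
        return True


def user_accepts(sms: str, intended: Transfer) -> bool:
    """What a careful user does with the SMS: compare it with the transfer they meant to make.
    With no details in the message there is nothing to compare, so the user can only trust
    what their (possibly compromised) browser showed them."""
    m = re.search(r"transfer of (\d+\.\d\d) from (\w+) to (\w+)\.", sms)
    if m is None:
        return True
    amount, src, dst = m.groups()
    return (amount == f"{intended.amount_cents / 100:.2f}"
            and src == intended.from_account
            and dst == intended.to_account)


def extract_code(sms: str) -> str:
    """Pull the 6-digit code out of either SMS format."""
    return re.search(r"(\d{6})\s*$", sms).group(1)


def man_in_the_browser(bound: bool) -> bool:
    """Malware rewrites the transfer on channel 1. Returns True if the fraud is executed."""
    bank = Bank(details_in_sms=bound)
    intended = Transfer("alice", "bob", 5_000)         # user wants to pay bob 50.00
    tampered = Transfer("alice", "mule", 500_000)      # what actually reaches the bank
    txn_id, sms = bank.request(tampered)
    if not user_accepts(sms, intended):
        return False                                    # user refuses to enter the code
    bank.confirm(txn_id, extract_code(sms))
    return tampered in bank.executed


if __name__ == "__main__":
    print("details in SMS, fraud executed:", man_in_the_browser(bound=True))
    print("bare code in SMS, fraud executed:", man_in_the_browser(bound=False))
```

The code in both variants is equally random and equally single-use; the only difference is whether the second channel carries enough of the transaction for the user to detect that channel 1 was tampered with, which is exactly the point made above.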

Re:How Many Factors? (0)

Anonymous Coward | about a year and a half ago | (#43253599)

The root of the problem is that username and password are not two factors; the user name does not count as a factor. Because a factor is something you know that no one else does. However, everyone can find out your username: it shows up in forums, friend requests, etc. I've been of the belief for a long time now that, like in MMOs, the user account name that you use to log in should be completely different than your public name. This would protect accounts against password resets because the user resetting it would have to know your login name, which they wouldn't know. However, the imbeciles at all of these companies don't get this very simple concept, so we're left with just one factor: the password. Hence, they generate this extra code now to give you two factors. Three factors would be nice, like a private user account name, password, and the SMS code. That'd be a lot harder to crack; I long for that day.

Also, your credit card/ATM card are also easy to find out; heck, you hand them to people when you purchase things in public, so they're not really private. And all of these companies store the numbers plaintext in their databases, and these databases get stolen, so your info is probably already out there. Fingerprints are easy to fake and make a horrible factor; same goes for retina and voice, all of these can be recorded and "played back".

Anyways, a great example of this is that you've posted as SavoWood on Slashdot. I now know your account name; I can begin social engineering/attacking your account until I get in. Do you really consider your username a factor now, knowing this? How safe do you feel that I can't just guess your gmail/amazon/me.com/icloud accounts based on that name, break into one of those services, and ask /. to reset your password? Walked over your grave kind of feeling, right?

Exploits already (1)

gmuslera (3436) | about a year and a half ago | (#43252111)

Seems that anyone can reset your password knowing your email and birthdate [theverge.com] for the ones not using the two-factor authentication. And that option is available in just a few countries.

Hopefully it gets fixed in very short time or it could have a massive impact all over the world.

Re:Exploits already (0)

Anonymous Coward | about a year and a half ago | (#43252829)

I reset my password 2-3 days ago using my email address alone. It did not ask for a DOB, since I had never provided one to Apple. At least it was easy to recover from a lost password.

Re:Exploits already (2)

thetoadwarrior (1268702) | about a year and a half ago | (#43252873)

The reset tool isn't available so that issue doesn't exist now.

Re:Exploits already (1)

AmiMoJo (196126) | about a year and a half ago | (#43255921)

Except that you have not been able to reset your password for months. Solve one problem by creating another.

72 Hour Waiting Period (1)

Secret Agent Man (915574) | about a year and a half ago | (#43252259)

I tried to set mine up, and now Apple is saying I need to wait 3 days before the process can be completed. I'm in no hurry, but this feels kind of arbitrary, when other popular services (Google, Blizzard, et al) can set this form of authentication up instantly.

Re:72 Hour Waiting Period (3, Informative)

Macman408 (1308925) | about a year and a half ago | (#43252813)

See the next-to-last answer in the FAQ here: http://support.apple.com/kb/HT5570 [apple.com]

If you've reset your password or changed your security questions, they make you wait first. This prevents somebody from stealing your account, changing the password, and then turning on two-factor authentication preventing you from ever getting it back. As they also note in that article, if you use two-factor authentication, they become unable to reset your password. If you ever lose two of the three things needed to log in (your password, your verified device(s), and your recovery key), then you cannot make any changes to your account. (And if you lose all three, you can't even log in from an already-trusted device.)

Re:72 Hour Waiting Period (1)

Secret Agent Man (915574) | about a year and a half ago | (#43253353)

Hmm, while that does make sense, I'm afraid I did none of those things. Ah well, better to err on the side of caution.

Fail (0)

Anonymous Coward | about a year and a half ago | (#43252459)

Well I just tried it. Sat for about five minutes, waiting for the SMS. Got bored, and gave up.

And I did verify that my SMS is working, and that my cellco isn't just borked. Google had no problem pinging my phone in a matter of seconds. Tried to have Apple do it, gave up after five times. I even tried Apple to SMS my Google Voice number, which should forward the SMS to me via email. Still nothing.

Apple fail.

Apple's two factor authentication availability (1)

LiquidPaper (69881) | about a year and a half ago | (#43254015)

Only available in the USA and selected European countries.

No security token... (1)

Visserau (2433592) | about a year and a half ago | (#43254841)

Disappointing. As someone with only one mobile device (i.e. the one I want to protect) this is not very useful. Would be a lot better with a security token similar to those used by banks. However I'll probably enable it anyway as in my particular case I'm more worried about someone I know getting into the account, which this DOES protect from even though it'll make me more vulnerable if my phone is stolen.

(Disclaimer: I only own an iPhone as I inherited it. I don't particularly enjoy getting screwed by Apple constantly.)

Poorly implemented for multiple Apple IDs (1)

mkraft (200694) | about a year and a half ago | (#43255197)

Since Apple refuses to allow merging of Apple IDs, I have multiple IDs: iCloud, iTunes and other. The way Apple implemented this, you have to use the Find My iPhone app or SMS. The Find My iPhone app is tied to iCloud so it can only be used with an iCloud account, making it useless for a separate iTunes account which is where my devices are registered. That leaves SMS, which also has issues since the same phone number can't be used for different accounts. Plus many people, myself included, don't pay for SMS so it costs them 20 cents per validation.

So Apple's whole 2 steps authentication fails as it has for most companies. Some, like Yahoo, can't even get it to work at all. I've never received a single verification SMS from Yahoo, no matter how many I request. Yahoo simply refuses to send it to me, despite my carrier being on their approved list. Yahoo's 2-factor implementation is rock bottom.

On the other end of the spectrum is Google, who is among only a handful of companies who have got 2-factor authentication right. With Google's one app, I can verify any number of Google and even Dropbox accounts. Other companies like Blizzard and Paypal (Verisign) use the same method.

Personally, I think all companies should use Google's authentication app of something similar. Implementing 2-factor authentication requiring SMS or an active Internet connection is simply a fail.

Re:Poorly implemented for multiple Apple IDs (1)

Ash-Fox (726320) | about a year and a half ago | (#43255831)

Plus many people, myself included, don't pay for SMS so it costs them 20 cents per validation.

That is really only an issue in the States. This doesn't affect the majority of people.

Remember You Need 2 out of 3 MINIMUM (0)

Anonymous Coward | about a year and a half ago | (#43256251)

Please people keep in mind that if you enable 2 step verification you NEED to keep the recovery code. If you do not have 2 of the three items (password, recovery code, trusted device)

Re:Remember You Need 2 out of 3 MINIMUM (0)

Anonymous Coward | about a year and a half ago | (#43256267)

ack, double post, like I was saying, 2 out of 3. Otherwise no one, including Apple, will be able to recover your account, ever. As a mobile repair guy I spend a lot of time on the phone with Apple fixing people's accounts that come into my store. Your average person doesn't know the questions, or the Apple ID currently. So Two Step makes me very wary.

That's good news (1)

DeoRip (2874209) | about a year and a half ago | (#43258489)

Great news from Apple then, this will make Apple users feel more safe.

Hard to get folks to use 2FA or OTP (0)

Anonymous Coward | about a year and a half ago | (#43297937)

Why is it so hard to get people to use Two Factor Authentication (2FA)?

We are looking for non-profit server owners to deploy our FREE 2FA One Time Password (OTP) app URQUi.com. URQUi works with ALL cell phones. It is available now at iTunes, BlackBerry World & Google Play.
