Apple quietly added optional two-factor authentication for Apple ID accounts last week, joining the likes of Google, Dropbox, PayPal, Facebook, and an ever-growing number of other sites. This additional layer of authentication helps protect the increasingly important Apple ID accounts that millions of Mac and iOS users rely on for iTunes Store and App Store purchases, iCloud logins and data sharing, support from Apple, and more.
Although it’s optional, we recommend enabling two-factor authentication as soon as is practical for you. Since online criminals can use compromised Apple ID accounts both to siphon money from credit cards and to take over your digital identity, it’s no longer paranoid to worry about your password being stolen. Although it may seem like a hassle, and setup should be done with care, Apple’s two-factor authentication will not impact your life significantly. Apple says there are only three situations in which two-factor authentication will be invoked:
When you sign in to the My Apple ID site to manage your account.
When you make a purchase from the iTunes Store, App Store, or iBookstore from a new device.
When you get Apple ID-related support from Apple.
Factoring the Security Equation -- The “factors” in two-factor authentication refer to two distinct private elements one must know or have to perform a successful login. The first factor is typically a password, as it still is with Apple IDs. The second is an “out-of-band” element: a code that can only be known or created using separately provided hardware or separately registered software. The out-of-band part is important to ensure that someone who already knows your password or has gained access to your computer cannot also obtain the second factor through the same medium.
Two-factor authentication used to be wonky, but with the rise in online crime, we’re seeing increasingly widespread support. I have two separate keyfobs, one for PayPal/eBay and another for E*Trade, from which I have to enter a six-digit number whenever I log in to those services. That number changes every minute. Google offers Google Authenticator, a mobile app for iOS, Android, and BlackBerry that can provide the same sort of code more conveniently, once you’ve associated it with your Google account. Dropbox can use Google Authenticator, too, which is handy, relying on a separately registered and generated entry in the app. Even Facebook offers two-factor authentication through both SMS text messages and the Facebook iOS app. Many other services without apps also rely on SMS text messages to send a code to a mobile device under your control in order to provide the out-of-band component.
This two-factor method replaces the “security questions” that Apple has long relied on, much like many other companies. These questions are typically drawn from a list of possibilities like, “Who was your best friend in school?” But the questions may be ambiguous and can often be hacked easily by identity thieves hoovering up your personal details by searching Google, Facebook, or other personal information services. (In “Take Control of Your Passwords,” Joe Kissell recommends coming up with what is essentially a passphrase — not a truthful answer — for each security question.)
Worse, as Mat Honan amply documented when his own accounts were hijacked, crackers can sometimes take over an account using a combination of social engineering and logical failures in password-reset procedures. At one point, Amazon allowed you to add an email address by phone if you had the last four digits of a credit card on file. However, you could also add a credit card by phone. Crackers realized they could add the credit card in one call, hang up, and then call back to add an email address they owned using the stolen (but still active) or faked (but validly formulated) card number they’d just provided. They could then get a password-reset message sent to their email address.
Honan documented that with an Amazon account, an attacker could then view the last four digits of other stored credit card numbers for that account, and use that information to reset passwords or add email addresses to an Apple ID or accounts at other sites.
These attacks fail when the miscreant must both reset the password and either have physical possession of an unlocked device owned by the target or intercept SMS messages bound for that person. For sophisticated attacks targeted at an individual — say someone involved in government or corporate espionage or even a particularly messy divorce — two-factor authentication may still not be enough, but it’s more than sufficient to prevent the commonplace drive-by assaults on one’s identity.
Factor Your Decision -- Before you set up Apple’s two-factor authentication, consider what the future looks like after the switch, as there are pluses and minuses with the new method.
On the upside, consider:
No thief with your password alone can change your password, have Apple make account changes by phone, or gain access to your account to make iTunes Store, App Store, or iBookstore purchases from a new device.
No more security questions to answer and remember!
You can reset your password securely (using a linked device and a special recovery key described below) if you forget it or believe it was compromised.
But there are a few downsides, too:
You must be able to receive SMS messages, or be set up with notifications via Find My iPhone on a particular iOS device. (Apple’s assumption appears to be that both reception of SMS messages and Find My iPhone require physical possession of a specific piece of hardware, whereas messages sent via iMessage, for instance, could appear on multiple devices.)
You can permanently lose access to your account in a particularly complicated scenario that’s unlikely, but possible. As Apple describes in a support note, you can reset access to an account as long as you have two of the following: the account password, access to a “trusted” device associated with the account, and a special recovery key generated when you set up two-factor authentication that’s used as a last resort. But if you have only one or none of those, your account is dead forever. “You will need to create a new Apple ID,” Apple writes, and that is guaranteed to be annoying at best.
And there are two kinds of access that two-factor authentication doesn’t protect:
It doesn’t prevent email from being accessed with just the knowledge of the password. Someone could still retrieve your email from a me.com, mac.com, or icloud.com address with just the account name and password. That would in turn still let an attacker invoke password resets for other services that you set up using an Apple-managed address.
You can log into the iCloud Web site with just the password, and use all the services there, including Mail, Contacts, Calendar, Notes, Reminders, Documents in the Cloud, and even Find My iPhone, from which your devices can be erased (you are backing them up, aren’t you?).
Finally, if you made any significant changes to your Apple ID account in the last few days, Apple won’t let you turn on two-factor authentication for three days. And if your Apple ID password is too weak for Apple’s tastes (see “FlippedBITS: Four Password Myths,” 20 March 2013), Apple forces you to change it, and then forces you to wait for three days.
Enable Apple’s Two-Factor Authentication -- If you’re ready to go, follow the steps listed in Apple’s support note if you’re in a supported country, or read our version below. (Apple has rolled out two-factor authentication in the United States, the United Kingdom, Australia, Ireland, and New Zealand, and plans to add additional countries over time. Perhaps it’s a localization issue.)
Navigate to the My Apple ID site, click Manage Your Apple ID, and log in using your current account information.
Click Password and Security on the left, answer the security questions shown, and click Continue.
Under the “Two-Step Verification” heading and text at the top, click the Get Started link.
Apple then presents three screens of information, benefits, and warnings. Read each one and click Continue on the first two, then Get Started on the last one.
Apple displays a list of iOS devices associated with your account and lets you add SMS numbers for mobile phones. When you are finished verifying devices, click Continue.
If you click Verify, Apple sends a code to the associated device via Find My iPhone. But, cleverly, if your device is locked with a PIN, unlike an SMS or iMessage, Apple prompts you to unlock iOS first to get the code. You may have problems if you have multiple Apple IDs because Find My iPhone can be associated with only one Apple ID. For instance, if you use
firstname.lastname@example.org calendars and contacts on an iPad, that’s the account Find My iPhone will use, and you won’t be able to associate that iPad with another Apple ID registered under
If you click “Add an SMS-capable phone number,” Apple sends the code in an SMS message. That works for connecting an iPhone that’s associated with a different Apple ID via Find My iPhone or a completely different mobile phone, even one owned by someone you trust. Happily, the SMS message is free.
Apple now provides you with a 14-character recovery key that, if lost, cannot be recovered by anyone. Click Continue or Print Key to proceed. Apple recommends you write down your recovery key and don’t store it on your Mac. That’s reasonable advice, although if you have a tool that lets you store items with strong encryption (such as 1Password or Yojimbo) and secure that tool’s database with a strong password that’s not stored on the computer, you’re not tempting fate.
You have to re-enter the recovery key to prove that you really wrote it down! Type it in again, and click Confirm, which lights up only if you’ve entered the key correctly.
A final warning screen explains once again how completely messed up your life will be if you lose two or three of the elements required to reset your account. Select “I Understand the Conditions Above” and click “Enable Two-Step Verification.” The Manage Your Security Settings page now shows “Two-step verification is enabled.”
You will receive email notification of the change to all associated accounts immediately afterwards — and I do mean immediately, as mine arrived within a few seconds.
From then on, any time you access one of Apple’s protected services, such as the My Apple ID site’s Manage My Apple ID section, you’re asked which method you want to use to verify. Select it and proceed, and a code is sent. Enter that code, and you’re all set.
Not a Universal Solution -- Two-factor authentication doesn’t solve all problems associated with validation and identity theft, but it solves some of the most important ones: password resets for account hijacking, purchases made through Apple-related services on new devices, and phone-based social engineering.
I’ve turned it on for the account I use for purchasing items, and recommend the same for all of you. Just make sure you have all your ducks and devices in a row (associated with the appropriate Apple ID and at hand) before you start!