Take Control of Security for Mac Users, Chapter 9: Manage iCloud Security
Because so many aspects of OS X depend on Apple’s free iCloud service for key functionality, iCloud security merits its own chapter. Of course, iCloud works on mobile devices, Windows PCs, and even Apple TVs — not just on your Mac — but the more you know about iCloud security, the better you’ll be able to protect your Mac and its data from unwanted access.
Is there a subtle difference between "two-factor authentication" and "two-step verification"? That is, for Apple to refer to the practice you describe with their own terminology seems a bit disingenuous to me. As I understand the two-step process you describe, the second factor is sent by the server software to your iOS device and you enter it. This seems subtly different from the second factor being in one's possession on another device, through another process, say an RSA SecurID or other random-number-generating tokens like the one used by PayPal (and there are others). And the recent hacking of two-factor authentication that uses the biometrics of fingerprints is another troublesome issue here. Is it your opinion that the terminology isn't that important, it's having any second factor that's important? Or, to put it another way, if someone has my iOS device and my primary passphrase, then I think they can initiate a change action or a login should they see the arrival of that code. Of course, if they have my token, then they can get in. And are there weak tokens and strong tokens? The RSA SecurID has also been hacked.
So, sorry for that long-winded diatribe. In the final edition of Chapter 9, might there be some advice about how to assess the efficacy of any two-step or two-factor process? I expect some will be stronger than others, and I'd love some advice on how to find the good needle in that haystack of offerings and lingo.
Long story short, yes, there is a subtle difference (or at least there can be) between two-factor and two-step. For example, if you log in with two-step on a Mac that has SMS Relay set up with an iPhone, your second code will appear on the very same device—in which case, it's still two steps but not really two factors.
However, even then, two-step or two-factor is still a better idea than single-factor. It can't hurt, and it might help. In your example, someone has your iOS device and your primary passphrase. But that's the whole point—they have two different things. They had to find/guess/hack your passphrase AND steal your phone. The likelihood of both happening is far less than just one or the other.
You can't objectively determine the relative security of various two-step/two-factor systems, but it doesn't matter because it's not like you have a choice. I mean, you can choose to use it or not, but you can't say, "Hey, Apple, I don't like your SMS-based approach, let me use a retina scan instead." If a company offers two-step/two-factor, you have to take what you get.
Ah yes, that take-what-you-get issue has been a real thorn in my side until very recently. Many of the large US investment custodians (who shall remain nameless here) until very recently had just passwords, and many were just letters and numbers, and letters were mapped uppercase and lowercase to the same character! I was flabbergasted when I discovered this (in 2006). I wanted to know when they would allow passphrases (raise the limit from 8 characters to 15, 24, or 32). In poking around, they seem to have been stuck far too long in catering to those who wanted to know the balance of their retirement or investment accounts over the telephone and initiate transfers to their credit union or bank, and would use only the telephone keypad to enter account numbers and username-password pairs. There I was, looking for special characters and lengthy passphrase standards, and they were in the dark ages of 8-character limits and mapping uppercase and lowercase letters to the same space, catering to the "using the telephone keypad" crowd. So, yes, Joe, at times you take what you can get and make the best of it.
And thanks for your work on this TC Book, it contains much information I have tried to impress on computer users I've taught over the last 25+ years. I'll be pointing people to this TC book for readable, pertinent guidance.
The whole thing makes me glad I don't use iCloud except for my minimums.
Is it possible to turn off two-step verification once it is activated?
Using iCloud (carefully) is safer and more convenient than most of the alternatives. If this chapter scared you off, that was not my intention at all.
It is possible to turn off two-step verification if you like (although I wouldn't recommend it). You can do that at appleid.apple.com.
I use Dropbox and it meets my needs. It may not be as secure but I will live with it.
As a long-term Apple user, I've been burned by their discontinuation of "software" too often, so I don't use anything I don't have to. Given that track record, the April Fools' "prank article" of switching iCloud to eWorld seems entirely too possible.
Hardware, on the other hand, has been quite excellent so far.
This is obviously confusing for me. I've read portions of it three times. One last question set for this chapter, I think.
The Mail sections says "... If you do use iCloud for email, leaving Mail selected in the iCloud pane of System Preferences makes the account available in the Apple Mail app. On the other hand, deselecting that checkbox doesn't affect sending or receiving email from your iCloud account using other Macs or iOS devices, or the icloud.com Web site."
I do use iCloud mail and I use the Mail apps on half a dozen owned devices. At first it appeared I had to leave the box checked on all my Macs and devices but the "other Macs or iOS devices" confused me. That might need clarification.
In the meantime, does the box need to be selected or not?
BTW, I'm learning a lot from this book and have implemented some already.
The Mail checkbox on the iCloud preference pane determines whether Mail (on this particular Mac only) is set up to access your iCloud email account. It has no effect on any of your other devices. If you want to use iCloud for email in Mail, it must be checked. If you uncheck it, you can still access your iCloud email account on other devices or on the iCloud Web site—just not in Mail.