Apple Extends Two-Factor Authentication to iCloud

Apple finally has enabled two-factor authentication for its iCloud storage service, more than a year and a half after the company first turned the protective measure on for iTunes purchases and Apple ID.

The extension of 2FA, which Apple calls two-step verification, to iCloud comes two weeks after the company faced public scrutiny over the security of the service following the publication of photos belonging to dozens of celebrities. The attack was initially thought to have been a breach of iCloud itself, but Apple officials said there were no indications that iCloud had been compromised. Instead, the company said it was the result of a “very targeted attack on user names, passwords and security questions”.

On Tuesday, Apple sent an email to users informing them that the 2FA system it employs for iTunes and Apple ID is now enabled for iCloud.

“Starting today, in addition to protecting your Apple ID account information, two-step verification also protects all of the data you store and keep up to date with iCloud,” the email says.

The system also lets users generate app-specific passwords for third-party applications that use iCloud. Like the equivalent feature Google offers for Gmail, it issues a long, random password for each specific app, so that an app which cannot complete the verification step never needs the main account password, and a single app password can be revoked without affecting anything else.

Apple’s 2FA system is also similar to the Gmail two-factor infrastructure. When logging in to iCloud or iTunes, a user enters her Apple ID and password and then a verification code that Apple sends either via SMS or through the Find My iPhone app. This presents an extra hurdle for an attacker trying to take over a user’s account: a stolen password alone is no longer enough, because the attacker must also obtain the code delivered to one of the target’s trusted devices.
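To make the mechanism concrete, here is an added example (the editor's own code, not Apple's or Google's) modelling the two pieces the article describes: a two-step login in which the password and the out-of-band code are both required, and per-app passwords that are issued once and stored only hashed. Everything specific, the 4-digit code length, the 300-second expiry, the three-guess limit, the 16-letter app-password format and the `Account` class itself, is an assumption for illustration and is not taken from the article.

```python
# Added illustration (editor's example, not Apple's code): a minimal model of
# the two-step verification flow described above, plus app-specific passwords.
# Assumptions, not taken from the article: codes are 4 digits, expire after
# CODE_TTL_SECONDS, allow MAX_CODE_ATTEMPTS guesses and are single-use;
# app-specific passwords are 16 random letters stored only as salted PBKDF2
# hashes and can be revoked one at a time.
import hashlib
import hmac
import os
import secrets
import string
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a delivered code
MAX_CODE_ATTEMPTS = 3    # assumed guess limit: a 4-digit code must not be brute-forceable online


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so neither the password nor app passwords are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.pending = None        # (code, issued_at, attempts) while a code is outstanding
        self.app_passwords = {}    # label -> (salt, hash)

    # ---- factor 1: something the user knows ----
    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    # ---- factor 2: a code delivered to a trusted device (SMS / push in Apple's case) ----
    def begin_login(self, password: str, now=None):
        """Phase 1: only a correct password causes a code to be issued. Returns the code
        that would be sent out of band (never to the web client), or None."""
        if not self.check_password(password):
            return None
        code = f"{secrets.randbelow(10_000):04d}"
        self.pending = (code, time.time() if now is None else now, 0)
        return code

    def finish_login(self, code: str, now=None) -> bool:
        """Phase 2: AND-composition; the code must match, be fresh and be unused."""
        if self.pending is None:
            return False
        expected, issued, attempts = self.pending
        now = time.time() if now is None else now
        if now - issued > CODE_TTL_SECONDS:
            self.pending = None              # expired: force a fresh code
            return False
        attempts += 1
        ok = hmac.compare_digest(expected, code)
        # Burn the code on success (no replay) or after too many guesses.
        self.pending = None if ok or attempts >= MAX_CODE_ATTEMPTS else (expected, issued, attempts)
        return ok

    # ---- app-specific passwords for clients that cannot do the code step ----
    def create_app_password(self, label: str) -> str:
        """Issue a random 16-letter password for one app; shown once, stored only hashed."""
        raw = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        salt = os.urandom(16)
        self.app_passwords[label] = (salt, _hash(raw, salt))
        return "-".join(raw[i:i + 4] for i in range(0, 16, 4))   # grouped for readability (assumed format)

    def check_app_password(self, candidate: str):
        """Return the label of the matching app password, or None. The app sends only
        Apple ID + app password, so every stored entry is tried. The main password
        is never accepted here and app passwords are never accepted by
        check_password, so the two credential types stay separate."""
        raw = candidate.replace("-", "")
        for label, (salt, digest) in self.app_passwords.items():
            if hmac.compare_digest(_hash(raw, salt), digest):
                return label
        return None

    def revoke_app_password(self, label: str) -> bool:
        """Revoking one app's password leaves the account password and other apps untouched."""
        return self.app_passwords.pop(label, None) is not None


if __name__ == "__main__":
    acct = Account("correct horse battery staple")     # constructed sample account
    code = acct.begin_login("correct horse battery staple", now=0.0)
    print("code issued (would go to trusted device):", code)
    print("login with code:", acct.finish_login(code, now=10.0))
    print("replay of same code:", acct.finish_login(code, now=11.0))
    mail_pw = acct.create_app_password("Mail client")
    print("app password accepted for:", acct.check_app_password(mail_pw))
    acct.revoke_app_password("Mail client")
    print("after revocation:", acct.check_app_password(mail_pw))
```

The points worth noticing are the ones the article only hints at: the code is issued only after the password succeeds, so the two factors are combined with AND rather than OR; a code is consumed by a successful login and cannot be replayed; a short code is protected against online guessing by the attempt limit rather than by its length; and an app password, being a separate credential, can be revoked without touching the account password.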

Discussion

  • Anonymous

    TFA and app-specific passwords? Welcome to 2012, Apple! Just remember, Google... imitation is the best form of flattery.
  • Hitoshi Anatomi

    2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

    I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used. Media should let this fact be known to the public lest consumers should be misguided.

    By the way, I am very worried to see so many people being utterly indifferent to the fundamental difference between AND/conjunction and OR/disjunction when talking about “using two factors together”. Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users must have been notified that, when falsely rejected with the device finally locked, they would have to see the device get reset. Like other biometric products, Apple’s iPhones are operated by (2) so that users can unlock the phones by passcodes when falsely rejected, which means that the overall vulnerability is the sum of the vulnerability of biometrics and the vulnerability of a password. It is necessarily larger than the vulnerability of a password. As for an additional vulnerability unique to biometrics, you may refer to http://mashable.com/2013/09/11/girl-fingerprint-scanner/

    Needless to say, so-called 2-factor systems with a password as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.
