With each new release of iOS, Apple has been improving the security of the mobile operating system, adding new features, inserting exploit mitigations, and taking away avenues for attack. In the forthcoming iOS 9.0 release, the company is continuing this movement with the addition of two-factor authentication and a number of other security features.
Last year, in the wake of the hysteria surrounding the celebrity photo hacking scandal that involved targeted attacks on iCloud accounts, Apple enabled two-factor authentication for the cloud storage service. It also has turned it on for iTunes purchases. Now, Apple is enabling 2FA for users when they sign into their Apple accounts from a new device or new browser.
“A password alone is not always enough to keep your account secure. With two-factor authentication, when you sign in from a new browser or on a new device, you’ll be prompted for a verification code. This code is automatically displayed on your other Apple devices or sent to your phone. Enter the code and you’re quickly signed in — and any unauthorized users are kept out,” Apple said in the notes for iOS 9.
The system that Apple employs for this is more like a two-step verification method than a true 2FA system, as it doesn’t require a physical token or biometric identifier. But it adds another roadblock for attackers trying to take over users’ accounts.
Apple also is changing the passcode strength from four digits to six, a move that it says ups the number of potential passcodes from 10,000 to one million.
“I don’t claim that this is a significant security improvement, it’s not for an attacker that can mount an offline bruteforce attack on your phone. But it’s a strong signal, months after the FBI complained about Apple’s default encryption in iOS 8. Notice that Apple does not let you continue without making a 6-digit password or selecting another passcode option,” security researcher and developer Frederic Jacobs said in a post analyzing the new security features in iOS 9.