In the wake of the iCloud photo theft scandal, Apple’s CEO said the company plans to extend its two-factor authentication system to logins to the iCloud service from mobile devices. The change will come when iOS 8.0 comes out later this month.
The change will give users the option of enabling a second layer of authentication for iCloud logins from iPhones and iPads. In addition to an Apple ID and password, users who have 2FA enabled will be required to enter a PIN code sent to the device through SMS or a long access key generated at the time of sign-up. Speaking to the Wall Street Journal, Tim Cook, Apple’s CEO, said that the company needed to do more to protect users’ information, a fact that was highlighted by the celebrity photo leak several days ago.
The as-yet-unknown attackers in this case were able to access victims’ iCloud accounts by getting their passwords, either through phishing attacks or by correctly answering security questions. Apple has had 2FA available for iTunes and Apple ID accounts since March 2013, but it is not enabled by default and it doesn’t apply to iCloud logins at this point. The company has not widely publicized the availability of the 2FA option, something that security experts have criticized the company for.
In addition to extending 2FA to iCloud logins, Cook said Apple also plans to start sending email and push notifications to users if certain operations are attempted on their accounts, such as password changes, iCloud data restorations to a new device or logins from a new device. Those notifications will start in the next couple of weeks, but one limitation of the change is that users will be made aware of these attempts only after they’ve occurred.
While 2FA is not a panacea for defending against account takeovers or similar attacks, it presents another roadblock for attackers to overcome on the way to compromising the account. In attacks on systems such as iTunes or Gmail that utilize this version of 2FA, in general the attacker would need to have physical access to the user’s device in order to get the one-time password that’s sent to the device during a login attempt. That’s a relatively high barrier for most attacks, which tend to be remote and opportunistic, and if an attacker has physical possession of a device, very little is going to stand in his way.