The move co-incidentally coincided with the latest high-profile Twitter account hijack (of the BBC Weather account) on Thursday, but more specifically follows last year’s disastrous hack of journalist Matt Honan’s Apple identity. In both cases, and very many more, 2-factor authentication would almost certainly have prevented the hacks.
Authentication is usually defined by the number of factors involved. Password only is single factor – it’s something the user knows. The most common second factor is usually something the user has/owns – such as a trusted device like a personal phone. A common third factor would be something the user is; that is, a unique biometric identifier. Others could include geography; that is, where the user is located.
Apple’s 2-factor authentication involves sending a one-time authentication code to the user’s phone; that is, to something the user owns in addition to the password that user knows. “When you set up two-step verification, you register one or more trusted devices. A trusted device is a device you control that can receive 4-digit verification codes using either Find My iPhone notifications or SMS to verify your identity,” announced Apple yesterday.
Once a user has done this, any hacker would need to know the account password and have access to the user’s phone and password (or have infected the user with a sophisticated man-in-the-browser trojan). It is not fool-proof (nothing in security is), but it raises the bar significantly. “Without both your password and the verification code, access to your account will be denied,” explains Apple.
ESET’s David Harley (ESET is also involved in 2-factor authentication) stresses that the 2nd factor also needs to be secured. “Since it's not usually practical to guarantee that the trusted device will always be 'physically secure', the user needs to go the extra mile to restrict unauthorized access, and I'd have liked to see more about that in the [Apple] document,” he told Infosecurity. “My concern isn't with the Apple ID authentication, but with the way that the trusted device itself needs to be locked. And, of course, Apple itself needs to take prompt action over occasional glitch issues like the iOS 6.1.3 lock bypass issue.”
Use is optional. Users can set it up or ignore it; or turn it off later. Although good security advice is always to take advantage of 2-factor authentication if it is available, users notoriously choose ease over security. Google was one of the first major cloud companies to introduce 2-factors – but it has not been without problems. Firstly, it has had a relatively low uptake by users; and secondly a bug was revealed (and fixed) only last month.
Apple’s process also provides a separate ‘recovery key’ “to regain access to your account if you ever lose access to your devices or forget your password.” This is an important safety element, but needs to be kept very safely and not online. If the user loses access to any two of these three items (password, trusted device and recovery key) at the same time, warns Apple, “you could be locked out of your Apple ID account permanently.”
This warning is something that pleases Sophos’ Graham Cluley. “The good news about what Apple has done is that they've made it clear that if you opt for 2FA then you take on full responsibility for password recovery. That means, Apple support staff will be unable to help you if you need to reset your password, rather than merely disallowed from doing so.
“Which means there shouldn't be any more Mat Honan-style social engineering hacks on Apple support staff.”