With the celebrity nude photo leak still making waves, Apple CEO Tim Cook has announced that the company will extend two-factor authentication to mobile logins for the iCloud service, when iOS 8.0 comes out later this month. And, it will start sending push notifications to users when changes are made to iCloud accounts.
He also downplayed any security oversight on Apple’s part for the leak.
While 2FA has been available from the web, sers will soon be able to enable it from iPhones and iPads as well—a notable hole in the security option menu until now, given the near-ubiquity of Apple devices in some markets, like the United States. So, in addition to an Apple ID and password, users will have the option of requiring a PIN code sent to the device through SMS or a key generated at the time of sign-up.
Also, in about two weeks, Apple will begin alerting users via email and push notifications when a new device tries to log into an iCloud account for the first time, and anyone attempts to restore iCloud data to a new endpoint. It will also send a push notification when a password change is attempted or made.
Apple has been the subject of negative publicity in the wake of the photo leak. The theft, which affected about 100 unsuspecting celebs, was originally thought to be a brute-force attack that used a set of 500 or so common-ish passwords to randomly attempt to break into accounts. The implication is that Apple had set no limit on the number of times that account credentials could be tried before locking the user out.
However, speaking to the Wall Street Journal, Cook said that celebrities fell victim to hacking of their iCloud accounts because the perpetrators were able to successfully phish the credentials, or were able to answer security questions correctly—thus placing the blame squarely back on the shoulders of the celebrities themselves.
"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."
The Apple IDs and passwords were not, he stressed, leaked or lifted from the company's servers. And, he pointed out the company’s pioneering position with biometrics, with the Touch ID fingerprint sensor in its iPhone 5S.