Apple Fixes Huge Security Hole With Two-Step Verification

Apple just added two-step verification for iCloud and all your Apple accounts. It’s a huge deal for security, and a welcome improvement to an account-security process that was full of holes and frustrating to fix.

Two-step verification sends a security code to your phone as an SMS, or as a notification from the Find My iPhone app on any iOS device, and it requires both the code and your password to log in. It won’t stop many of the social-engineering attacks and security-question resets, but it’s a good start. It’s available in the US, the UK, Ireland, Australia and New Zealand for now, and it will roll out to the rest of the world in time.

Apple’s two-step process is set up to eliminate all your security questions, which are a big vulnerability if you’ve used searchable answers to questions like your dad’s middle name or the model of your first car. In their place are the security code and a Recovery Key, which is basically an emergency password that you’re supposed to print out or keep somewhere totally safe. You can only use this key, or issue any password resets at all, from computers or mobile devices you select as “trusted”.
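To make the policy described in the two paragraphs above concrete, here is an added Python model of it; this is example code written for this article, not Apple's implementation. The 4-digit code length, the 10-minute code lifetime and the Recovery Key format are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumption: a delivered code is good for 10 minutes


class AppleIdAccount:
    """Toy model of the two-step policy above (not Apple's code); plain SHA-256 stands in for a real slow KDF."""

    def __init__(self, password, trusted_devices):
        self._pw = hashlib.sha256(password.encode()).digest()
        self.trusted = set(trusted_devices)              # devices the owner marked "trusted"
        self.recovery_key = secrets.token_hex(8)         # constructed; Apple's format differs
        self.pending = {}                                # device -> (code, expiry)
        # No security questions are stored at all, so there is nothing to look up.

    def send_code(self, device, now=None):
        """Deliver a one-time code to a trusted device; untrusted devices get nothing."""
        if device not in self.trusted:
            return None
        code = f"{secrets.randbelow(10_000):04d}"         # assumption: 4-digit code
        now = time.time() if now is None else now
        self.pending[device] = (code, now + CODE_TTL_SECONDS)
        return code  # in reality pushed via SMS / Find My iPhone, never echoed to the caller

    def _consume_code(self, device, code, now):
        """Codes are single-use: pop before checking so a failed attempt also burns it."""
        entry = self.pending.pop(device, None)
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(expected, code)

    def login(self, password, device, code, now=None):
        """Both factors are required: the password and a fresh code on a trusted device."""
        now = time.time() if now is None else now
        pw_ok = hmac.compare_digest(self._pw, hashlib.sha256(password.encode()).digest())
        code_ok = self._consume_code(device, code, now)   # evaluated even when pw_ok is False
        return pw_ok and code_ok

    def reset_password(self, device, recovery_key, new_password):
        """A reset needs the printed Recovery Key AND a trusted device; no questions asked."""
        if device not in self.trusted:
            return False
        if not hmac.compare_digest(self.recovery_key, recovery_key):
            return False
        self._pw = hashlib.sha256(new_password.encode()).digest()
        self.pending.clear()                             # codes issued under the old password die
        return True
```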

Other services, like Blizzard’s, can reset your two-factor status through Customer Service if you totally screw it up and lose your key, so it’s possible Apple will do the same once folks start freaking out about locking themselves out of their Apple accounts forever. However, a support-desk reset path would also increase exposure to social-engineering attacks.

It seems that Apple hasn’t fully integrated two-step verification into all of its services. Apple says that from now on “you will be asked to verify your identity using one of your devices before you (or anyone else) can make changes to your account or make an iTunes or App Store purchase from a new device”, but we were able to log into an Apple account that had two-step enabled from a new computer and make a purchase.

Some users are able to set up the service right away, while others have received the following message, saying they need to wait three days before they can enable it:

You must wait 3 days to enable two-step verification.
This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification. A notification email will be sent to all addresses we have on file. Thank you for your patience.

Please come back after 06:38 PM on March 24, 2013 (GMT) to continue setup.

You can enable two-step verification for iCloud at the Apple ID page.