Today Apple quietly expanded its use of two-factor authentication to protect iCloud users. Now those who have enabled the added security measure will be asked to verify their identity with a secondary device when logging into iCloud.com.
For the first time, two-factor authentication also protects iOS device backups from being accessed by hackers. Ars Technica tried using a forensics tool to extract data from a device backup protected by two-factor authentication, and nothing was accessible. Backups tied to iCloud accounts that don’t have two-factor enabled are still hackable.
Another minor security addition is the option to forcibly log out of all browsers currently logged into iCloud.com. Two-factor authentication was enabled for iCloud on the web earlier this year, but only briefly. It was turned back on today.
Apple has been taking steps to enhance iCloud security following the recent hacking of numerous celebrity accounts. Tim Cook said Apple would start alerting users via email and push notification when someone tries to change their account password, restore iCloud data to a new device, or when a device logs into an account for the first time. Apple recently started notifying users via email when iCloud is accessed via the web.
2 responses to “Apple strengthens iCloud.com security with two-factor authentication”
Do you know if, when using the Find My iPhone app on iOS, the person’s phone you are logging into will also be notified of that? It would be somewhat counterintuitive to do that if I’m looking to see where my child is and they get an email notifying them that dad was looking. LOL
I am very worried to see so many people being utterly indifferent to the fundamental difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users must have been notified that, when falsely rejected with the device finally locked, they would have to see the device get reset.
Like other biometric products, Apple’s iPhones are operated by (2) so that users can unlock the phones by passcodes when falsely rejected, which means that the overall vulnerability is the sum of the vulnerability of biometrics and the vulnerability of a password. It is necessarily larger than the vulnerability of a password. Biometrics like Touch ID operated with a password in the OR/disjunction way (as in the case of iPhone) offers lower security than when only the password is used.
As for an additional vulnerability unique to biometrics, you may refer to http://mashable.com/2013/09/11/girl-fingerprint-scanner/
Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.