Security experts applaud Apple's new two-factor authentication
Option locks Apple IDs, stymies account hijacking
Computerworld - Apple this week followed the lead of rivals like Facebook, Google and Microsoft, offering two-step authentication to help customers secure their Apple IDs against hacking.
The new feature is designed to block unauthorized changes to iCloud or iTunes accounts, and keep hackers who steal Apple IDs from purchasing digital content or hardware using the credit cards stored in customers' iTunes and Apple Store accounts.
iTunes users in particular have complained for years about security so lax that hackers have easily hijacked their accounts to run up big bills.
Security experts commended Apple, even though the company was slow pulling the trigger.
"Always exciting to see a major consumer-oriented service roll out some sort of two-factor authentication," said Jon Oberheide, co-founder and CTO of Duo Security, a developer of authentication software, in an email. "Rolling your own two-factor definitely isn't a trivial task, both from an upfront engineering cost and continued support and maintenance, despite the perceived ease from an external view."
Two-factor authentication -- sometimes called two-step verification -- is a more demanding way of locking an account than a password-only process. In enterprises, for instance, two-factor typically relies on hardware tokens that generate passcodes; each passcode is valid for only moments and must be entered along with the usual password.
But Web services don't distribute tokens. Instead, they send a passcode to a mobile phone number the account owner registered earlier. The passcode is typically sent as an SMS (short message service) text.
Apple's optional two-factor authentication uses that same approach, but can also send the passcode to an iOS device -- iPhone or iPad -- via the Find My iPhone app's notification feature. Find My iPhone is normally used to, not surprisingly, help users locate lost, stolen or misplaced devices.
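To make the "passcode valid for just moments, entered alongside the password" mechanism concrete, here is an added example that is not part of the Computerworld article and does not reproduce Apple's implementation. It implements the time-based one-time passcode scheme hardware tokens commonly use (RFC 6238 TOTP on top of RFC 4226 HOTP), then wires it into a two-step login check in which a stolen password alone is not enough. The user record, password, salt and secret are constructed for the demo; the secret is the RFC test-vector key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds a passcode stays valid (RFC 6238 default)
DIGITS = 6       # length of the displayed passcode


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is simply the current 30-second time slot."""
    return hotp(secret, unix_time // step, digits)


def verify_second_factor(secret: bytes, submitted: str, unix_time: int,
                         step: int = TIME_STEP, drift: int = 1) -> bool:
    """Server-side check. Accepts the code for the current slot and +/- `drift`
    neighbouring slots to tolerate clock skew; compares in constant time."""
    current_slot = unix_time // step
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(secret, current_slot + k), submitted):
            return True
    return False


# Constructed demo user (not real data). Password is stored as a salted PBKDF2 hash,
# and the TOTP secret is the RFC 4226/6238 test key.
CONSTRUCTED_USER = {
    "username": "alice",
    "salt": b"demo-salt",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"demo-salt", 100_000),
    "totp_secret": b"12345678901234567890",
}


def check_password(user: dict, password: str) -> bool:
    """First factor: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def two_step_login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: something you know (password) and
    something you have (the device holding the TOTP secret)."""
    return check_password(user, password) and verify_second_factor(user["totp_secret"], code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(CONSTRUCTED_USER["totp_secret"], now)
    print("current passcode:", code, "valid for about", TIME_STEP - now % TIME_STEP, "more seconds")
    print("login with password + code:", two_step_login(CONSTRUCTED_USER, "correct horse", code, now))
    print("login with password only (empty code):", two_step_login(CONSTRUCTED_USER, "correct horse", "", now))
```

The `drift` window is the usual trade-off: a wider window tolerates more clock skew on the token but lengthens the time a captured passcode can be replayed, which is why real deployments keep it to one or two slots and reject a code that has already been used.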
That drew accolades from the experts.
"I'd say [Apple's] is above-average for a consumer-oriented two-factor solution, particularly with respect to leveraging the Find My iPhone mobile application," said Oberheide in an email Friday. "Using a native app for two-factor authentication, like Find My iPhone, is a much better approach than simply relying on SMS, which has a number of security and reliability concerns."
SMS messages, for instance, can be faked, and receiving them requires that the user be in range of their carrier's signal. Find My iPhone, on the other hand, operates independently of the wireless carrier, letting iOS owners get passcodes when all that's available is Wi-Fi, or on tablets like the iPad and iPad Mini that lack cellular connectivity.
Andrew Storms, director of security operations at nCircle Security, had a different thought on Find My iPhone's advantage.
"It has some potential for good contextual awareness authentication," said Storms in an interview via instant messaging. "GPS could be used as the second factor of authentication. Are you really at the home address you already have on file with your iTunes account? If so, Apple could check your iPhone's GPS location to verify."