

Apple Adds Two-Step Verification to iCloud and Apple ID - derpenxyne
https://appleid.apple.com/

======
masnick
Apple has done a great job walking users through this process.

Setting up "trusted devices" (iPhone, iPad, etc.) works really well: Apple
already knows which devices you own, so all you have to do is select the
device and you get an instant push notification to unlock to see the
verification code.

Apple gives you a backup recovery code with very clear instructions to
print/write it somewhere safe. They require you to re-enter it as part of the
setup process to make sure you got it right.

When you need a code, you pick the device you want it sent to and Apple pushes
it out instantly via some feature baked into iOS. You can also set up any
phone to have a code delivered via SMS, but presumably this is less secure
because it could be read even if your phone is locked.

Overall this is a great experience for the user -- much more friendly than
Google Authenticator.

In fact I wish this process was open a la Google Authenticator so that other
applications could use it (this will happen when hell freezes over).

~~~
cbsmith
I actually found Google Authenticator just as good on the user experience
side, with the added benefit of being far more effective.

~~~
akandiah
I haven't used Apple's system, so I can't comment on it. However, Google's
system has a few gaping holes that make it far from effective from a usability
standpoint.

First: A large number of Google's web applications still rely on application
specific passwords. This was understandable a year or so ago, but still? It's
getting very tiring generating an application specific password for some
Google applications.

This brings me to my next point: the use of application specific passwords has
been made more complicated than what's required. When confronted with a page
that asks me for an application specific password, it takes too long to
navigate to the correct page so that I can generate an application specific
password.

Thirdly, I can't change the name that I give to an application specific
password. Discovered that you have a new installation of Chrome on a VM and
want to create a password for that? Too bad: you can't rename the existing
password so that you can distinguish the two easily.

Lastly: Have you checked out the mess that's the management page for it? It's
extremely confronting. It takes a bit of getting used to. In fact, until very
recently it was rather buggy. For instance: the page used to have a date which
showed when an application specific password was last used. This date always
had the year 1970. Who lets these kinds of bugs through??

~~~
cbsmith
4) I've never seen the 1970 bug. How odd.

~~~
akandiah
I took this screen-shot a while back:
[https://lh3.googleusercontent.com/-sugoI5o0K2U/TiEaQ1-qOgI/A...](https://lh3.googleusercontent.com/-sugoI5o0K2U/TiEaQ1-qOgI/AAAAAAAADZY/AlRnntmYSPc/w497-h373/google_auth.png)

------
mootothemax
Argh! Incredibly annoying edge case! I'm in Poland, but have all my language
settings set to English, and the only country codes for receiving SMSs are
those of English-speaking countries!

Can't see any easy way to change my language on the page. How annoying!

~~~
pooriaazimi
It's annoying, but isn't an edge case. Lots of people use US stores (because
it has more content) and gift cards.

And, as it's stated in the FAQ [1], the SMS option is only available in those
countries at the moment, regardless of where you're located. When it becomes
available in Poland, they'll text you and you can activate it. But until then,
you can safely use 2FA without an SMS backup (as I did).

[1]: <http://support.apple.com/kb/HT5570>

------
pxlt
Really happy to finally have this option, but disappointing that there isn't
(yet) a way to generate codes from your trusted device as with Google
Authenticator. Hopefully it's on the way.

------
dominik
In case anyone else changed their password to something absurdly long only to
run into the same trouble I did:

Apple passwords have a max length of 32 characters.

Unfortunately, the change password page doesn't enforce this limit and will
blissfully let you think you've changed your password to something that has 50
characters, but actually only stores 32.

Later, when you use a Password Manager that saved the full 50 characters,
suddenly your password doesn't work.

Some Apple pages' login password fields cut off automatically at 32, which
lets the pasted password work (as you can't paste more than 32), but this is
not the case within iTunes itself or on the iPhone.

Solution: Apple needs to limit the new password entry fields on the My Apple
ID -> Password and Security page to 32 characters. Or, alternatively, accept
and store longer passwords. (as 32 characters is a bit tight if you're using a
passphrase)
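
As an added example (not code from the thread or from Apple), this Python sketch models the silent truncation dominik describes beside the consistent-validation fix; the 50-character password, the PBKDF2 storage and the exact enforcement point are constructed assumptions.

```python
import hashlib
import hmac
import secrets

MAX_LEN = 32  # the limit the thread reports for Apple ID passwords


def _kdf(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def store_truncating(password: str) -> dict:
    """Models the reported bug: the change-password page accepts any length,
    but only the first MAX_LEN characters are actually stored."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _kdf(password[:MAX_LEN], salt)}


def store_validated(password: str) -> dict:
    """Fix: apply the storage limit at change time, so what the user (or
    their password manager) saved is exactly what was stored."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def verify(record: dict, password: str) -> bool:
    """A login field that does not clip its input: the full string is checked."""
    return hmac.compare_digest(_kdf(password, record["salt"]), record["hash"])


def demo() -> tuple:
    pw50 = "x" * 50                               # constructed 50-char password
    buggy = store_truncating(pw50)
    full_fails = verify(buggy, pw50)              # False: manager pastes all 50
    clipped_ok = verify(buggy, pw50[:MAX_LEN])    # True: a field clipping at 32
    try:
        store_validated(pw50)
        rejected = False
    except ValueError:
        rejected = True                           # True: user is told up front
    return full_fails, clipped_ok, rejected
```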

------
deanclatworthy
What on earth is Apple doing here? The steps I went through so far:

1) I had to switch my password to something more "secure". That means adding a
capital letter and a number. I am sick and tired of companies forcing me to
use non-memorable passwords that have less entropy than if I had come up with
something memorable, personal and long by myself.

2) "You must wait 3 days to enable two-step verification. This waiting period
helps ensure that no one other than the owner of this Apple ID can set up
two-step verification. A notification email will be sent to all addresses we
have on file. Thank you for your patience."

Regardless of the reasoning for having this in place, all it does is make for
a more difficult user experience. Currently when I signed into my Apple ID
today, Apple didn't have this process in place and assumed that it was me
signing in. So by asking me to change my password when I want to enable this
feature it should probably be assumed that I am the account holder. If I was
in fact an attacker, changing the password on my account, what if I was on
holiday for a week? What if that email hit my spam folder? What if I just
didn't notice the email because I am one of the many millions of people who
fight inbox zero daily?

EDIT: Furthermore, this has now broken my iMessage and Facetime, with Apple
not sending a new activation to my device so I can use these services.

------
thomaslutz
"Initially, two-step verification is being offered in the U.S., UK, Australia,
Ireland, and New Zealand. Additional countries will be added over time." Not
in Germany yet.

------
rdl
It's kind of sad that it's taken Apple so long to do this, and they've done
such a mediocre job of it. Offline verification vs. SMS, taking advantage of
the secure element in 3GS+ phones, etc., and supporting credential management
for third party sites, all would have made Apple superior to desktops or
Android for enterprise use, or high-end consumers. But they did none of that.

------
selectout
Great to see this as finally an option, interesting that there is a 3 day wait
to activate it though... just to be certain it is my identity that wants to
add it.

~~~
tylerhall
The three day wait is only for users that recently modified their account.

From <http://support.apple.com/kb/HT5570>

"As a basic security measure, Apple does not allow two-step verification setup
to proceed if any significant changes have recently been made to your account
information. Significant changes can include a password reset or new security
questions. This waiting period helps Apple ensure that you are the only person
accessing or modifying your account. While you are in this waiting period, you
can continue using your account as usual with all Apple services and stores."

~~~
thoughtsimple
The process forced me to update my password to use their new password
requirements which then forced me to wait 3 days. I'm pretty sure my old
password was secure but it didn't meet all of the new standards. Kind of
annoying.

~~~
stock_toaster
I was not prompted to update my password (and had long ago set up security
questions), and was able to set up 2-factor immediately.

~~~
deanclatworthy
Your password must have already met their new "security requirements", mine
did not.

------
PanMan
To what extent is it two factor when one of the factors is the device you are
working on? One of the biggest risks I see with iCloud is someone
finding/stealing my phone, and using it to erase other devices. A code sent to
my phone won't prevent that. For online services, a code to your phone makes
lots of sense (the "something you have" part). For phone services, I'm less
sure.

~~~
smackfu
To use the code sent to the phone, you need to know the password or the
recovery key as well. That's the two factor part.

Contrast to someone getting your phone today... they can easily determine your
iCloud account name in Settings, and then send a password reset for it that is
delivered to the unprotected Mail app.

So for most people, it's certainly more secure.

~~~
natem345
What happens if you need a password reset with this new two-factor? Wouldn't
it still just email you, leaving you with the same problem?

~~~
smackfu
No, the FAQ says: You can reset your password at My Apple ID by using your
Recovery Key and one of your trusted devices.

I think they do a pretty good job of emphasizing that there are three things
involved here: Recovery Key, password, any trusted device. Any two will allow
you to recover the third (except if you lose your phone). Without any two,
you lose your ID forever.

------
squeed
Hooray! I can only hope that by doing this, Apple will bring 2-factor
authentication to the public forefront.

------
sandstrom
There is nothing on two-factor in my UI. Perhaps it's limited to some
geographies? (I'm not in the US)

~~~
crazygringo
There's nothing either for me. And I'm in the US, in the heart of Manhattan,
using my Time Warner cable.

Nothing on the linked page, nothing in my account settings... so I have no
idea how this works.

EDIT: never mind, it's completely hidden behind "Password and Security" in
your account, and then you have to answer your security questions to even SEE
what things you can do. ARGH. It took me several tries -- security questions
should NEVER be character-matched. How am I supposed to remember if I typed in
"Mike" or "Michael" or "Crazy Mike" for my childhood best friend, or "Honda"
or "Accord" or "Honda Accord" for my first car? (Those are obviously not my
actual answers). Security questions should ONLY ever be "matched" by a human
operator over the phone. And God forbid you should ever mistype your initial
answers! There's ZERO warning that these will ever be used in a
"password"-style sense. </rant>

~~~
dunham
I'm not a fan of security questions as they're easily discoverable and known
to other sites that ask the same question. So I just enter random nonsense
words and save a screenshot in a secure store.

------
TomatoTomato
I just attempted to add two-step, and Apple told me I needed a stronger
password before continuing. How do they know my password strength if it is
salted+hashed properly?

~~~
dbpatterson
They could store a strength measurement alongside the salt and hash.

~~~
martinced
So you mean that the strength measurement is sent from the client to the
server alongside the hashed+salted password? Passwords are hashed+salted on
the client side, right? They're not transmitting passwords "in the clear" to
hash+salt them on the server side? (Even over SSL I'd be worried about
passwords travelling between client/Apple servers, given the number of hacks
trying to exploit SSL/TLS recently.)

~~~
izakage
If passwords were hashed+salted client-side, an attacker could use the
hash+salt in exactly the same way as they would a 'raw' password.

So the answer is no; the strength measurement would be done on the server when
the password is being hashed or verified.

~~~
Joeri
That's true only for the initial password creation. During verification you
could send down two salts, the real salt and a session salt. You double-hash
the password on the client with both salts, and the server hashes on the
server with the session salt. The hash that gets sent over the wire cannot be
used for replay attacks.

I don't think it adds much security though. If you don't trust the channel to
properly protect the transmitted password, it's not possible to build a
trusted relationship with the server. You have to assume ssl works.
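
An added sketch of the two-salt scheme Joeri describes, not code from the thread or from Apple; the PBKDF2 inner hash, the HMAC outer step and the server remembering its outstanding session salt are assumptions used to fill in the details. It shows that a captured response cannot be replayed, and also the caveat izakage raises: the stored hash by itself is enough to answer the challenge.

```python
import hashlib
import hmac
import secrets


def make_user(password: str) -> dict:
    """Server stores only the per-account real salt and H(password, real_salt)."""
    real_salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), real_salt, 100_000)
    return {"real_salt": real_salt, "stored_hash": stored}


def server_issue_challenge(user: dict) -> tuple:
    """Server sends down both salts; the session salt is fresh and single-use."""
    session_salt = secrets.token_bytes(16)
    user["pending"] = session_salt          # only this salt is accepted next
    return user["real_salt"], session_salt


def client_response(password: str, real_salt: bytes, session_salt: bytes) -> bytes:
    """Client double-hashes: inner with the real salt, outer with the session salt."""
    inner = hashlib.pbkdf2_hmac("sha256", password.encode(), real_salt, 100_000)
    return hmac.new(session_salt, inner, "sha256").digest()


def server_verify(user: dict, response: bytes) -> bool:
    """Server repeats only the outer step on its stored hash; one try per challenge."""
    session_salt = user.pop("pending", None)
    if session_salt is None:
        return False                        # nothing outstanding: stale or replayed
    expected = hmac.new(session_salt, user["stored_hash"], "sha256").digest()
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    pw = "correct horse battery staple"     # constructed sample password
    user = make_user(pw)
    real_salt, s1 = server_issue_challenge(user)
    r1 = client_response(pw, real_salt, s1)
    first_login = server_verify(user, r1)             # True
    replay_same = server_verify(user, r1)             # False: challenge consumed
    server_issue_challenge(user)
    replay_new_session = server_verify(user, r1)      # False: bound to s1
    _, s3 = server_issue_challenge(user)
    # Caveat: whoever holds the stored hash needs no password to answer.
    from_stored_hash = hmac.new(s3, user["stored_hash"], "sha256").digest()
    db_theft_passes = server_verify(user, from_stored_hash)  # True
    return first_login, replay_same, replay_new_session, db_theft_passes
```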

------
smackfu
One odd thing is that it won't let me enable two-factor without setting a
_stronger_ password.

------
anizan
I wonder if it's got more to do with credit card fraud on iTunes than any
specific sensitive data concern. Do people use iCloud a lot? Or maybe they are
thinking of providing some cloud service this year which needs the added
security.

