PSA: Apple's Two-Step Verification and You

    Apple added the option of two-step verification to Apple IDs last week, so I thought I'd put together a bit of a Public Service Announcement about why you should enable it, how to actually enable it and how it works once it's enabled.

    I would like to make it clear up front that I'm by no means a security expert. I just have a healthy paranoia about my online accounts, so I've spent some time trying to understand how all these security measures work and why we need them. If you want to dig into this a little more, I'd highly recommend checking out Ars Technica. They often cover this sort of stuff with in-depth articles.

    Before we dig into how to enable it, I should probably explain what two-step verification is and how it works in general.

    As the name implies, two-step verification verifies your access to a system by authenticating your identity with two different mechanisms. The first is your username and password (something you know); the second is a four- to nine-digit code that is either sent by SMS to a pre-configured mobile number or generated by an app or hardware token (something you have). The point is that an attacker who learns your password still can't log in without also having your phone or token.

    I've used two-step verification at work for years, and it's still pretty common to secure a corporate user's VPN connection with both a user ID and password and an RSA token. Over the last few years two-step verification has become more and more commonplace in the consumer space. In fact, you've probably already come across some form of it. For example, the bank accounts I have with several different financial institutions all use some form of two-step verification, and my Blizzard account can use a Mobile Authenticator app or an Authenticator token to secure my login to WoW, Diablo 3 and StarCraft II.
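To make the mechanism concrete, here is an added Python sketch of the server side of a two-step login. It is not Apple's code and not part of the original post; the code length, five-minute lifetime, three-attempt budget, user names and phone number are all assumptions chosen for the example. Step one checks the password, and only then is a fresh random code sent out of band (here a callback standing in for the SMS gateway); step two accepts that code once, within its lifetime, and cuts off guessing. The constructed scenario at the bottom shows that an attacker holding only the password cannot complete the login.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # assumption: the post says 4 to 9 digits; 6 is a common choice
CODE_LIFETIME_S = 300  # assumption: a code is only good for five minutes
MAX_ATTEMPTS = 3       # assumption: three wrong codes void the pending login


def hash_password(password, salt=None):
    """Salted PBKDF2 so a leaked user table can't simply be read back."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class TwoStepLogin:
    """Step one checks the password; step two checks a fresh one-time code that
    was sent out of band (SMS or push) to the user's registered phone."""

    def __init__(self, deliver, clock=time.time):
        self.users = {}         # username -> {"salt", "pw_hash", "phone"}
        self.pending = {}       # username -> {"code_hash", "expires", "attempts"}
        self.deliver = deliver  # callable(phone, code); stands in for the SMS gateway
        self.clock = clock      # injectable so expiry can be exercised in tests

    def register(self, username, password, phone):
        salt, pw_hash = hash_password(password)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash, "phone": phone}

    def step_one(self, username, password):
        """Return True and send a code if the password is right; never send a
        code (and do the same amount of work) otherwise."""
        user = self.users.get(username)
        if user is None:
            hash_password(password)  # same cost for unknown users: no timing oracle
            return False
        _, candidate = hash_password(password, user["salt"])
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return False
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),  # never store the code itself
            "expires": self.clock() + CODE_LIFETIME_S,
            "attempts": 0,
        }
        self.deliver(user["phone"], code)
        return True

    def step_two(self, username, code):
        """Return True exactly once for the right code, within its lifetime,
        and before the attempt budget is used up."""
        pending = self.pending.get(username)
        if pending is None:
            return False
        if self.clock() > pending["expires"] or pending["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]  # expired or brute-forced: start over at step one
            return False
        pending["attempts"] += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), pending["code_hash"])
        if ok:
            del self.pending[username]  # single use: a replayed code is rejected
        return ok


def demo():
    """Constructed scenario: the real user logs in; an attacker who has only
    the password cannot finish, and guessing the code is cut off."""
    sent = []  # (phone, code) pairs the fake SMS gateway "delivered"
    login = TwoStepLogin(deliver=lambda phone, code: sent.append((phone, code)))
    login.register("alec", "correct horse battery staple", "+61 401 234 567")  # constructed user

    results = {}
    results["wrong_password"] = login.step_one("alec", "password1")  # False, and nothing is sent
    results["right_password"] = login.step_one("alec", "correct horse battery staple")
    phone, code = sent[-1]  # only the phone ever sees this value
    # attacker guesses chosen so none of them is the real code, to keep the run deterministic
    guesses = [g for g in ("000000", "123456", "111111", "222222") if g != code][:MAX_ATTEMPTS]
    results["attacker_guesses"] = [login.step_two("alec", g) for g in guesses]
    results["real_code_after_lockout"] = login.step_two("alec", code)  # budget spent: False

    login.step_one("alec", "correct horse battery staple")  # user starts again, fresh code
    _, code = sent[-1]
    results["real_code"] = login.step_two("alec", code)      # True
    results["replayed_code"] = login.step_two("alec", code)  # False: single use
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design choices worth noting: the code is stored only as a hash and compared with `hmac.compare_digest`, so a database read or a timing measurement doesn't hand it to an attacker, and a failed second step never reveals whether the password in step one was right, which is what the wait-and-SMS design in the post relies on.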

    Next, I want to address a question that I've seen in a couple of places, and that Alex raised on this week's episode of the MacTalk podcast: Why do I need two-step verification? Isn't my 1Password-generated, super long, complex password strong enough?

    The short answer is that using a complex password and using two-step verification protects you from two different types of attacks.

    A strong, complex password protects your account from people guessing your password and from brute-force attacks, which in their simplest form feed a dictionary of words and common passwords into a script that tries to log in with each word, or variations of each word, in the list. These used to be crude little programs, but as computing power has increased they've evolved at an alarming rate. Most of that power is brought to bear offline, against a leaked database of password hashes, rather than against the login page itself (which is usually rate-limited), and a long random password is what stops your hash from falling to that kind of cracking.

    What a complex password doesn't protect you against is the sort of attack that lets someone reset your password without ever knowing what your password is. Often this involves a bit of social engineering on the villain's part and sloppy policies or systems on the vendor's part.

    This is exactly what happened in the case of Mat Honan, the Wired senior writer whose entire online life was compromised late last year. I strongly encourage you to read his full account of what happened.

    My biggest takeaway from Honan's experience was that it wasn't a weakness in a single service that was exploited, and it wasn't a single service that was compromised. Having strong and unique passwords also didn't protect him. The hackers played Amazon off against Apple, using Amazon to obtain the last four digits of his credit card, which Apple support then accepted as proof of identity to reset his Apple ID password, all to get at his Twitter account purely because it was one of the rare three-letter handles (@mat).

    Had two-step verification been available and enabled on Honan's account, Apple customer service wouldn't have been able to reset the password for the hackers. Additionally, had they been able to get his password by other means, they wouldn't have been able to access the website to reset it.

    Unfortunately, what they would've been able to do, and this is where Apple's implementation fails woefully, is log into a new Mac or iOS device as Honan, giving them full access to Back to My Mac, Find My iPhone and Documents in the Cloud.

    You still get an email letting you know that a new device has been set up with your account, but that is notification after the fact, not prevention. What would be preferable is for iOS and OS X to ask for the same verification code when an account with two-step verification enabled is added to a device.

    That doesn't make two-step verification useless, it just makes it not quite as secure as it should be, and as long as you use a complex, unique password (one not reused on a site that could leak it) you should be protected from this loophole.

    Hopefully, Apple will bake that into iOS and OS X in a future update. In the meantime, you should still set it up, so let's look at how to enable it.

    The first step is to log into id.apple.com and go to the Password and Security tab:

    Click on the Get Started... link under the Two-Step Verification section at the top of the page:

    Click Continue on the next page:

    Again click Continue:

    Click Get Started on the next page:

    And then wait three days:

    I'm still not entirely sure I buy Apple's reasoning for making you wait three days. According to their two-step verification FAQ it's an added security measure, but last weekend that waiting period left a window in which someone with just your email address and date of birth could reset your password. Apple has since fixed that massive security hole, but it wouldn't have been an issue if they hadn't made you wait to set up two-step verification.

    This article also would've been up a hell of a lot sooner if they hadn't made me wait three days.

    After the three days have passed, log back into id.apple.com, go into the Password and Security section and click on the Get Started... link under the Two-Step Verification section at the top of the page again.

    You'll go through the same three screens as above until you click Get Started; this time, however, you'll see the following page. If you have any devices associated with the Find My iPhone service on your Apple ID, they'll automatically show up in the list. If you don't, you'll still get the link to add an SMS-capable phone to your account. Note: you don't need the Find My iPhone app installed on your iOS device, just the service enabled under Settings -> iCloud:

    To set up the device to receive two-step verification codes, click the Verify link. You'll receive a code via the Find My iPhone service on your phone that looks a little something like this:

    Enter the code on the website and click Verify Device:

    Next you'll be prompted to enter the mobile number associated with the phone. You could skip this step, but if you lose your iPhone or Find My iPhone is disabled, you won't be able to receive codes and so won't be able to get into your account. With your mobile number associated you can get your telco to move your number to a new SIM, allowing you to receive codes on another handset and get back in. Bear in mind that this cuts both ways: anyone who can talk your telco into porting your number to their SIM receives your codes too, so your telco's identity checks become part of your account's security.

    Make sure you enter your mobile number without the leading zero. For example, if your mobile number is 0401234567 you would enter 40 in the first box and 1234567 in the second box.

    When you hit Next, you'll be sent a code by SMS that looks a little something like this:

    After verifying your mobile number you'll be given a Recovery Key, which you'll need to get back into your account if you forget your password or lose access to your trusted devices. Make sure you keep it somewhere safe, because Apple won't be able to get you back into your account without it. Personally, I've added it to my 1Password safe rather than printing a physical copy.

    After hitting continue, you'll be prompted to enter the Recovery Key to make sure that you've kept a copy of it:

    Finally, you'll be prompted to tick a box confirming that you agree to and understand the changes that two-step verification will make to your account. Tick the box, and hit Enable Two-Step Verification to finish the process:

    And you're done:

    Hit Done and you'll be taken back to the Password and Security page, where you can now disable two-step verification, change your password, add or remove trusted devices and regenerate your recovery key if you've lost it.

    Once two-step verification is enabled, you'll be prompted to choose which device you want to send a code to when logging into the website (as below).

    And that's all there is to it for now. As I said, it's not perfect, but it's definitely a step in the right direction. Hopefully Apple will continue to improve the security of our accounts, especially seeing as they want to store all our information in iCloud.

    Alec lives in rainy Brisbekistan with his lovely editor and soon-to-be wife, Fiona. By day he's a Cisco-certified network engineer who deploys IP telephony infrastructure from his trusty 2011 unibody MacBook Pro. By night he plays far too many video games and watches way too many RuPaul's Drag Race marathons. You can normally find him lurking on the forums (formerly thatfilthyspringbok), or follow him on Twitter, Google+ or his blog, Inane Geekery.

    His opinions are all his own and do not reflect those of MacTalk or his employer.