Apple is introducing two-factor authentication for users of its iCloud and other services, adding an extra layer of protection against hackers trying to access people's accounts by requiring mobile phone verification for changes to personal details or for online purchases.
The move was announced, coincidentally, just hours after the weakness of single-password systems was demonstrated publicly on Twitter: the BBC Weather Twitter account was hacked, apparently by pro-Syrian activists who either guessed the password or captured it from an unwary user of the account. Twitter is working on the introduction of two-factor authentication, but has not announced a date for it.
The move brings iCloud, which has more than 250m users, into line with Google’s Gmail services, which have offered such “2FA” security for some years.
Two-factor authentication relies on the user having a "trusted" mobile phone in their control, though users are also given a backup code in case they lose their phone or are outside network coverage. Any change to personal details made online has to be verified using a code that is sent to the mobile phone. Without the code, the changes, such as altering a backup email address or the password, will not be approved.
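To make the flow concrete, here is an added example of a second-step check of the kind described above. It is not Apple's code and does not describe Apple's implementation; the class name `TwoStepVerifier`, the delivery callback standing in for SMS, the five-minute code lifetime and the three-attempt limit are all assumptions chosen for illustration. A short numeric code is issued for a pending account change and must be presented before it expires; a set of longer single-use backup codes, stored only as salted hashes, covers the lost-phone case.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical policy values; the article gives no figures for Apple's service.
CODE_TTL_SECONDS = 300   # a sent code is valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is voided


def _hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash so stolen backup-code records cannot be used directly."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class TwoStepVerifier:
    """Hypothetical second-factor check: a short-lived code delivered to a
    trusted phone, plus single-use backup codes held only as salted hashes."""

    def __init__(self, send_to_phone, now=time.time):
        self.send_to_phone = send_to_phone  # callback standing in for SMS delivery
        self.now = now                      # injectable clock, for testing expiry
        self.pending = {}                   # user -> (code, expires_at, attempts_left)
        self.backup = {}                    # user -> list of (salt, hash)

    def enroll_backup_codes(self, user, count=5):
        """Generate backup codes; return them once, store only their hashes."""
        codes, entries = [], []
        for _ in range(count):
            code = secrets.token_hex(8)           # 16 hex characters, 64 bits
            salt = secrets.token_bytes(16)
            entries.append((salt, _hash_code(code, salt)))
            codes.append(code)
        self.backup[user] = entries
        return codes

    def start_change(self, user):
        """An account change was requested: send a fresh 6-digit code to the phone."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.send_to_phone(user, code)

    def verify(self, user, submitted):
        """Approve the pending change only if the phone code matches in time."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self.pending[user]            # expired or locked: force a new code
            return False
        if hmac.compare_digest(code, submitted):  # constant-time comparison
            del self.pending[user]            # a code is accepted exactly once
            return True
        self.pending[user] = (code, expires_at, attempts_left - 1)
        return False

    def verify_backup(self, user, submitted):
        """Lost-phone path: accept one unused backup code, then burn it."""
        entries = self.backup.get(user, [])
        for i, (salt, digest) in enumerate(entries):
            if hmac.compare_digest(digest, _hash_code(submitted, salt)):
                del entries[i]                # single use
                self.pending.pop(user, None)  # the pending change is now approved
                return True
        return False
```

The points a practitioner would check in any such scheme are visible here: the code is compared in constant time, it is consumed on first success, it lapses after a short window or a few wrong guesses, and backup codes are never stored in a recoverable form.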
However, it doesn't prevent children or others from spending large amounts of money on devices where they already have the password; that has to be prevented by settings on the device.
The 2FA system replaces “security questions” which often contain information about people that is publicly available.
The change can be made under "Manage your Apple ID".
The weakness of single-password security was highlighted last year when the writer Mat Honan saw his iCloud account wiped after hackers got into it by way of his Amazon account. Apple was criticised for allowing password resets over the phone, while Amazon was criticised for accepting changes to account settings by phone. In Honan's case, the hackers guessed his Apple email address and then broke into his Amazon account using a credit card number and billing address.
The hackers then methodically wiped his Gmail account of emails, took control of his Twitter account, and remotely wiped his iPhone, MacBook and iPad.
Apple said: “Apple takes customer privacy very seriously, and two-step verification is an even more robust process to ensure our users’ data remains protected. We are now offering our users the choice to take advantage of this additional layer of security.”
The service will initially only be available in the US, UK, Australia, Ireland and New Zealand.