Apple Enables Two-Step Verification to Thwart Account Hijacking
Apple has turned to two-step verification to improve the security defenses against account hijacking for Apple iTunes and App Store.
The feature—which was announced March 21—works by sending a SMS message with a four-digit verification code in it sent from Apple that users have to enter from a "trusted device" in order to access their accounts.
The user can classify a device as trusted when they enable two-factor authentication. Once it’s enabled, any time a user signs in to make an iTunes, App Store or iBookstore purchase from a new device, they will need to enter their verification code.
Users will also get a 14-digit recovery key that should be printed and kept a in safe place so that they will be able to regain access to their account if they ever lose access to their devices or forget their password, Apple advised.
"Your Apple ID is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking or wiping your devices," Apple stated in an announcement of the feature. "Two-step verification is a feature you can use to keep your Apple ID as secure as possible."
The feature's appearance may have come at the perfect time. According to a report, there is an exploit is in the wild that allows attackers to reset a victim's Apple ID if they know the person's birthday and email. According to The Verge, the exploit involves "pasting in a modified URL while answering the DOB [date of birth] security question on Apple's iForgot page."
The Verge didn’t publish or link to the details of the exploit.
Apple did not return a request for comment before publication.
This is not the first time Apple has tried to bolster account security. Last year, Apple began prompting users to establish security questions, which users will no longer need to do with this feature enabled. With the introduction of two-step verification, Apple follows a similar path walked by other companies. Google, for example, implemented two-factor authentication for Gmail users a few years ago.
It is important, however, that the security feature is used the right way, explained Paul Ducklin, head of technology at Sophos.
"By avoiding the name 2FA [two-factor authentication], Apple is actually making a slightly weaker, but more honest, security assertion," he blogged. "That's because there is nothing to stop you getting Apple to send your SMS verification codes to the same device on which you actually use your Apple ID."
"Indeed, I suspect that many users will use two-step verification this way, and it isn't really two factor-authentication if the same factor—your iPhone, for instance—is used for both steps of the process," he wrote. “That’s because someone who controls your iPhone to the point that they can acquire your password can, probably with not much more complexity, acquire in real time the contents of SMSes sent to your iPhone."
Initially, two-step verification is being offered in the United States, U.K., Australia, Ireland and New Zealand. As the feature is supported in additional countries, the two-step verification option will automatically appear in the Password and Security section when users sign in to MyAppleID.