More than three weeks after it was publicly shamed for leaky security, Apple has finally tightened security by enforcing two-factor authentication for iCloud access.
In the wake of the iCloud celebrity picture hacking attack (at the beginning of September), the security of Apple’s cloud service has been under scrutiny. Apple itself claimed that the attack was not the result of a breach of its iCloud system. Rather, Apple said the attack was targeted against usernames, which in Apple’s world is the AppleID system. One of the ways that Apple and other vendors often recommend to users to protect their credentials is through the use of two-factor authentication.
With two-factor authentication, a second password (or factor) is required in order to log into a site or service. Apple first announced support for two-factor authentication in March 2013. Apple’s two-factor authentication system leverages Short Message Service (SMS) as an optional delivery method to send users the second password.
While Apple has had two-factor authentication support for more than a year, it hasn’t always applied the technology to all its log-in systems. At the time of the celebrity hacking incident, the Web log-in for iCloud (at iCloud.com) apparently did not require the use of two-factor authentication. That means that if an attacker somehow was able to trick users into giving out AppleID passwords, the attacker could have had access to the user’s iCloud files, even if the user had two-factor support enabled.
Apple has not made an official statement about two-factor support for iCloud, though its publicly accessible support site provides some direction on the issue. An archived snapshot of Apple’s support page for two-factor authentication that was taken on Sept. 16 indicates that two-step authentication is used to sign in to My Apple ID to manage an account; make an iTunes, App Store or iBooks Store purchase from a new device; or get Apple ID-related support from the company.
The same page on Sept. 17 now includes an additional item: sign in to iCloud on a new device or at iCloud.com.
The simple truth of security is that you can have the best technology in the world, but if you don’t actually turn it on, it won’t work.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.