Apple is extending the reach of its two-step verification process to protect its FaceTime and iMessage applications. Two-step verification requires users to input a second password (or verification code) beyond just their Apple ID username and password.
Apple first introduced two-step verification, in which users get the second password by way of an SMS sent to their smartphone, in March 2013. However, while the company’s two-step verification has been available for nearly two years, it has not been implemented evenly across all of Apple’s products and applications. In September 2014, Apple added two-factor verification support to its iCloud service after a series of high-profile hacks of Hollywood celebrities.
Apple’s support Web page for two-step verification identifies where the service works. It can be used to make App Store purchases on new devices, as well as for logging in to the My Apple ID site and the iCloud, iMessage and FaceTime services.
The addition of iMessage and FaceTime is seen as a positive move forward by security experts contacted by eWEEK.
“The addition of iMessage and FaceTime is a helpful step in securing the overall Apple ecosystem,” Marc Maiffret, CTO of BeyondTrust.com, told eWEEK. “However, it is a functionality they should have had previously.”
Garve Hays, solution architect at NetIQ, believes Apple has been doing a good job of walking the line between security and usability. “Their user experience continues to be well-curated, and the tightening up of authentication shows other vendors how it can be done,” Hays told eWEEK.
In Maiffret’s view, Apple is playing catch-up with two-step verification as companies such as Microsoft and Google have two-step verification for the majority of their services, including Microsoft’s Xbox gaming console.
“It is clear from the previous hacking of Apple accounts that they are trying to fill in the gaps, and that is a good thing,” he said.
Maiffret noted, however, that Apple still doesn’t support industrywide standards for two-step verification. For example, in the case of Google, Microsoft and Dropbox, users can use standard “Authenticator” apps, he said.
“Apple’s approach is similar to how they do most things in that it is more geared toward the experience of a user leveraging all Apple technologies,” Maiffret said.
From Hays’ perspective, Apple isn’t doing enough yet to protect users when it comes to two-step security. That said, he believes people in the security community are often very demanding. Hays added that password authentication was developed at a time when it was sufficient, but password-only authentication is no longer enough to defend against modern attackers.
“Going forward, the sheer scale of the Internet of things will overwhelm the usefulness of passwords,” Hays said. “Multifactor authentication is a good start toward securing future technologies.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.