Two-Factor Authentication Makes Your Scandalous Selfies Safe on iCloud

NEWS ANALYSIS: You're now free to store your files and indiscreet photos in iCloud securely, provided you remember to turn on two-factor authentication.

iCloud Storage

A couple of weeks after the news broke that some celebrities' intimate photos had been stolen from their iCloud accounts, Apple has provided a real fix.

Now, those celebrities along with anyone else who doesn't want their personal data pilfered can set up two-factor authentication (Apple calls this two-step verification) for their iCloud data. This means that access to iCloud requires a password, plus the entry of a verification code that you retrieve from your cell phone.

Previously, Apple had locked down iCloud somewhat by limiting password tries, which greatly constricted the success of brute-force hacking attempts. What's changed is that Apple has extended the two-factor authentication to all access to iCloud data. It's important that this includes all types of access from a previously unknown device, including access via applications such as Microsoft Outlook.

For customers who already had two-step verification on their iCloud accounts, the new capability announcement came through an email on Sept. 16. For those without such protection, you're finding out about it now. For most users, the extension of protection is automatic. They'll only notice it when trying to access iCloud from a new device.

However, for users that have applications such as Microsoft Outlook that don't natively handle two-factor authentication, but also need access to iCloud, there's a new feature called app-specific passwords. Users need to set up these passwords through the Apple ID Website, where you ask the site to generate an app-specific password. Then iCloud users enter that password when they log into the app.

App specific passwords will be required for all third-party apps that access iCloud by Oct. 1. An Apple spokesperson, speaking to eWEEK on background, said that the reason for the app-specific passwords is so that users won't have to share their Apple ID password with third parties.

There are, unfortunately, two things that Apple did not do when it implemented two-step verification. The first was to find a magical way of overcoming user stupidity, meaning that there will probably be as many unprotected iCloud accounts in the future as there are now. The second was to extend Apple's magical powers to provide similar cloud security to other non-Apple cloud accounts.

What this means is that despite Apple's best efforts, people using Box, Dropbox, OneDrive and other consumer cloud storage services are just as vulnerable as they've ever been. Likewise, while Apple has made a very credible effort to provide a reasonable level of security for its cloud accounts, even Apple can't help those who refuse to be helped.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...