A couple of weeks after the news broke that some celebrities’ intimate photos had been stolen from their iCloud accounts, Apple has provided a real fix.
Now, those celebrities along with anyone else who doesn’t want their personal data pilfered can set up two-factor authentication (Apple calls this two-step verification) for their iCloud data. This means that access to iCloud requires a password, plus the entry of a verification code that you retrieve from your cell phone.
Previously, Apple had locked down iCloud somewhat by limiting password tries, which greatly reduced the success of brute-force hacking attempts. What’s changed is that Apple has extended two-factor authentication to all access to iCloud data. Importantly, this includes all types of access from a previously unknown device, including access via applications such as Microsoft Outlook.
For customers who already had two-step verification on their iCloud accounts, the new capability announcement came through an email on Sept. 16. Those without such protection are finding out about it now. For most users, the extension of protection is automatic. They’ll only notice it when trying to access iCloud from a new device.
However, for users who have applications such as Microsoft Outlook that don’t natively handle two-factor authentication but still need access to iCloud, there’s a new feature called app-specific passwords. Users set up these passwords through the Apple ID website, where they ask the site to generate an app-specific password. They then enter that password when they log into the app.
By Oct. 1, app-specific passwords will be required for all third-party apps that access iCloud. An Apple spokesperson, speaking to eWEEK on background, said that the reason for the app-specific passwords is so that users won’t have to share their Apple ID password with third parties.
There are, unfortunately, two things that Apple did not do when it implemented two-step verification. The first was to find a magical way of overcoming user stupidity, meaning that there will probably be as many unprotected iCloud accounts in the future as there are now. The second was to extend Apple’s magical powers to provide similar cloud security to other non-Apple cloud accounts.
What this means is that despite Apple’s best efforts, people using Box, Dropbox, OneDrive and other consumer cloud storage services are just as vulnerable as they’ve ever been. Likewise, while Apple has made a very credible effort to provide a reasonable level of security for its cloud accounts, even Apple can’t help those who refuse to be helped.
Two-Factor Authentication Makes Your Scandalous Selfies Safe on iCloud
But at least now if someone’s risqué selfies are exposed to the tabloids, you can’t blame Apple.
The new extension of two-factor authentication will make itself known when users add a new device to iCloud, such as a new iPhone 6, or even when they attempt to access data in iCloud from another previously unknown device.
When they do that, users who choose to be protected will be asked to enter a number that was sent to an SMS (short message service) device such as their cell phone. This will delay access by a few seconds, but their data will be much safer.
Just to make sure that you aren’t locked out of your account, Apple prompts you to create a Recovery Key, which it will send to you during the setup process. If it happens that the device you use for two-step verification, such as your cell phone, is lost or stolen, then you can still get into your iCloud account using the Recovery Key.
When the key is created, Apple strongly recommends that you print at least one copy and put it somewhere safe. Ideally you should keep multiple copies in safe places. If you lose your Recovery Key, you can create a new one using your Apple ID.
Apple has provided a detailed explanation of how the new level of protection works and it shouldn’t be difficult for anyone with an iCloud account to set it up. While you can terminate this greater level of protection at any time, it’s hard to imagine why you’d want to. Unless, of course, some of these alleged iCloud leaks weren’t leaks at all.
Unfortunately for Apple, which stands to get a black eye following any future iCloud leaks, you will have less justification to blame Apple. Password security has been put solidly into place. Any potentially insecure actions are now subject to two-factor authentication, so it should be very difficult to break into someone’s private data without help.
But the bottom line is you have to be willing to take action to protect yourself. Despite the fact that setting up Apple’s two-step verification is very easy, there will be those people who don’t bother.
Sadly, Apple appears to be made up of reasonably polite people, which means that you won’t hear the company saying, “Nyah nyah nyah, I told you so,” after the next breach. And that’s too bad because anybody who fails to set up two-step verification deserves what they get.