Modernizing Authentication — What It Takes to Transform Secure Access
At the heart of Apple's Mac OS X and iOS operating systems is the Apple ID authentication mechanism. The Apple ID is linked to users' payment information, iCloud storage, App Store access and Apple support. Until this week, the Apple ID was also a potential security weak spot, protected by only a single password.
Apple is advancing the state of Apple ID protection by introducing a two-step verification process.
"Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account," Apple stated in a support note.
Apple's two-step verification will require users to enter a time-sensitive verification code in addition to their username/password in order to access the Apple ID services. The verification code is granted by way of a trusted device the user will need to set up to receive a four-digit code from Apple.
The code can be obtained via SMS message on a smartphone or via the "Find My iPhone" notification. "Find My iPhone" can run on Apple iOS, as well as Mac OS X and Windows PCs.
Apple provides an additional layer of fallback by prompting users to print out a one-time 14-digit Recovery Key password, to be used if they lose their trusted device or access to the "Find My iPhone" notification.
The move to a two-step verification scheme will also put the onus of responsibility for password protection on users, not Apple.
"Apple Support cannot reset your password on your behalf," Apple stated. "To reset your password, you must have your Recovery Key and access to at least one of your trusted devices."
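As an added illustration, not Apple's own code (which is not public), the following constructed Python model sketches the flow described above: a password check, a short-lived four-digit code pushed to a trusted device, and a password reset that requires both the Recovery Key and a trusted device. The code lifetime of five minutes and the device identifiers are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed lifetime of a verification code (not Apple's figure)
CODE_DIGITS = 4             # the article describes a four-digit code
RECOVERY_KEY_DIGITS = 14    # the article describes a 14-digit Recovery Key


class TwoStepAccount:
    """Constructed model of an account protected by password + one-time code + Recovery Key."""

    def __init__(self, password, trusted_devices, now=time.time):
        self.password = password
        self.trusted_devices = set(trusted_devices)   # e.g. phone numbers or device ids
        self.recovery_key = "".join(secrets.choice("0123456789") for _ in range(RECOVERY_KEY_DIGITS))
        self.now = now            # injectable clock so expiry can be tested deterministically
        self._pending = None      # (code, device, expires_at) for the one outstanding challenge

    def begin_login(self, password, device):
        """Step 1: verify the password, then issue a short-lived code for a trusted device."""
        if not hmac.compare_digest(password, self.password):
            return None
        if device not in self.trusted_devices:
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending = (code, device, self.now() + CODE_TTL_SECONDS)
        return code   # a real service delivers this via SMS / Find My iPhone, never to the caller

    def complete_login(self, code):
        """Step 2: the code must match and be unexpired; one attempt consumes the challenge."""
        pending, self._pending = self._pending, None
        if pending is None:
            return False
        expected, _device, expires_at = pending
        if self.now() > expires_at:
            return False
        return hmac.compare_digest(code, expected)

    def reset_password(self, recovery_key, device, new_password):
        """Reset requires the Recovery Key AND a trusted device, as the support note states."""
        if device not in self.trusted_devices:
            return False
        if not hmac.compare_digest(recovery_key, self.recovery_key):
            return False
        self.password = new_password
        self._pending = None      # drop any half-finished login for the old password
        return True
```

Consuming the challenge on the first attempt, whether or not it matches, is what keeps a four-digit code from being guessed by repeated submissions.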
Promoting Two-Factor Authentication
Apple is not the first vendor to implement a two-factor authentication scheme for consumer technology. Google has been pushing its two-factor approach for several years. Facebook introduced a two-factor authentication system called "Login Approvals" in 2011. PayPal also offers two-factor authentication for its users.
"I think having two-factor authentication is a great security enhancement," said Wolfgang Kandek, CTO of security vendor Qualys.
The challenge with two-factor authentication is implementing it in a user-friendly way, Kandek said.
"Apple is going the SMS route, which is easier for users than installing an application on a smartphone," he said. "Apple is also limiting the situations where the two-factor authentication will be required to managing your account (password resets, etc.), authorizing new devices for iTunes purchases, and in general interacting with Apple Support."
Kandek added that Apple's two-step verification is a great step in pushing the security approach into the mainstream.
Apple's two-step verification will not be available to all Apple users, at least initially. The service is being launched in the U.S., UK, Australia, Ireland and New Zealand, with more countries to come over time.