Apple has upcoming plans to fix some big problems in its two-factor authentication scheme. Jordan Golson explains.
Two-factor authentication is a good thing. It requires users to enter their password (something they know) and enter something like a dynamically generated six-digit code sent to their smartphone (something they have).
The idea is to keep people from logging in to your accounts even if they have your password from a phishing attempt or because you wrote it down on a post-it note and left that on your desk. Without the code generated on your smartphone (which can also be something like a RSA SecurID keyfob or the like), knowing your password won't help.
Apple launched two-factor authentication for the Apple ID—the universal login for all Apple services including iTunes, iCloud, and the App Store—a few years ago. Unfortunately, it's had more than a few teething problems.
It's not always clear when two-factor login can be used and when users need to generate an app-specific password (a special one-use password for logging into Apple services through a third-party application, like pulling data from iCloud with a calendar app). Some activities (like logging into an iPhone) use the regular password, while others (like logging into iMessage on a Mac) need a special app-specific password. Unfortunately, there's no way to know which you need until you log in.
Then there's what happens if you somehow get locked out of your account. Even if you have your password and a "trusted device" that can generate a two-factor code, you can still get locked out of an account, needing a "recovery key" that is shown only once, when you set up two-factor authentication for the first time. Without that recovery key, users can find themselves totally locked out of their Apple ID accounts, with no way back in. This means users could lose their entire iTunes purchase history and phone backups—or worse, get locked out of their phones entirely... forever!
To fix these problems, Apple has introduced a totally revamped two-factor authentication system in iOS 9 and OS X El Capitan, the new mobile and desktop operating systems that should be released to the public this fall.
Apple has gotten rid of the recovery key system (and the risk of getting locked out forever) in favor of a more streamlined experience. Any device you log into can become a "trusted device" that can verify identity as before, but users will be able to use any trusted device to recover their account if a password is lost, a previously verified phone number can be used to receive a SMS message, or Apple's customer support team will be able to help users recover their Apple ID accounts through a recovery process.
This customer support option is new, and, though Apple says it can take a few days to verify users, it will allow customers who have lost all their trusted devices (say to theft or a fire) to gain access to their account.
According to an Apple support document on the new system:
"Account recovery will take a few days—or longer—depending on how much information you can provide to verify that you are the account owner. The process is designed to get you back into your account as quickly as possible while denying access to anyone who might be pretending to be you."
All in all, it will be a nice update to two-factor authentication and should reduce the likelihood of users having their accounts compromised or losing access entirely.
At the moment, the new two-factor authentication scheme is available only to beta users of iOS 9 and OS X El Capitan, but it should roll out to all users this fall.
Do you use two-factor authentication? Tell us about your experience in the comments below.
- Secure your Google Account with two-step authentication
- Tutorial: Twitter 2-factor authentication, step-by-step
- Pro tip: Securing your Apple ID and iCloud with two-step verification
- LastPass hack reinforces importance of using multi-factor authentication