Stung by a recent high-profile hack involving nude photos of celebrities, Apple has extended two-step verification to cover backups on its iCloud storage service. The change is aimed at preventing attackers from accessing someone's personal backup data with nothing more than the account password.
A user who enables two-step verification must enter both a password and a four-digit code sent, on request, to a phone or other trusted device. While Apple already offered two-step verification for iCloud, the earlier implementation did not require the second factor for restoring iCloud backups or for the Find My iPhone service, so a password alone was enough to reach that data.
Those vulnerabilities enabled someone to access nude photos that several female celebrities had taken using their iPhones, even after the women had deleted the pictures from their devices. A large number of those photos were then posted on the imageboard site 4chan in late August.
‘A Very Targeted Attack’
In a statement issued on September 2, following the release of the stolen photos, Apple said that it was "outraged" and "immediately mobilized Apple’s engineers to discover the source." Those investigations revealed that the celebrities' accounts were "compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."
To prevent such security attacks, Apple recommended that all users "always use a strong password and enable two-step verification."
On September 10, however, Ars Technica reported that its team was able to use forensic software and other strategies to access other users' iCloud backups. Included in that backup data were phone call histories, deleted images, Apple Maps address searches and an address book database.
"It’s clear that anyone targeted by an iCloud account hack hasn’t just had pictures exposed; their entire digital lives have been laid out on display," Ars Technica reported at the time.
In a followup article published Tuesday, Ars Technica reported that it was no longer able to use forensic software to access backup data from iCloud accounts protected with the new two-step authentication. Accounts that had not activated two-step authentication were still vulnerable, it added.
App-Specific Passwords Required Soon
Apple on Tuesday updated its FAQ page on two-step verification. It noted that users who enable two-step verification must be sure to remember their passwords, keep their devices physically secure and store their recovery keys in safe places. The 14-character recovery key ensures that users who forget their passwords or lose their trusted devices can still access their accounts; Apple's FAQ also warns that an account can be recovered only with at least two of the three (the password, a trusted device and the recovery key), so a user who loses two of them is locked out.
Two-step verification is now available to Apple users in 59 countries, including the U.S., U.K., Germany, France, China, India and Brazil.
Starting October 1 of this year, iCloud users who want to sign into their accounts using third-party apps (such as Microsoft Outlook or Mozilla Thunderbird) will also be required to use app-specific passwords. Such passwords allow users to "sign in securely, even if the app you're using doesn't support two-step verification," Apple noted. Because each app-specific password is a separate credential that can be revoked individually, a password leaked from one mail client does not expose the main Apple ID password or the other apps.
Posted: 2014-09-19 @ 11:11pm PT
2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.
It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the devices finally locked, they would have to see the device reset.
Touch ID and other biometric products are operated by (2) so that users can unlock the devices by passwords when falsely rejected, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password; that is, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.
As for an additional vulnerability unique to biometrics, we could refer to
Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience. This may have misled many people to take it for granted that using two factors will always raise security, and, that the devices with biometric sensors are always safer than the devices without.