Apple tightens account security with two-factor authentication
After Wired writer Mat Honan was hacked last year, Apple and Amazon amended their security practices to close some loopholes. Now, Apple has added two-factor authentication: an additional layer of security which works by combining something a user knows with something they have.
Eight months ago, Wired writer Mat Honan's iCloud account was hacked. By exploiting some loopholes in Apple's and Amazon's security practices, the hackers were able to remotely wipe Honan's iPhone, iPad, and Macbook, and take over his Twitter and Google accounts as well. Mr. Honan's story spread, and in response to the concerns of other users Apple and Amazon quietly took measures to increase their security.
This week, Apple introduced two-factor authentication to iCloud, adding an additional layer of security that addresses some of the lingering flaws exposed by the Honan hack.
Two-factor authentication works by requiring both something you know, and something you have, before you can get into an account. Right now iCloud accounts require only a password, which is backed up by security questions (think of standards like "What was your mother's maiden name?"). Two-factor authentication introduces a device -- like a phone or tablet -- into the equation. When someone tries to access an account from an unrecognized device, Apple sends a verification code to that account's "trusted" device, and the code must be entered in order to open the account. In theory, hackers can't get in without having physical access to the trusted device.
If you're interested in setting up two-factor security (and live in the US, UK, Ireland, Australia, or New Zealand), you can head over to the Apple ID site and click on the "Password and Security" tab. Once you've identified your "trusted device," you're pretty much set. Two-factor authentication does away with security questions, which in and of itself probably makes your account safer -- since, in many cases, those questions can be answered based on publicly-available information.
Two-factor authentication is becoming more popular as a security measure: Google, Facebook, Twitter, and many other services all have two-step security options, although they're implemented slightly differently by different companies.
In Apple's case, the authentication code is sent either by text message to a particular phone number, or to the Find My iPhone app, if it's installed. When you set up two-factor authentication the first time, you'll get a recovery key that can be used to access your account in case you forget your password. That's important, since once two-factor security is installed Apple can no longer reset your password for you. (Depending on how you view it, that might actually be an upside: Apple's ability to reset passwords was a key part of the hack that Mat Honan suffered.)
Do you have two-factor security on any of your accounts? Do you feel it's kept your information safe? Share your stories in the comments section below.