Apple's effort to step up protection of the Apple ID faltered as a password reset bug emerged before two-step verification was fully rolled out.
Ask any CISSP* and they will tell you that two factors are better than one, so security wonks like me were delighted to hear about Apple introducing “two-step verification” last week to improve the security of its crucial Apple ID system. As a Mac and iPhone user myself, I was particularly pleased about this security enhancement and planned to implement it this weekend.
[Update: Edited to reflect availability of two-step verification.]
As reported in Wired, this added layer of protection from Apple can help prevent what Wired writer Mat Honan described as an “epic hack,” one in which his entire “digital life dissolved.” As Honan later pointed out at length, a password alone does not offer enough protection for valuable data like your medical records, bank account, iCloud backups, or iPhone data. Adding a second factor to the authentication process is something that I and my colleagues have endorsed on these pages (although we used the more generic term “two-factor authentication”).
For readers who are not into Apple and may not be aware of the significance of these developments, here is how the company describes the importance of the Apple ID:
Your Apple ID is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices. Two-step verification is a feature you can use to keep your Apple ID as secure as possible.
Security is in the execution
Of course, the trick with security measures is to execute them securely. A kind word for Apple’s execution of two-factor authentication so far might be: flawed. For a start, according to The Verge, not everyone was offered this added protection right away; The Verge was also one of the websites that covered the seemingly related password reset bug. There is also some updated reporting on CNET, although quite frankly it has been hard to keep up with the latest in this fast-moving story of flaws and fixes.
Here’s the short version: shortly after Apple ID two-step verification was introduced, some people discovered that you could engineer a password reset on another person’s Apple ID using just their email address and date of birth, two facts that are frequently public. If you bear in mind the power of the Apple ID over your digital stuff you will understand why this news made me very nervous (not to mention the fact that I am one of a generation of authors whose birth year was published by the Library of Congress, and in recent years I have probably divulged the day and month on one or more social networks).
In other words, Apple introduced a big security hole as it rolled out a big security improvement. The security improvement (two-factor authentication, or 2FA) would have closed the hole for accounts that had it, because a reset would no longer hinge on knowledge that an attacker can look up or guess, but the improvement was not available to everyone. Fortunately, as of Sunday, as confirmed by CNET, Apple has fixed the password-reset bug. However, we don’t know if everyone can get two-step verification yet, so some people may find their Apple ID is not yet “as secure as possible”.
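To make the contrast concrete, here is a toy model of the two reset designs the story pits against each other. This is an added illustration written for this post, not Apple’s code, and everything in it (the account, the birth date, the recovery-key format, the four-digit device code) is constructed. It shows why a knowledge-based reset falls to a trivial online guessing attack once the email address and birth year are known, why a reset that demands possession of a second factor does not, and why gating the strong flow on enrollment leaves every unenrolled account exposed until the weak flow itself is fixed.

```python
"""Toy model of the two Apple ID reset flows the post contrasts.

Constructed illustration for this post, not Apple's code or data: the
account, birth date, recovery key and device codes are all made up.
"""
from dataclasses import dataclass, field
from datetime import date
import hmac
import secrets


@dataclass
class Account:
    email: str
    birth_date: str                      # ISO format, YYYY-MM-DD
    password: str
    two_step: bool = False               # enrolled in two-step verification?
    recovery_key: str = ""               # issued at enrollment
    pending_device_codes: set = field(default_factory=set)


def enroll_two_step(acct: Account) -> str:
    """Enroll the account and hand back its recovery key (hypothetical format)."""
    acct.two_step = True
    acct.recovery_key = secrets.token_hex(7).upper()
    return acct.recovery_key


def issue_device_code(acct: Account) -> str:
    """Simulate a one-time verification code pushed to a trusted device."""
    code = f"{secrets.randbelow(10**4):04d}"
    acct.pending_device_codes.add(code)
    return code


def reset_knowledge_based(acct: Account, email: str, birth_date: str,
                          new_password: str) -> bool:
    """The weak flow: two facts that are often public are the whole proof."""
    if email == acct.email and birth_date == acct.birth_date:
        acct.password = new_password
        return True
    return False


def reset_two_step(acct: Account, email: str, recovery_key: str,
                   device_code: str, new_password: str) -> bool:
    """The strong flow: knowing the account is not enough, you must hold both secrets."""
    if not acct.two_step or email != acct.email:
        return False
    if not hmac.compare_digest(recovery_key, acct.recovery_key):
        return False
    if device_code not in acct.pending_device_codes:
        return False
    acct.pending_device_codes.discard(device_code)   # codes are single use
    acct.password = new_password
    return True


def reset_password(acct: Account, email: str, new_password: str, **proof) -> bool:
    """Dispatcher as the rollout left it: only enrolled accounts get the strong flow."""
    if acct.two_step:
        return reset_two_step(acct, email, proof.get("recovery_key", ""),
                              proof.get("device_code", ""), new_password)
    return reset_knowledge_based(acct, email, proof.get("birth_date", ""), new_password)


def brute_force_birthday(acct: Account, email: str, birth_year: int) -> int:
    """Attacker who knows the email and birth year guesses month and day.

    Returns the number of online attempts needed, or -1 if the attack fails.
    With no rate limit the worst case is 366 guesses.
    """
    attempts = 0
    for month in range(1, 13):
        for day in range(1, 32):
            try:
                guess = date(birth_year, month, day).isoformat()
            except ValueError:
                continue                 # e.g. 31 February is not a real date
            attempts += 1
            if reset_password(acct, email, "attacker-chosen", birth_date=guess):
                return attempts
    return -1


if __name__ == "__main__":
    victim = Account("victim@example.com", "1952-03-17", "correct horse")
    print("guesses to take over unenrolled account:",
          brute_force_birthday(victim, victim.email, 1952))

    enrolled = Account("victim@example.com", "1952-03-17", "correct horse")
    key = enroll_two_step(enrolled)
    print("birthday attack against enrolled account:",
          brute_force_birthday(enrolled, enrolled.email, 1952))
    code = issue_device_code(enrolled)
    print("legitimate two-step reset:",
          reset_password(enrolled, enrolled.email, "new pw",
                         recovery_key=key, device_code=code))
```

The unenrolled account falls in well under 366 guesses, and far fewer if the attacker also knows the month. The enrolled account rejects every guess because the dispatcher never consults the birth date for it. The lesson the rollout teaches is in the dispatcher: so long as an unenrolled account can still be reset through `reset_knowledge_based`, offering the strong flow only to those who opted in does nothing for everyone else.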
Right now I’m going to check my Apple account to make sure nobody has been fraudulently using it to order heavy metal albums from iTunes (or any other kind of music, apps, or podcasts). And I will keep checking back with apple.com to see when I can do the two-step.
Update: I was able to get to the 2-step setup this evening. When I have set it up I will illustrate the process in a new blog post.
*CISSP = Certified Information Systems Security Professional