Apple has added two-factor authentication to its iCloud cloud storage option.
Following the recent attack, which saw celebrities have their accounts accessed and personal photos stolen when an attacker used a password-guessing tool utilising the most common 500 passwords, Apple users with two-factor authentication will now be required to verify their identities when they sign in to iCloud on new devices, or when logging on to iCloud.com.
According to IT News, 2FA for iCloud will now be automatically enabled if users have already set it up for their Apple login credentials and support is extended to iTunes, iBooks and App Store purchases from new devices, as well as Apple ID related support.
As with the earlier system introduced for Apple IDs, the two-factor authentication for iCloud uses a four digit code transmitted out of band via SMS to trusted mobile phones.
Certivox CEO Brian Spector laughed at the news, telling IT Security Guru he admired Apple’s effort to roll out 35-year old technology. He said: “Adding this is everyone’s answer. Who is going to add 2FA from Google Authenticator, what is anonymous about that and who is saying it is a good idea?
“This is a system that knows security risk and knows it has to change. The solution is in applicable technology that uses the advances in crypto in the last ten years.”
Michael Sutton, vice president of security research at Zscaler, said that as the iCloud leak of celebrity photos didn’t occur due to an attack on the iCloud infrastructure, but rather on individual accounts whereby account passwords were successfully brute forced or reset, this was not a timely or reactive addition.
He said: “Two-factor authentication can eliminate the risk of such attacks as obtaining access to an account requires both ‘what you know’ (password) and ‘what you have’ (SMS token on your registered phone). An attacker brute forcing a password would not have the ‘second factor’ and the attack would not therefore succeed.
“While Apple has had two-factor authentication (what they call ‘two step verification’) in iCloud for some time, it was previously limited in scope and Apple is now ensuring that it applies to all aspects of the service. While two-factor authentication can limit brute force password attacks, it still remains up to the end-users to implement and utilise the system, otherwise it’s just a fancy padlock sitting in a drawer.”
Stephen Coty, chief securit
y evangelist at Alert Logic, said that two-factor is a standard practice that should be implemented in all social media platforms, as there is too much stolen usernames and passwords that have been linked to social media attacks.
“2FA should be the standard authentication method for not only social media, but for all online transactions and Enterprise authentication. 2FA is considered a ‘best practice’ for all organisations that have any type of authentication to sensitive or valuable data,” he said. “The only way to bypass 2FA is if the attacker not only has user credentials from the victim, but also has control of their mobile device.”
