I vividly remember reading Mat Honan’s horror story in Wired magazine about being hacked and having his devices, some of which weren’t backed up, wiped out and his social media accounts taken over. I also haven’t forgotten that one of the players in that very complex chain of events that led to the unraveling of his digital life was Apple. They were hit with a social engineering attack that ended up being the last domino to fall, giving the hackers free rein over Mr. Honan’s Apple devices, and in turn, all of his information. The fact that Amazon, Google and Apple were ALL involved in this hack in various ways was definitely eye-opening.
Since that high-profile hacking in 2012, all of the above have made great strides in the tools they offer to keep our accounts more secure. All now offer two-factor authentication of various types, which is one of the best defenses against having your accounts hijacked by someone who doesn’t have physical access to one of your devices. Combine two-factor with a fingerprint sensor like Apple’s Touch ID, and you have a relatively easy path to enough security to head off most attempts to get at your Apple account.
For those who may not be familiar with the concept of two-factor authentication, it is simply a two-step process for logging into an account. One step is almost always the traditional password that we all know and love. The second step depends on you actively acknowledging that you are making the login attempt, but the method can vary. Facebook has a code generator inside its app that provides randomized codes. Google uses the same concept of random codes, but relies on various apps to generate them. Amazon gives users the choice between a phone call, a text, or an authentication app. Apple offers the option of either a traditional text message to a phone number, or a code sent directly to a device that has been designated as “trusted.”
One thing to note about two-factor authentication is that it rarely, if ever, applies to all logins. Maybe for sensitive sites, such as bank or billing account sites, but in the case of Apple, it only comes into play when you need to access the iCloud web interface or the Apple ID management site from your computer, or perform certain critical logins or logouts that could compromise your account. There is always a compromise to be struck between security and convenience, and finding the right balance that keeps the highest number of customers secure, yet still happy with the usability of their devices, is the key. Having two-factor there for when you need it for protection, but letting the much more customer-friendly Touch ID handle the heavy lifting of the day-to-day grind, was a smart move on Apple’s part.
To turn on what Apple refers to as Two-Step Verification, you will need to go to the following address: https://appleid.apple.com/#!&page=signin
This is Apple’s site for all Apple ID setup or changes, and the central hub for managing your main Apple account.
After logging in, you will see the menu shown below.
Click the Edit button to the right of the Security section, where you will find the Two-Step Verification menu.
Simply follow the prompts to turn Two-Step Verification on, and you are on your way. First, you will be asked to set up Security Questions and Answers. Next, you will add a Trusted Phone Number, which will be verified with an SMS message containing a four-digit code. You will also be given the opportunity to set up other Trusted Phone Numbers and/or Trusted Devices. Last, you will be prompted to set up and confirm a Recovery Key. This is your access of last resort if someone tries to hack your account and you have to reset your password. BE SURE TO SAVE THIS IN A SAFE PLACE YOU WON’T FORGET. Sorry for the yelling, but just search for what happens if you can’t find it when needed. Because of hacks like the one that hit Mat Honan, Apple has a no-leniency policy on this point. They WILL NOT help you if you lose the Recovery Key.
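The reason a service can refuse to help with a lost recovery key is a design choice, not stubbornness: a well-built system stores only a salted, slow hash of the key, exactly as it should store a password, so there is nothing on the server that could be handed back to you. The block below is an added example of that pattern and is not Apple’s code; this article does not describe how Apple stores its Recovery Keys, so treat the format (seven groups of four characters from a confusion-free alphabet) and the PBKDF2 parameters as this example’s own assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet of digits and letters chosen to avoid look-alikes (no 0/O, 1/I/L, U/V mix).
# 30 symbols ^ 28 positions is roughly 137 bits of entropy.
ALPHABET = "ABCDEFGHJKMNPQRSTVWXYZ23456789"
PBKDF2_ITERATIONS = 200_000  # assumed tuning; raise as hardware allows


def generate_recovery_key(groups: int = 7, group_len: int = 4) -> str:
    """Produce a recovery key such as 'K7QX-3MJ2-...'; the user writes this down."""
    chars = [secrets.choice(ALPHABET) for _ in range(groups * group_len)]
    return "-".join(
        "".join(chars[i:i + group_len]) for i in range(0, len(chars), group_len)
    )


def normalize(key: str) -> str:
    """Be forgiving about how the user types the key back: case and separators
    do not matter, only the characters themselves."""
    return "".join(c for c in key.upper() if c.isalnum())


def enroll(key: str) -> dict:
    """What the server keeps: a random salt and a PBKDF2 digest. The key itself
    is never stored, which is why it cannot be recovered for the user later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(key).encode("ascii"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "digest": digest}


def redeem(record: dict, presented: str) -> bool:
    """Account-reset path: recompute the digest from what the user typed and
    compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(presented).encode("ascii"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    key = generate_recovery_key()
    print("give this to the user once:", key)
    stored = enroll(key)
    print("server holds only salt+digest:", stored["digest"].hex()[:16], "...")
    print("typed back in lower case:", redeem(stored, key.lower()))
    print("one character wrong:      ", redeem(stored, key[:-1] + ("A" if key[-1] != "A" else "B")))
```

Because `enroll` keeps only the digest, a support agent looking at the stored record has no way to reconstruct the key; the only path back into the account is the key the user saved, which is the point the article makes.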
Once you confirm your choice to Enable Two-Step Verification, you are all set. From here on out, when you log into the Apple Account management page, you will see the following:
Pro-Tip: If you want to be as secure as possible, opt for using a Trusted Device, rather than a Trusted Phone Number, to receive your access code. If you use a phone number, the text message and the code in it will be visible from an iOS device’s Lock Screen, without the device being unlocked.
If you use a Trusted Device, the message will appear as follows:
As you can see above, you must unlock your device before you can view your code using this method, making it more secure. Even if someone had your Apple ID password AND your phone, without the passcode they wouldn’t be able to get into your account to reset the password.
Speaking of Trusted Devices, be sure to keep yours up to date as time goes on. It is easy to forget to add and subtract from this list as you upgrade and move on from iOS devices. I know because I had an issue with my iPhone this week that necessitated going into Recovery Mode, wiping it out, re-loading the latest version of iOS, and then restoring my backup. Somewhere along the way, I had to provide a code, but my phone, which was still inoperable at the time, was the only current Trusted Device. I had to send the code to my wife at work and wait for her to respond. As soon as she got me that code, I added my iPad Pro as a Trusted Device so this wouldn’t happen again.
Adding a Trusted Device after the fact is easy enough. This can be done from the same Security menu we looked at before.
You can see above that, if you have a device under your iCloud account that hasn’t been set up as Trusted, you will get a message telling you how many are available. There is also a reminder here that a device must have Find My iPhone enabled before it can be set up as Trusted.
It’s difficult to put the proper priority on security until the time comes that you get burned. I got a small, but thankfully not very severe, reminder of this fact two days ago. It woke me up to the fact that I need to be doing more, and staying on top of all my accounts. Heed the words of good old Ben Franklin: “An ounce of prevention is worth a pound of cure.” Thankfully, Apple and others have made these tools, such as Two-Step Verification, pretty easy to use, so it’s not difficult to take advantage of them. My personal advice to you is to set up two-factor authentication on every account that you can, and then make reminders to check in on each periodically to be sure they are working when the bad day you need them for finally comes.
What do you think of Apple’s security tools, including Two-Step Verification? Do you have it set up? If so, what do you think? Have you had any issues? If you haven’t set it up yet, is there a reason that keeps you from pulling the trigger? Let us know what you think here in the Comments, on Flipboard, our Facebook page, or on Twitter @iPadInsightBlog.