Apple finally offers optional Two-Factor Authentication (2FA) for Apple IDs

Well, that took long enough.  Apple is finally offering optional two-factor authentication (2FA) for Apple ID users.

Apple IDs aren’t just website logins.  They identify and authenticate a user’s entire digital relationship with Apple:

The risk of having an Apple ID breached was infamously showcased last year.  Journalist Mat Honan had his iPhone, iPad, and MacBook Air wiped – yes, wiped – by a hacker who used a social engineering phone call to trick Apple support staff into resetting Honan’s Apple ID password.

Protecting all of those assets with a single password that could be guessed, keylogged, stolen or otherwise hacked just wasn’t enough.  And neither was Apple’s additional layer of security in the form of “security questions”.

Apple has belatedly launched optional Two-Factor Authentication (2FA) for Apple IDs, but is calling it “two-step verification”.

Apple’s implementation is an out-of-band (OOB) SMS text OTP.  It works by sending an SMS text message to one of the mobile devices a user has registered with Apple.  The text contains a one-time password (OTP) required in addition to the user’s regular password:

Significantly, there is nothing to stop a user from having an SMS text OTP sent to the same device that carries the user’s Apple ID.  That isn’t 2FA, since the same factor – an iPhone, for instance – is used for both authentication steps.  The result is an obvious vulnerability.  If a hacker can acquire the user’s password, the hacker can also acquire an SMS text OTP sent to the iPhone.
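To make the same-device weakness concrete, here is an added example (not Apple's code and not from the original post) of a server-side SMS OTP check that records whether the code was delivered to a different device than the one signing in. The class, function names, device labels, validity window and retry limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300  # assumed validity window, not a figure from the post
MAX_ATTEMPTS = 3       # assumed retry limit


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


class Challenge:
    """Server-side state for one pending SMS OTP (hypothetical design)."""

    def __init__(self, login_device, sms_device, now):
        self.code_digest = None
        self.expires_at = now + OTP_TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.used = False
        # The post's weakness: the OTP goes to the device that is signing in.
        self.out_of_band = login_device != sms_device


def issue(login_device, sms_device, now):
    """Create a challenge; the returned code goes only to the SMS gateway."""
    code = f"{secrets.randbelow(10**6):06d}"
    ch = Challenge(login_device, sms_device, now)
    ch.code_digest = _digest(code)
    return ch, code


def verify(ch, submitted, now):
    """Return 'denied', 'ok-same-device' or 'ok-separate-device'."""
    if ch.used or now > ch.expires_at or ch.attempts_left <= 0:
        return "denied"
    ch.attempts_left -= 1
    if not hmac.compare_digest(_digest(submitted), ch.code_digest):
        return "denied"
    ch.used = True  # single use: a replayed code is rejected
    return "ok-separate-device" if ch.out_of_band else "ok-same-device"


if __name__ == "__main__":
    # Constructed device names for illustration.
    ch, code = issue("iphone-1", "iphone-1", now=0)
    print(verify(ch, code, now=10))   # ok-same-device
    ch, code = issue("macbook-1", "iphone-1", now=0)
    print(verify(ch, code, now=10))   # ok-separate-device
```

A service can treat the `ok-same-device` result as weaker assurance, for example by logging it or by asking the user to register a second device for OTP delivery.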

True two-factor authentication (2FA) is a stronger security solution, but at least Apple is giving users a better means of protecting their Apple IDs.