How Apple Just Made iCloud a Little Safer
Apple has activated two-step authentication for access to the iCloud.com Web portal, which allows access only to the Find My iPhone utility before users verify their identity. Ars Technica reports that the authentication is now active for users who have turned on the service. With the two-step authentication system, iCloud.com asks users to enter both their password and a four-digit code, which is sent to a trusted device via a text message, iMessage, or push notification. Once users verify their identity, all iCloud.com functions are accessible until the user signs out or closes the browser window.
The update renders useless many of the tools that hackers have used to access targeted accounts, such as the Elcom Phone Password Breaker and other similar programs, including those used in the recent leak of celebrities’ nude photos. Now that two-factor authentication keeps hackers from mining your device backups, it’s a better time than ever to set it up. Users can do so via Apple’s “My Apple ID” page by logging in and turning on two-step verification in the “Password and Security” section. It’s a good idea for anyone to set this up, but especially so if you keep any important private data in iCloud.
According to a document on Apple’s support website, starting in October the company will also introduce app-specific passwords for third-party apps that access iCloud. All third-party apps that connect with iCloud, even those that don’t support two-step verification, will use the new feature so that apps do not collect or store a user’s primary Apple ID password. The document outlines how users can generate app-specific passwords (via the same “Password and Security” section of the My Apple ID page) and explains that they generate an app-specific password via iCloud.com, then enter it into the third-party app.
Users can have up to 25 app-specific passwords at a given time and can revoke passwords individually or all at once. Resetting the primary Apple ID password will automatically revoke all app-specific passwords to protect users’ accounts, and users will need to generate new passwords for the apps that they’d like to continue using with iCloud.
Apple began stepping up iCloud security last week. MacRumors reported, the day before the iPhone 6, Apple Watch, and Apple Pay were unveiled, that the company had started sending out email alerts when iCloud accounts were accessed through the Web portal. Alerts were also expected to go into effect for attempted password changes, device restores from the account, or logins from new devices. The report noted that previously, password changes and login alerts were sent only when they took place on an unknown Apple device. Alerts won’t prevent accounts from being hacked, but they will make users aware earlier if their accounts are compromised.
Each of these updates seems aimed at assuring users that Apple takes the security of its customers’ information seriously, and that it will be proactive about keeping people informed. The security improvements also seem aimed at pushing wider adoption of two-factor authentication, the setup of which is an important step that users should take to protect their information and their privacy.