I was quite excited when I awoke this morning to find news that Apple has released 2 Factor authentication for Apple ID. Apple seems to have done a good thing and built this into a “trusted device” upon which you use a feature in the Find My iPhone app, or receive an SMS each time you try to log-in. Sounds like a great approach, and it doesn’t surprise me that Apple chose not to use the Google Authenticator.
Following the attempted hack on Evernote, I made a determination that online service I use for personal/private/confidential “stuff” should support 2 factor authentication. Heck, if Facebook could do it, what was stopping Evernote and Apple. Very quickly App.net rolled out 2 factor support, and today was Apple’s turn. This was all part of my (perhaps peremptory decision to return to return to Google, something that following this and the GReadier debacle I am quickly reconsidering.
I went to the Apple ID site to set up two-step verification, and immediately was asked to answer security questions. It’s been a while, and for some reason I didn’t record these in 1Password. Having had more than 1 best pal at school, I went for the backup plan, and had a password reset sent out to my alternate email address.
Of course, I setup new security questions, and then went in and changed my alternate email address to one that is not linked or forwarding to any other email address I have. I took the opportunity to really tighten the hatches.
Next I went back to complete the setup of the two-step verification process, and almost immediately received a block telling me to wait three days. They also mass emailed every linked email address I had.
I guess that I had just changed a lot of security settings, and this raised an alarm at Apple that perhaps I might be hacking, and potentially locking someone else out from their account, a la the Mat Honan saga. So I think that Apple has paid a good bit of attention to the process to ensure that unintended consequences are minimised. Three days gives plenty of time for a real owner to get an email and intervene if necessary.
So at this stage I can’t provide a full review, but one thing that I noted from Katie Floyd’s post is that the two-step verification doesn’t (yet) support iCloud services, such as Documents, Calendar, email, etc. I assume (hope) these will come shortly, but will require a lot of apps to be updated. Today’s initial release was a good test for Apple, as the only app that needed to be updated was Find My iPhone.
Don’t forget to check out my list of web services that support 2 factor authentication.