Apple Just Fixed a Huge Security Hole with Two-Step Verification

Apple just added two-factor authentication for iCloud and all your Apple accounts. It's a huge deal for security, and it's a welcome boon to a security process that had proven full of holes that were frustrating to fix. You can enable it at the Apple ID page.

Two-step authentication sends a security code to your phone as an SMS or as a notification from the Find My iPhone app on any iOS device, and requires both the code and your password to log in. It won't stop many of the social hacks and security question resets, but it's a good start. It's available in the US, the UK, Ireland, Australia, and New Zealand for now, but will roll out to the rest of the world in time.

Apple's two-step is set up to eliminate all your security questions, which are a big vulnerability if you've used searchable answers to questions like your dad's middle name or your high school mascot. In their place is the security code, but also a Recovery Key, which is basically an emergency password that you're supposed to print out or keep somewhere totally safe. You can only use this key, or issue any password resets at all, from computers or mobile devices you select as "trusted".
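The flow described in the two paragraphs above (password plus a one-time code delivered to a registered device, security questions replaced by a printed Recovery Key, and password resets allowed only from a trusted device) is easy to get subtly wrong on the server side. The following is an added illustration of that design, not Apple's code and not a description of how Apple implements it: the in-memory `Account` class, the five-minute code lifetime, the four-digit code length and the recovery-key format are all assumptions made for the example. The points it demonstrates are the ones the text cares about: no code is ever sent unless the password check passes, a code is single-use and expires, the Recovery Key is stored only as a hash, and a reset from an untrusted device is refused even with the correct key.

```python
"""Model of a two-step login and recovery flow (added example, not Apple's code).

Assumptions: an in-memory account store, codes valid for 5 minutes, 4-digit
codes, and a Recovery Key made of seven 4-hex-character groups. The
`sent_codes` list stands in for SMS / push delivery so the flow runs offline.
"""
import hashlib
import hmac
import secrets
import time
from typing import List, Optional, Set, Tuple

CODE_TTL_SECONDS = 300   # assumption: a delivered code is valid for 5 minutes
CODE_DIGITS = 4          # assumption: 4-digit one-time code


def _hash(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so neither the password nor the Recovery Key is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        self.trusted_devices: Set[str] = set()
        self.recovery_key_hash: Optional[bytes] = None
        # (code, expiry timestamp, device it was sent to); None when no login is pending
        self.pending_code: Optional[Tuple[str, float, str]] = None
        self.sent_codes: List[Tuple[str, str]] = []  # (device, code): stand-in for SMS/push

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash(password, self.salt))

    # --- enabling two-step: register a trusted device, issue the Recovery Key ----
    def enable_two_step(self, device: str) -> str:
        """Return the Recovery Key the user must print; only its hash is retained."""
        self.trusted_devices.add(device)
        key = "-".join(secrets.token_hex(2).upper() for _ in range(7))  # assumed format
        self.recovery_key_hash = _hash(key, self.salt)
        return key

    # --- login step 1: password, then a short-lived code to a registered device ----
    def begin_login(self, password: str, device: str, now: Optional[float] = None) -> bool:
        """Returns True only if the password is right; a code is sent only in that case."""
        if not self.check_password(password) or not self.trusted_devices:
            return False
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Send to the requesting device if it is trusted, otherwise to a registered one.
        target = device if device in self.trusted_devices else next(iter(self.trusted_devices))
        self.pending_code = (code, now + CODE_TTL_SECONDS, target)
        self.sent_codes.append((target, code))
        return True

    # --- login step 2: the code must match, be unexpired, and is single-use ----
    def complete_login(self, code: str, now: Optional[float] = None) -> bool:
        if self.pending_code is None:
            return False
        expected, expiry, _ = self.pending_code
        self.pending_code = None  # consumed whether or not this attempt succeeds
        now = time.time() if now is None else now
        return now <= expiry and hmac.compare_digest(expected, code)

    # --- recovery: no security questions; Recovery Key AND a trusted device ----
    def reset_password(self, recovery_key: str, device: str, new_password: str) -> bool:
        if device not in self.trusted_devices or self.recovery_key_hash is None:
            return False
        if not hmac.compare_digest(self.recovery_key_hash, _hash(recovery_key, self.salt)):
            return False
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(new_password, self.salt)
        self.recovery_key_hash = None  # a used key is retired; a fresh one must be issued
        return True
```

Two design choices are worth calling out. The code is discarded before the comparison result is known, so an attacker cannot retry the same delivered code, and the comparison itself uses `hmac.compare_digest` rather than `==` so timing does not leak how many characters matched. The reset path refuses an untrusted device before it even checks the key, which is what makes a leaked printout alone insufficient.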

Other services, like Blizzard's, let Customer Service reset your two-factor status if you totally screw it up and lose your key. It's possible Apple will do the same, given how many folks are freaking out about locking themselves out of Apple forever, but that would also increase the vulnerability to social hacks.

It seems like Apple hasn't fully integrated two-step into all of its services. The service claims, "From now on, you will be asked to verify your identity using one of your devices before you (or anyone else) can make changes to your account or make an iTunes or App Store purchase from a new device," but we were able to log into an Apple account that had enabled two-factor on a new computer and make a purchase.

Some users are able to set up the service right away, while others have received this message, saying they need to wait three days to set up the process:

You must wait 3 days to enable two-step verification.
This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification. A notification email will be sent to all addresses we have on file. Thank you for your patience.

Please come back after 06:38 PM on March 24, 2013 (GMT) to continue setup.


[9to5mac]