Apple activates two-step authentication for iCloud Web portal

Posted in iCloud, edited September 2019
In a bid to secure its online consumer services, Apple on Tuesday activated two-factor authentication for iCloud.com access, allowing only basic access to Find My iPhone for those opted-in to the security layer.




As seen in the screenshot above, the iCloud.com portal is now protected by Apple's two-step authentication system, which requires users to enter a dynamically generated code sent to a trusted device prior to gaining access to the service.

Apple first tested the extra layer of iCloud.com security in June, more than one year following the protocol's introduction for Apple ID accounts in 2013.

In practice, iCloud.com two-step verification asks users logging in to provide both a password and a four-digit code, the latter of which is sent to a trusted device through text, iMessage or push notification. Apple ID owners can add trusted devices through the Apple ID management webpage.

Once a user is confirmed, all iCloud.com assets are unlocked until a user signs out or closes their browser window. Find My iPhone is left active by default, allowing users to remotely deactivate or wipe a trusted device that is stolen or lost.

At the time of this writing, Apple's implementation of two-factor iCloud.com authentication has effectively broken a number of forensics tools like ElcomSoft's iCloud backup and password breaker programs. The tools were supposedly employed by nefarious users to obtain photos from celebrity devices, which were then disseminated on the Web earlier this month.

Comments

  • Reply 1 of 22
    slurpy Posts: 5,382 member

    Nice. One thing you have to hand to Tim Cook's Apple: it acts pretty damn fast.

  • Reply 2 of 22
    Am I misreading the article?

    It says that Apple only allows basic access to Find my iPhone when opted into the security layer. Wouldn't it allow full access if you're opted in? I think you mean that if you haven't enabled the two step, you can only use Find my iPhone but not the other things until you've added the two step access.
  • Reply 3 of 22
    apple ][ Posts: 9,233 member

    I don't log into iCloud all that often, but I just did, to test this two-step system, and after I logged in with my Apple ID, that was it. I was in iCloud, everything was accessible and it never asked me for any security code.

    Why is that?

  • Reply 4 of 22
    apple ][ wrote: »
    I don't log into iCloud all that often, but I just did, to test this two-step system, and after I logged in with my Apple ID, that was it. I was in iCloud, everything was accessible and it never asked me for any security code.

    Why is that?

    Maybe you've already set it up? Or is it US only?
  • Reply 5 of 22
    apple ][ Posts: 9,233 member
    Quote:
    Originally Posted by Benjamin Frost

    Maybe you've already set it up? Or is it US only?

    I am in the US.

    I do already have two-step setup on my iOS devices, but I thought that it would ask me for the security code whenever I try to log into iCloud, at least that's what I thought after reading the OP. I guess that I'm mistaken about that, and since I already have two-step setup on my devices, it just allows me to log onto iCloud without the security code.

  • Reply 6 of 22
    apple ][ wrote: »
    I don't log into iCloud all that often, but I just did, to test this two-step system, and after I logged in with my Apple ID, that was it. I was in iCloud, everything was accessible and it never asked me for any security code.

    Why is that?

    Because your nude pics aren't security code worthy.
  • Reply 7 of 22
    "just" tried it at 8:51 PM EST

    Worked as advertised, sending a 4 digit code to my iPhone
  • Reply 8 of 22

    Is there any extra protection against the Elcom backup downloader if 2-step auth is *not* yet set up? For example, with at least one person I know, I can reset their Apple ID password, knowing only the Apple ID, birthdate and one security question (I guess they never set up 2.)

    Didn't the Elcom downloader rely only upon that?

    (And yes, I did see the bit how Apple will now send out email/device notifications after such a breach ex-post-facto.)

  • Reply 9 of 22
    Quote:
    Originally Posted by Apple ][

    I am in the US.

    I do already have two-step setup on my iOS devices, but I thought that it would ask me for the security code whenever I try to log into iCloud, at least that's what I thought after reading the OP. I guess that I'm mistaken about that, and since I already have two-step setup on my devices, it just allows me to log onto iCloud without the security code.

    Ugh, it might be. I'm with Bell Canada, and can't configure 2-factor because the SMS message never arrives at my phone and there doesn't seem to be any way past that [even though the 'didn't receive the sms' help seems to indicate it is possible to do so].

    A fairly rare "stupid Apple" thing...

  • Reply 10 of 22
    apple ][ Posts: 9,233 member
    Quote:
    Originally Posted by whatisgoingon

    Ugh, it might be. I'm with Bell Canada, and can't configure 2-factor because the SMS message never arrives at my phone and there doesn't seem to be any way past that [even though the 'didn't receive the sms' help seems to indicate it is possible to do so].

    A fairly rare "stupid Apple" thing...

    You can also choose to have the code delivered to another device instead of SMS. I had the choice of SMS or to a number of iOS devices that I have.

    I chose an iOS device and in literally one second the code showed up on the screen.

  • Reply 11 of 22
    Quote:
    Originally Posted by Apple ][

    You can also choose to have the code delivered to another device instead of SMS. I had the choice of SMS or to a number of iOS devices that I have.

    I chose an iOS device and in literally one second the code showed up on the screen.

    How/where? For me, step 1 is set up trusted devices, "Your trusted devices are used to verify your identity. You must have at least one phone number that can receive SMS messages." I can add my phone number, then I can press Continue to enter a code I never receive, or press Cancel to abort the process. So I can't progress past this point.

    And it seems stupid to require one of your trusted devices to be able to receive SMS messages, as it doesn't require actually sending an SMS message...

    I have 2 iOS and a MBP connected to iCloud/Facetime/Messages.

  • Reply 12 of 22
    Gotta love 2-step authentication. But I would like Apple to launch an authenticator app. It greatly increases the convenience of 2-step authentication. I don't get it, there are apps for everything yet this is still via SMS. Sure it's an adequate solution but an authenticator app is so much better in my view.
  • Reply 13 of 22
    Quote:
    Originally Posted by Apple ][

    You can also choose to have the code delivered to another device instead of SMS. I had the choice of SMS or to a number of iOS devices that I have.

    I chose an iOS device and in literally one second the code showed up on the screen.

    Is there also a set of one-time codes you can print out and keep with you? (I ask b/c Google offers that) For as rarely as I have to authenticate with two steps in general (once I logged in all my regular devices), whatisgoingon could probably get by just printing one of those off every three months or so, after the initial run of logins on various devices.

  • Reply 14 of 22
    Quote:
    Originally Posted by Chipsy

    Gotta love 2-step authentication. But I would like Apple to launch an authenticator app. It greatly increases the convenience of 2-step authentication. I don't get it, there are apps for everything yet this is still via SMS. Sure it's an adequate solution but an authenticator app is so much better in my view.

    I think I prefer SMS, since it's not reliant on an Internet connection. SMS is often available even when mobile data is not. At my office, personal devices are not allowed on wifi, and there are areas of the building where mobile data doesn't work, but SMS does, and there are wired connections on desktops.

  • Reply 15 of 22

    I signed into my iCloud account (had already set up the 2 factor authentication), and received an email in less than 1 minute from Apple support that my iCloud account had been accessed!  Awesome!

  • Reply 16 of 22
    apple ][ Posts: 9,233 member
    Quote:
    Originally Posted by whatisgoingon

    How/where? For me, step 1 is set up trusted devices, "Your trusted devices are used to verify your identity. You must have at least one phone number that can receive SMS messages." I can add my phone number, then I can press Continue to enter a code I never receive, or press Cancel to abort the process. So I can't progress past this point.

    I had set up my devices a long time ago, so you do perhaps have to go through the SMS to phone step at least once.

    I think that I read something about certain telecoms blocking certain SMS messages, so perhaps that is your problem, if it is your telecom that is blocking the SMS from Apple.

  • Reply 17 of 22
    apple ][ Posts: 9,233 member
    Quote:
    Originally Posted by waterrockets

    Is there also a set of one-time codes you can print out and keep with you? (I ask b/c Google offers that) For as rarely as I have to authenticate with two steps in general (once I logged in all my regular devices), whatisgoingon could probably get by just printing one of those off every three months or so, after the initial run of logins on various devices.

    There is a recovery key that you get when first setting up two step authentication.

  • Reply 18 of 22
    Originally posted:

    "I do already have two-step setup on my iOS devices, but I thought that it would ask me for the security code whenever I try to log into iCloud, at least that's what I thought after reading the OP. I guess that I'm mistaken about that, and since I already have two-step setup on my devices, it just allows me to log onto iCloud without the security code."


    If you already use two-step AND you are already on a trusted device AND you are using an already trusted browser (Safari saves your login credentials) then you will automatically login and be unlocked. Try testing by downloading the Google Chrome browser (I did) THEN attempt to login to iCloud.com OR you can delete the Safari password credentials OR you can untrust all your devices from appleid.apple.com.
  • Reply 19 of 22
    Quote:
    Originally Posted by Gunner1954

    If you already use two-step AND you are already on a trusted device AND you are using an already trusted browser (Safari saves your login credentials) then you will automatically login and be unlocked. Try testing by downloading the Google Chrome browser (I did) THEN attempt to login to iCloud.com OR you can delete the Safari password credentials OR you can untrust all your devices from appleid.apple.com.

    That is correct. I eventually found out that it wasn't requiring me to enter a security code because I was on my desktop, which I had used a number of times before to log in.

  • Reply 20 of 22
    I think I prefer SMS, since it's not reliant on an Internet connection. SMS is often available even when mobile data is not. At my office, personal devices are not allowed on wifi, and there are areas of the building where mobile data doesn't work, but SMS does, and there are wired connections on desktops.
    An app like Google Authenticator doesn't necessarily need internet access to work (once set up). It also works offline. But SMS and an app don't need to be mutually exclusive. Apple can, for example, give users the choice between the two when you set 2 factor authentication up.

    Edit: just tested it just to be sure. Data and WiFi off and waited until it generated a new number (just to be sure it didn't cache or something). Entered the number when logging in on my account (on another computer) and worked just fine. No internet access needed for the device with the authenticator app (only during first time set up).