Apple activates two-step authentication for iCloud Web portal
In a bid to secure its online consumer services, Apple on Tuesday activated two-factor authentication for iCloud.com access, allowing only basic access to Find My iPhone for those opted in to the security layer.
As seen in the screenshot above, the iCloud.com portal is now protected by Apple's two-step authentication system, which requires users to enter a dynamically generated code sent to a trusted device prior to gaining access to the service.
Apple first tested the extra layer of iCloud.com security in June, more than one year following the protocol's introduction for Apple ID accounts in 2013.
In practice, iCloud.com two-step verification asks users logging in to provide both a password and a four-digit code, the latter of which is sent to a trusted device through text, iMessage or push notification. Apple ID owners can add trusted devices through the Apple ID management webpage.
Once a user is confirmed, all iCloud.com assets are unlocked until a user signs out or closes their browser window. Find My iPhone is left active by default, allowing users to remotely deactivate or wipe a trusted device that is stolen or lost.
At the time of this writing, Apple's implementation of two-factor iCloud.com authentication has effectively broken a number of forensics tools like ElcomSoft's iCloud backup and password breaker programs. The tools were supposedly employed by nefarious users to garner photos from celebrity devices, which were then disseminated on the Web earlier this month.
Comments
Nice. One thing you have to hand to Tim Cook's Apple- it acts pretty damn fast.
It says that Apple only allows basic access to Find my iPhone when opted into the security layer. Wouldn't it allow full access if you're opted in? I think you mean that if you haven't enabled the two step, you can only use Find my iPhone but not the other things until you've added the two step access.
I don't log into iCloud all that often, but I just did, to test this two-step system, and after I logged in with my Apple ID, that was it. I was in iCloud, everything was accessible and it never asked me for any security code.
Why is that?
Maybe you've already set it up? Or is it US only?
I am in the US.
I do already have two-step setup on my iOS devices, but I thought that it would ask me for the security code whenever I try to log into iCloud, at least that's what I thought after reading the OP. I guess that I'm mistaken about that, and since I already have two-step setup on my devices, it just allows me to log onto iCloud without the security code.
Because your nude pics aren't security code worthy.
Worked as advertised, sending a 4-digit code to my iPhone.
Is there any extra protection against the Elcom backup downloader if 2-step auth is *not* yet set up?
For example, with at least one person I know, I can reset their Apple ID password, knowing only the Apple ID, birthdate and one security question (I guess they never set up 2.)
Didn't the Elcom downloader rely only upon that?
(And yes, I did see the bit how Apple will now send out email/device notifications after such a breach ex-post-facto.)
Ugh, it might be. I'm with Bell Canada, and can't configure 2-factor because the SMS message never arrives at my phone and there doesn't seem to be any way past that [even though the 'didn't receive the sms' help seems to indicate it is possible to do so].
A fairly rare "stupid Apple" thing...
You can also choose to have the code delivered to another device instead of SMS. I had the choice of SMS or to a number of iOS devices that I have.
I chose an iOS device and in literally one second the code showed up on the screen.
How/where? For me, step 1 is set up trusted devices, "Your trusted devices are used to verify your identity. You must have at least one phone number that can receive SMS messages." I can add my phone number, then I can press Continue to enter a code I never receive, or press Cancel to abort the process. So I can't progress past this point.
And it seems stupid to require one of your trusted devices to be able to receive SMS messages, as it doesn't require actually sending an SMS message...
I have 2 iOS and a MBP connected to iCloud/Facetime/Messages.
Is there also a set of one-time codes you can print out and keep with you? (I ask b/c Google offers that) For as rarely as I have to authenticate with two steps in general (once I logged in all my regular devices), whatisgoingon could probably get by just printing one of those off every three months or so, after the initial run of logins on various devices.
Gotta love 2-step authentication. But I would like Apple to launch an authenticator app. It greatly increases the convenience of 2-step authentication. I don't get it, there are apps for everything yet this is still via SMS. Sure it's an adequate solution but an authenticator app is so much better in my view.
I think I prefer SMS, since it's not reliant on an Internet connection. SMS is often available even when mobile data is not. At my office, personal devices are not allowed on wifi, and there are areas of the building where mobile data doesn't work, but SMS does, and there are wired connections on desktops.
I signed into my iCloud account (had already set up the 2 factor authentication), and received an email in less than 1 minute from Apple support that my iCloud account had been accessed! Awesome!
I had set up my devices a long time ago, so you do perhaps have to go through the SMS to phone step at least once.
I think that I read something about certain telecoms blocking certain SMS messages, so perhaps that is your problem, if it is your telecom that is blocking the SMS from Apple.
There is a recovery key that you get when first setting up two step authentication.
"I do already have two-step setup on my iOS devices, but I thought that it would ask me for the security code whenever I try to log into iCloud, at least that's what I thought after reading the OP. I guess that I'm mistaken about that, and since I already have two-step setup on my devices, it just allows me to log onto iCloud without the security code."
If you already use two-step AND you are already on a trusted device AND you are using an already trusted browser (Safari saves your login credentials) then you will automatically log in and be unlocked. Try testing by downloading the Google Chrome browser (I did) THEN attempt to log in to iCloud.com OR you can delete the Safari password credentials OR you can untrust all your devices from appleid.apple.com.
That is correct. I eventually found out that it wasn't requiring me to enter a security code because I was on my desktop, which I had used a number of times before to log in.
Edit: just tested it just to be sure. Data and WiFi off and waited until it generated a new number (just to be sure it didn't cache or something). Entered the number when logging in on my account (on another computer) and worked just fine. No internet access needed for the device with the authenticator app (only during first time set up).