Microsoft & Twitter should look to Apple for how security is done, says feds

in iCloud
The US' top cybersecurity official commended Apple's iCloud security, and believes Twitter and Microsoft should look to Cupertino for inspiration on how to get it done.

iCloud has good security
iCloud has good security

In a speech delivered Monday at Carnegie Mellon University, Cybersecurity and Infrastructure Security Agency Director Jen Easterly mentioned Apple as a good example of accountability and transparency in security. For example, she cited Apple's statement that 95% of iCloud users have multi-factor authentication (MFA) enabled, according to CNBC.

MFA is a recommended security feature in which users need to enter a unique code sent to their Apple devices when logging in with an Apple ID under specific circumstances. For example, Apple requires turning on MFA for features and services such as Apple Pay and Sign in with Apple.

According to Easterly, Apple making MFA the default is the reason for the high adoption rate. As a result, "Apple is taking ownership for the security outcomes of their users," she said.

In comparison, Easterly said that Microsoft and Twitter had low MFA adoption rates among users. Roughly one-quarter of Microsoft's enterprise customers use MFA, while fewer than 3% of Twitter users enable it, results she said were "disappointing."

In February, Twitter even placed its SMS security authentication feature behind its paid Twitter Blue subscription -- though free users can still enable MFA via an authentication app or security key, which are more secure than SMS authentication anyway.

However, Easterly still commended the two companies for their transparency in disclosing the adoption numbers.

"By providing radical transparency around MFA adoption, these organizations are helping shine a light on the necessity of security by default," she said. "More should follow their lead -- in fact, every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use."

Easterly further remarked that new legislation should "prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."

Apple has more layers of security on its devices and services than just multi-factor authentication. For instance, it added end-to-end encryption to most of its services in 2022 with the release of Advanced Data Protection.

And as part of ADP, users have a new MFA option with physical security keys, which are small USB devices that can plug into a computer or wirelessly connect to a device using NFC or Bluetooth. Then, it can authenticate an Apple ID or other online login using the device instead of a one-time passcode.

Read on AppleInsider


  • Reply 1 of 7
    Recently had biz email moved to MS.  I definitely understand why their 2FA is under-used.  

  • Reply 2 of 7
    What's Twitter?
  • Reply 3 of 7
    blastdoorblastdoor Posts: 3,374member
    She should give that speech to the FBI. 
  • Reply 4 of 7
    Are they counting FaceID/TouchID as MFA? 95% seems awfully high...
  • Reply 5 of 7
    Are they counting FaceID/TouchID as MFA? 95% seems awfully high...

    In some ways, Apple's 2FA/MFA implementation is automatic. For example, purchasing a movie on an Apple TV prompts another device connected to that same iCloud account to authorize that purchase. No setup or activation was required for that to happen. It's automatic, and a brilliant way to secure the ecosystem.

    Google also achieves this with YouTube-based authorization when signing into an account on another device. The YouTube app puts up a prompt on a secondary device. Zero configuration, as Google's systems already know that a device is logged in using YouTube.
    edited February 2023 watto_cobra
  • Reply 6 of 7
    NaiyasNaiyas Posts: 107member
    jpellino said:
    Recently had biz email moved to MS.  I definitely understand why their 2FA is under-used.  

    Couldn’t agree more with this. It is far easier for small businesses (I’m talking less than 25 people!) to impose 2FA on MS. Any larger and it becomes a mess for support and massively resource intensive. One of the companies I work for imposed it on 6,000 employees “overnight” and they lost over a month of productivity.

    And then there is the single biggest issue with authentication apps where the “backup/sync” option is optional. Most users are not smart enough to turn it on and so they lose access to all of their 2FA codes when they change phones.

    It seems the builders of many MFA implementations failed to grasp the basics of UX. Any kind of friction for the end user in getting done what they want to get done will result in the user giving up or finding an easier, usually less secure, way of doing what they want.
Sign In or Register to comment.