Microsoft & Twitter should look to Apple for how security is done, says feds
The US' top cybersecurity official commended Apple's iCloud security, and believes Twitter and Microsoft should look to Cupertino for inspiration on how to get it done.
iCloud has good security
In a speech delivered Monday at Carnegie Mellon University, Cybersecurity and Infrastructure Security Agency Director Jen Easterly mentioned Apple as a good example of accountability and transparency in security. For example, she cited Apple's statement that 95% of iCloud users have multi-factor authentication (MFA) enabled, according to CNBC.
MFA is a recommended security feature in which users need to enter a unique code sent to their Apple devices when logging in with an Apple ID under specific circumstances. For example, Apple requires turning on MFA for features and services such as Apple Pay and Sign in with Apple.
According to Easterly, Apple making MFA the default is the reason for the high adoption rate. As a result, "Apple is taking ownership for the security outcomes of their users," she said.
In comparison, Easterly said that Microsoft and Twitter had low MFA adoption rates among users. Roughly one-quarter of Microsoft's enterprise customers use MFA, while fewer than 3% of Twitter users enable it, results she said were "disappointing."
In February, Twitter even placed its SMS security authentication feature behind its paid Twitter Blue subscription -- though free users can still enable MFA via an authentication app or security key, which are more secure than SMS authentication anyway.
However, Easterly still commended the two companies for their transparency in disclosing the adoption numbers.
"By providing radical transparency around MFA adoption, these organizations are helping shine a light on the necessity of security by default," she said. "More should follow their lead -- in fact, every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use."
Easterly further remarked that new legislation should "prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."
Apple has more layers of security on its devices and services than just multi-factor authentication. For instance, it added end-to-end encryption to most of its services in 2022 with the release of Advanced Data Protection.
And as part of ADP, users have a new MFA option with physical security keys, which are small USB devices that can plug into a computer or wirelessly connect to a device using NFC or Bluetooth. Then, it can authenticate an Apple ID or other online login using the device instead of a one-time passcode.
Read on AppleInsider
iCloud has good security
In a speech delivered Monday at Carnegie Mellon University, Cybersecurity and Infrastructure Security Agency Director Jen Easterly mentioned Apple as a good example of accountability and transparency in security. For example, she cited Apple's statement that 95% of iCloud users have multi-factor authentication (MFA) enabled, according to CNBC.
MFA is a recommended security feature in which users need to enter a unique code sent to their Apple devices when logging in with an Apple ID under specific circumstances. For example, Apple requires turning on MFA for features and services such as Apple Pay and Sign in with Apple.
According to Easterly, Apple making MFA the default is the reason for the high adoption rate. As a result, "Apple is taking ownership for the security outcomes of their users," she said.
In comparison, Easterly said that Microsoft and Twitter had low MFA adoption rates among users. Roughly one-quarter of Microsoft's enterprise customers use MFA, while fewer than 3% of Twitter users enable it, results she said were "disappointing."
In February, Twitter even placed its SMS security authentication feature behind its paid Twitter Blue subscription -- though free users can still enable MFA via an authentication app or security key, which are more secure than SMS authentication anyway.
However, Easterly still commended the two companies for their transparency in disclosing the adoption numbers.
"By providing radical transparency around MFA adoption, these organizations are helping shine a light on the necessity of security by default," she said. "More should follow their lead -- in fact, every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use."
Easterly further remarked that new legislation should "prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."
Apple has more layers of security on its devices and services than just multi-factor authentication. For instance, it added end-to-end encryption to most of its services in 2022 with the release of Advanced Data Protection.
And as part of ADP, users have a new MFA option with physical security keys, which are small USB devices that can plug into a computer or wirelessly connect to a device using NFC or Bluetooth. Then, it can authenticate an Apple ID or other online login using the device instead of a one-time passcode.
Read on AppleInsider
Comments
In some ways, Apple's 2FA/MFA implementation is automatic. For example, purchasing a movie on an Apple TV prompts another device connected to that same iCloud account to authorize that purchase. No setup or activation was required for that to happen. It's automatic, and a brilliant way to secure the ecosystem.
Google also achieves this with YouTube-based authorization when signing into an account on another device. The YouTube app puts up a prompt on a secondary device. Zero configuration, as Google's systems already know that a device is logged in using YouTube.
And then there is the single biggest issue with authentication apps where the “backup/sync” option is optional. Most users are not smart enough to turn it on and so they lose access to all of their 2FA codes when they change phones.
It seems the builders of many MFA implementations failed to grasp the basics of UX. Any kind of friction for the end user in getting done what they want to get done will result in the user giving up or finding an easier, usually less secure, way of doing what they want.