To the non technical person and the technical person alike, passwords are a hassle in todays tech filled world. Take me for example, I use no less than three password repositories to manage a minimum of 343 passwords. Some passwords are coupled with security questions, some with encryption keys, others use two factor authentication and even app specific passwords.
Today I want to cover two of these methods and briefly discuss the meaning/possible issues surrounding them. A password is the primary factor in security today. It is the key that opens the lock on the front door of your data. In basic security terms it constitutes “something you know”. When working to achieve a more secure environment multiple factors reduce the likelihood of a breach. In most secure environments the factors include things like “something you know” like a password, “something you have” a key fob or iPhone, and “something you are” a fingerprint or retina scanner. Although it may seem overkill, it’s really essential to add those extra layers to unlock that door.
The first one we will cover today is two step. This is a bit older method that is used by apple to keep your Apple ID private. The two steps include your password as well as an encryption key that is given to you at the setup of two step. Once this key is shown, it will not be shown again. The downside to this is obvious. If you loose the key then your account will be locked. I have seen a client locked out of an important Apple ID before. They lost the key and were unable to retrieve their Apple ID. It was the primary and an administrator for an Apple School manager account. It was devastating to loose as the client was forced to start over with a new ID and new portal.
The more modern option introduces an actual second factor to the process covering the question of “something we have” as in your iPhone, iPad, or Mac. This method of securing your Apple ID will send a push notification to all of your integrated devices and give a unique 6 digit code as the second input after the password is given. This method while not perfect is preferable and quite a bit more secure than the former.
The consequences of not stepping a two factor on an apple device is rare but can be devastating. The attacker will login to your iCloud account with the one and only factor, your password. The attacker then has the option to lock your device and request money for the 6 digit key that locks your machine in an unusable state. When using two factor, you would get a message telling you that someone was trying to login and you are prompted to allow or disallow the log in.
The biggest downside to two factor that has recently made headlines is the loss of privacy by allowing the service to obtain your cell phone number. If you have noticed an increase in calls to your cell phone asking for student loan help, the FBI trying to reach you, or some other sales pitch, it may be due to the service providing you with two factor selling your number off to third party companies. As you can see, it is a trade off, more security less privacy. That is a very tough pill to swallow, but something we must consider as we navigate the new wave of technology that we live in.
Below are some references to the apple articles on two step and two factor as well as a few others for a little more official take on the security methods apple uses.
Two-step verification: https://support.apple.com/en-us/HT204152
Two-factor authentication: https://support.apple.com/en-us/HT204915
App-specific passwords: https://support.apple.com/en-us/HT204397
Getting verification codes with 2FA: https://support.apple.com/en-us/HT204974