Additional login step brings extra layer of protection against hackers for Apple’s messaging and video chat, but more can be done, say experts
The security feature adds an extra layer of protection against hackers trying to access users’ accounts: after logging in with their usual username and password, account holders are asked for a second security code before the messaging and video chat accounts will accept the login.
The login protection was added to Apple’s iTunes and iCloud accounts in March 2013 as an opt-in setting, meaning Apple users who had turned it on for the Apple ID they use to log into a Mac, iPhone or iPad already had the extra security there.
Now the same protection covers two more of Apple’s services: if users who have enabled it log out of FaceTime or iMessage and log in again, or log in on another device, they will need a security code as well as their username and password.
“It’s really great to see Apple extending its two-step authentication to cover more services, particularly person-to-person communication services such as these, which have been so widely abused in the past (Facebook, Skype etc),” said Rik Ferguson, vice president of security research at Trend Micro.
Two-step authentication means that even if an attacker has the username and password for the account, they cannot access it without the extra code. While the extra security is welcome, Ferguson said more can be done to secure user accounts.
“Two-step authentication, such as a message to a mobile device, is still not the same as fully-fledged two-factor authentication. Multi-factor authentication typically relies on something that you know (a password) in addition to either something you have (e.g. a swipe card), or something that you are (a fingerprint),” said Ferguson.
Banks have been using card readers or numeric key fobs with security codes for years. But for internet sites and services, including Facebook, Twitter and Google, the second step is either a code-generating smartphone app or a text message with a code sent to the phone number registered to the account.
“Two-step authentication is simply two sets of something that you know,” said Ferguson. “The ability to enter the SMS-based password doesn’t depend on your ownership of the smartphone, only your access to the text message. If attackers can divert the calls or messages of that device, for example by calling the mobile service provider, this two-step authentication can and has already been subverted.”