Apple is to upgrade the two-factor authentication security in iCloud following a breach of customers accounts
Following a well-publicized series of compromised accounts on its iCloud service that resulted in personal photos of celebrities shared on the internet, Apple CEO Tim Cook announced that the company would be soon be sending emails and push notifications to customers when certain security-related actions occurred on their account.
In an interview with The Wall Street Journal, Cook said that Apple will start sending notifications within the next two weeks.
“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he stated. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”
Upon investigating the situation, Apple engineers found that the iCloud accounts had their passwords reset by targeted phishing attempts to get user names and passwords, plus correctly answering security questions that could be sometimes be easily guessed for celebrities in the public eye.
- The new alerts will be sent via email and iOS push notifications in the following scenarios
- When someone attempts to change an account password
- When someone tries to restore iCloud data to a new device
- When a device logs into an iCloud account for the first time Previously, Apple would only send email notifications to users in situations where financial transactions were made, such as when App Store or iTunes purchases were made on a new device, but not when personal data was retrieved from the iCloud service on a new device.
With the new notifications, Apple hopes to give customers an opportunity to take action immediately, with possible actions including changing their password to lock out other users and alerting Apple’s security team to intrusions.
In addition to the new notifications, Apple will also expand its two-factor authentication service which I wrote about last week. Two-factor authentication involves sending a special four-digit code to an existing device, with that code entered alongside your password upon login.
Beginning in iOS 8, expected for release in the next few weeks, the secure code will need to be entered when accessing iCloud accounts from a mobile device. This is in addition to the situations where two-factor authentication was needed previously:
- When signing into appleid.apple.com to manage an Apple ID or iCloud account
- When making an iTunes, App Store, or iBooks Store purchase from a new device
- When getting Apple ID-related support from Apple Two-factor authentication is a popular method of securing accounts used by many companies, including Google and Dropbox. Activating it is highly recommended for all users, particularly those who are in the public eye in some way.
I also recommend a password manager like Agilebits’ 1Password, which I have written about previously.
Using both a password manager and two-factor authentication on all accounts that offer it is the best way for users to keep their internet accounts secure.