One more time: Use two-factor authentication on iCloud, even if there's a waiting period
- 03 September, 2014 08:28
Celebrities probably aren't used to proving they are who they say they are. People recognize them wherever they go. Your online accounts should not treat you like a celebrity.
Forget about remembering you from last time--even just giving your username and password shouldn't be enough to get you through the door. Two-factor authentication is the way to go, especially for cloud storage services, where you might be storing all kinds of private data you don't want hackers to find.
Two-factor authentication adds another layer of security: First, you have your username and password, something you know. But since it's possible for someone else to crack your password, the second layer of two-factor authentication hinges on something you own, typically your smartphone. Once you log in, you're sent a single-use security code, often as a text message, and you have to enter that too, to access your account. So if someone tries to log in with your password, but they don't also have physical access to your phone to get that second security code, they can't log in.
We've already covered how--and why--to set up two-factor authentication for Dropbox, Facebook, Google, Microsoft (which includes your SkyDrive and Outlook.com webmail), PayPal, and Twitter. I just double-checked, and all those instructions still work as written.
But Jennifer Lawrence, Kate Upton, Kirsten Dunst, and the other affected celebrities had their iCloud accounts hacked. iCloud has two-factor authentication, but it's buried in an obscure part of settings--this guide can walk you through the whole process. Apple says the hack wasn't the result of a general iCloud vulnerability, but rather a targeted attack where hackers sniff out user names, passwords, and the answers to those dumb security questions.
Besides helping you create and remember strong passwords, a good password manager like F-Secure Key, KeePass, Dashlane, or 1Password can also help you strengthen the answers to those security questions. That's an amazing idea, since, as TUAW uncovered, iCloud's two-factor authentication isn't automatically triggered by someone logging into your account from a new machine.
And that's not the only problem with iCloud--Apple might subject you to a waiting period to turn on two-factor authentication in the first place. When I tried to turn on two-factor authentication on my iCloud account this morning, I was first prompted to change my password. (My current password was a mnemonic device that consisted of upper- and lower-case letters and some punctuation, but Apple wanted me to add some numbers in there, too.) So I changed it, because I couldn't continue without doing so. Then when I continued in my quest to enable two-factor authentication, I ran into a three-day waiting period... because, as this FAQ explains, I'd recently changed my password. OK, then.
As annoying as that is ("But I want increased security noooooow!"), this waiting period actually makes sense. If someone had hacked into my iCloud account, changing my password would probably be one of the first things the jerk would do. This waiting period would give me three days to notice my password has been changed before the hacker could also enable two-factor authentication to lock me out even further. When I requested two-factor authentication in iCloud, Apple also emailed all the associated email addresses on that account, with instructions for notifying Apple Support if the requestor wasn't really me. When the waiting period is over, I'll get another email letting me complete the setup.
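A minimal model of the two mechanisms described above (the single-use second-factor code, and the hold on enabling two-factor authentication right after a password change, with the email to every associated address), added here as an illustration and not Apple's code; the six-digit code format and its ten-minute lifetime are assumptions, since the article gives neither.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ENROLL_HOLD = 3 * 24 * 3600      # seconds: the three-day wait the article describes
CODE_LIFETIME = 10 * 60          # seconds: assumed; the article gives no code lifetime

@dataclass
class Account:
    password: str
    emails: list                 # every address associated with the account
    password_changed_at: int     # unix time of the last password change
    two_factor: bool = False
    pending_code: str = None
    code_issued_at: int = 0
    notifications: list = field(default_factory=list)

def request_two_factor(acct, now):
    """Hold enrollment until ENROLL_HOLD has passed since the last password change,
    and email every associated address so the real owner can contact support."""
    ready_at = acct.password_changed_at + ENROLL_HOLD
    if now < ready_at:
        for addr in acct.emails:
            acct.notifications.append((addr, f"two-factor requested; completes at {ready_at}"))
        return "waiting", ready_at
    acct.two_factor = True
    return "enabled", now

def issue_code(acct, now):
    """Generate the single-use code that would be texted to the phone."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    acct.code_issued_at = now
    return acct.pending_code

def verify_login(acct, password, code, now):
    """Something you know, then something you own: the code is compared in constant
    time, expires after CODE_LIFETIME, and is consumed on its first use."""
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        return False
    if not acct.two_factor:
        return True
    if acct.pending_code is None or now - acct.code_issued_at > CODE_LIFETIME:
        return False
    ok = hmac.compare_digest(code.encode(), acct.pending_code.encode())
    acct.pending_code = None     # single use: one attempt per issued code
    return ok
```

A replayed code, an expired code, or a request to enable two-factor within the hold all fail, which is the behaviour the article argues for.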
Until passwords finally die, two-factor authentication is one of the best tools we have against hackers sneaking their way into our accounts. Be sure to use it.