two-factor authentication

Apple & others may soon be barred from using SMS for two-factor authentication

One of the options available when using Apple’s two-factor authentication (2FA) is to have a code sent to you via SMS. The US National Institute of Standards and Technology, which sets the standards for authentication software, says that text messaging is not sufficiently secure, and that its use for two-factor authentication will in future be barred …



Security How-To: Enable two-factor authentication on iOS 9 and OS X El Capitan

Three years ago to the day, Apple added in two-step verification to help improve user security. The verification method relied on the user having another device readily available to help authenticate a sign-in. As of today, Apple has taken that security further by now offering two-factor authentication to all users running iOS 9 and OS X El Capitan.

Both methods strive to increase a user’s foothold in security practices, but both go about doing so in very different ways. Luckily, Apple has chosen to make sure that the end user experience is phenomenal no matter what method they choose.

Getting started with, or switching to, the new two-factor authentication is not without its questions. Let’s dive in and resolve them.



LastPass Authenticator for iOS launches to improve the two-factor authentication process

Security-minded individuals looking to simplify their two-factor authentication logins may want to take a look at LastPass’s new app today, LastPass Authenticator. The iOS App Store currently has a few different apps that can already handle two-factor authentication logins, like Google Authenticator and 1Password. Most of them come with the minor annoyance that once the app is launched, a user has to find the site’s login, and then type the OTP into the site before it expires. LastPass Authenticator looks to improve that experience by allowing users to quickly approve the new login requests directly from their devices.



Apple sends notifications to encourage Apple Music renewals as first trials expire

Image via Jon Brodkin

Tomorrow will mark three months since the launch of iOS 8.4 and Apple Music, and this means that the first free trial sign-ups will begin expiring. In its latest push to retain users, Apple has begun emailing users with set-to-expire trials as well as pushing notifications to their devices. As can be seen in the image above, the notification encourages users to renew.

As we learned in the summer, users who do not manually end their free trial with Apple Music will be automatically opted into continuing their subscription for either $9.99 or $14.99 (family plan). Users who wish to not continue with Apple Music can disable their subscriptions manually via their iTunes account page. Last week, our own Ben Lovejoy weighed the pros and cons of Apple Music in order to make his own renewal decision.



Apple unveils improved two-factor login system and device management with latest software betas

Apple has published a new support document detailing its plans to revamp the existing two-factor authentication system that it first launched last year. The document is careful to differentiate the two systems, referring to the existing one as “two-step verification” and the newer one as “two-factor authentication.”

The latest update to the iOS 9 beta has introduced initial support for the new system, but most users, including those running the beta, will need to wait until later this year to gain access to it.



1Password Mac app updated to support one-time passwords, in line with iOS app

A couple of months after the 1Password iOS app was updated to support one-time passwords, the Mac app has been given the same feature, allowing the popular password manager to support two-factor authentication.

Version 5.3 of the pricey but powerful app also gains a number of other improvements, including improved credit card filling on a number of sites, among them Hilton, Cineplex, Drafthouse, Amazon, and PayPal. More custom fields have been added, and you can add your own fields in secure notes also … 

Five Apple logins remain unprotected by two-factor authentication when using an unknown device

Video: https://www.youtube.com/watch?v=IKKZfZUqk3I

More than four months after Tim Cook promised emailed login alerts and the reintroduction of two-factor authentication in the wake of the high-profile celebrity iCloud hacks, five Apple logins remain unprotected by the system. Hackers of NY founder Dani Grant used videos to demonstrate each of the vulnerabilities in a blog post.

Grant showed that two-factor authentication isn’t needed when using an unknown Mac to log in to iMessage, iTunes, FaceTime, the App Store or Apple’s website. According to Grant, only one of the five services sent an email notification advising that an unknown device was used to log in …

Phone Breaker iCloud-hacking software now supports 2FA, allows access to WhatsApp & iWork files

Elcomsoft’s Phone Breaker software, used by law enforcement agencies but also thought to have been used by iCloud hackers to access celebrity nudes, has been updated to support accounts using two-factor authentication, reports MacWorld. It can also now access WhatsApp message files and iWork documents.

It’s not as scary as it sounds – the software can only be used once the attacker already has an Apple ID and password, together with either a second trusted device or your recovery key. A phishing attack is the most common way to obtain these, so as long as you use strong, unique passwords and don’t click on links in emails claiming to be from Apple, you should be safe. But it does allow users of the software to download either entire iPhone backups or selected data direct from iCloud much more easily than having to go through a compromised device by hand.

The more security-conscious will, though, want to heed Apple’s advice not to store your account recovery code on any of your devices: the software can automatically scan both your Mac and any external drives for these.

If you don’t yet have a recovery code for your Apple ID, do get one: even an unsuccessful hack attempt can lock you out of your account, and without a recovery key, there’s no way back in.

Via Engadget

LastPass matches Dashlane with automated password changing – but it doesn’t yet fully compete

After password manager Dashlane grabbed the limelight yesterday with an automated password changer for 50 top US websites, LastPass has hit back with its own version of the same feature. However, while LastPass supports more sites, it falls short of the Dashlane offering by forcing you to change one password at a time, rather than doing all supported sites en masse, and by not yet supporting sites that employ two-factor authentication.

We’re excited to announce that the Auto-Password Change feature we released to our Pre-Build Team last week is now available for all users in beta. LastPass can now change passwords for you, automatically. We’re releasing this feature for free to all our users, on Chrome, Safari, and Firefox (starting with version 3.1.70) […]

Auto-Password Change already supports 75 of the most popular websites, including Facebook, Twitter, Amazon, Pinterest, Home Depot, and Dropbox.

LastPass notes that it does this while maintaining its secure approach of ensuring that only encrypted versions of the password are ever stored on the LastPass server, with the apps doing the decrypting on your device.

You can download the beta from the LastPass download site. If you’re not yet using a password manager, check out our how-to guide.

Dashlane password manager can now automatically change your password on 50 top US websites

Password managers are a great way to have strong, unique passwords for each website you access – but vital as it is these days, there’s no denying that it’s a chore to change them. Dashlane, a Mac and Windows password manager app, aims to take away the pain by doing it for you automatically across 50 top US websites like Apple, Amazon, Dropbox, Facebook, PayPal, WordPress and Twitter.

Importantly, the app can even cope with sites that employ two-factor authentication to log in or change a password, prompting you for the code when required …

PSA: Make sure you have a recovery key for your Apple ID – you’ll need it if you get hacked

If, like me, you skipped over the recovery key step when switching on two-factor authentication for your Apple ID, thinking that having the password plus a trusted device was sufficient, you’ll want to correct that.

TheNextWeb‘s Owen Williams recently found that if someone tries to hack your account, and you get locked out, there’s no way back in without a recovery key.

While Apple states on its website that a new recovery key can be generated so long as you know your password and have access to one of your trusted devices, this is not true once the account is locked. No recovery key, no access. No amount of pleading by Williams would persuade Apple to help. Apple increased its security measures following the phishing attack on iCloud.

In Owen’s case, he did have a key, he just couldn’t find it. It was only by digging it out of a Time Machine backup that he was able to regain access to his account.

So, if you don’t yet have a recovery key, or can’t lay your hands on one, here’s what you need to do:

  • Go to My Apple ID

  • Select Manage your Apple ID and sign in with your password and trusted device

  • Select Password and Security

  • Under Recovery Key, select Replace Lost Key

Grab this (Typinator, Intensify Pro, Paperless, Pixa, MacJournal, more!) Mac Bundle while it is only a buck or 2

From 9to5Toys.com:

We’ve got a nice 9to5Toys Specials deal on this evening, and the best part is that it is a name-your-own-price deal with bids starting at $1. The earlier you get in, the less you pay. Here’s the list of apps, but frankly Typinator alone is worth it. Go big and 10% of your purchase price goes to a charity of your choice, and you’ll be entered to win a Gold iPad 2 & iPhone 6.

(Update, 6:30am ET: the price is now $3.50)

  • Typinator – $32 – The program that “types” frequently used text for you
  • Hotspot Shield VPN – 1 Year Elite Subscription
  • Starry Night Enthusiast – $80 – Turn your computer into a virtual universe
  • Intensify Pro – $60 – The image enhancer for photographers of all levels
  • Spotdox 3 – $72 – Get access to all your files, on any device, anywhere
  • Data Backup 3 – $49 – Easy, powerful, and flexible backups
  • Paperless – $50 – Fuel your paper-free lifestyle
  • MacJournal 6 – $40 – Multimedia journal for the 21st century
  • Pixa – $25 – Image management and sharing app
  • Must Have Mac App Tutorial – $100 – Learn how to maximize the 9 apps included

 

Apple reminds two-factor users about changes starting tomorrow, provides instructions for passwords

Apple has sent an email to users of its two-factor authentication system reminding them of an upcoming change to the feature that will take effect tomorrow. Originally the requirement for app-specific passwords was supposed to start on the first of the month, but Apple has informed users that it will begin tomorrow instead. The system to generate and use these passwords is already in place.

App-specific passwords allow you to log into applications that don’t support two-factor logins, such as most email clients or other apps that may want to access your iCloud data. You can create these one-time-use passwords from the Apple ID website. Once you’ve generated the password, just plug it into the app you want to use and you’re all set.



New two-factor authentication app Lockdown launches with iCloud syncing, recovery code storage, and more

A new iOS app for managing two-factor authentication keys called Lockdown launched this weekend with a set of unique features like the ability to sync your keys over iCloud with other devices (including an upcoming Mac counterpart). Accounts in the app will also be backed up along with your phone’s data so that you can restore the keys back to a new device, which isn’t possible with other two-factor apps.

Of course, while backing up the keys and syncing them with iCloud provide an increased level of convenience, it’s important to remember that those can also lead to a reduced level of security in some cases. It’s important to balance security with convenience when dealing with something like two-factor authentication, and thankfully Lockdown’s developer recognizes this. All data on the device or backed up to iCloud is encrypted whether it’s in transit or stored on the device or server.

Sites that use two-factor authentication typically also use backup codes for logging into your account in case you lose access to your device. Lockdown offers the ability to store these backup codes right in the app. While that’s an excellent convenience feature, it does somewhat defeat the purpose of the codes. If you’ve stored them only in Lockdown and then lose your phone, you won’t have access to those codes, and thus won’t be able to log into your account. So while this is a handy feature, it’s critical that you store these codes in a secondary location that isn’t on your phone as well.

The developer has told 9to5Mac that an update has been submitted to Apple which includes new features such as support for using Touch ID to protect the application. A Safari extension is planned for a later release to make logging into sites through the phone’s built-in browser even easier.

You can grab Lockdown on the iOS App Store for $3.99.

Apple rolling out app-specific passwords for iCloud, required starting on Oct. 1

Apple has informed iCloud users via email that the company will begin rolling out an app-specific password feature. The feature allows users with iCloud two-factor authentication enabled to use third-party apps.

Apple explains:

Screenshot 2014-09-16 21.44.33

It will be required starting October 1st. Apple has also informed users via email about this morning’s general rollout of two-factor verification for iCloud. 



One third of Americans have improved their online security since the iCloud hacks

A YouGov survey of more than 1,000 American consumers commissioned by security company Tresorit found that just over a third of them have taken steps to beef up their online security in response to the iCloud hacks.

The most common response was to change passwords for stronger ones, with 13 percent creating different passwords for each online service and 6 percent enabling two-step verification … 

Opinion: After the celebrity hacks, the vulnerability that still exists and what needs to be done

There are still many unknowns surrounding the leaked celebrity nudes. While Apple appears to have ruled out a theory that a Find My iPhone vulnerability allowed easy brute-force password attacks, some commentators are suggesting that the wording was sufficiently vague that this may indeed have been one route in. (Apple might be arguing that it’s not a breach if the correct password was required.)

But one thing does now appear clear: rather than a single hacker gaining wide access to iCloud, the photos were instead amassed over time by a number of different individuals likely using several different approaches. Phishing was doubtless one of them – some of the claimed emails from Apple are reasonably convincing to a non-techy person – but another was almost certainly to exploit one of the greatest weaknesses found in just about every online service, including iCloud: security questions.

[Update: Tim Cook has confirmed these were the two methods used] 



Apple finally brings two-factor authentication to iCloud website (updated)

It appears Apple has started rolling out support for two-factor authentication on its iCloud.com website. The feature initially rolled out to the Apple ID management website in the United States and then in several other countries soon after.

Under the new setup on iCloud.com, users can only access Find My iPhone without verifying their identities. Mail, Contacts, and other “apps” require you to enter a passcode that can be texted to any phone number or sent to the Find My iPhone app on properly configured devices.

