Two-Step Authentication Is Too Complicated for Many People

Apple’s recent nude selfie hack illustrated the need for two-step or two-factor authentication (TFA) as a way of hardening the protection for online accounts. You may be familiar with this from banks, some of which use systems where you generate a one-time authentication code that you enter together with your password. It ensures that access to your account requires both something you know (your password) and something you have (a device that generates a code; an app; a cellphone to receive a code by SMS).

Here’s how Apple explains the process:

[Screenshot: Apple's explanation of two-step verification]

In practice, however, this is problematic. I use TFA on Dropbox; whenever I log into Dropbox on a new device, I immediately get a code sent to my iPhone. I enter that code, and I can access my files. But, the other day, I tried to turn on TFA for Google. I went to step 1, where I entered my user name and password, then step 2, where I gave them my cellphone number. Then I waited; and waited. I then clicked a link saying I hadn’t received the code, and I clicked a link to have it sent again. And again. Then the Google site recommended I have them send a voice mail instead of a text message. I waited. And I waited. I finally got a voice call with the code, but when I entered it, it had already expired. I never got any of the text messages, which I requested four times. Needless to say, the way Google works, I would be effectively locked out of my account with no way at all to get back in.
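The one-time code mechanism described in the opening paragraph, and the expired-code failure just described, as an added example that is not Apple's, Google's or Dropbox's code: a server-side check of an RFC 6238 time-based code that accepts only the current and the previous 30-second step and refuses a code that has already been used. The shared secret is a constructed demo value; a real service generates one per account and stores it server-side.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret (not from any real service); a deployment would
# generate one per account, e.g. secrets.token_bytes(20), and store it.
DEMO_SECRET = b"demo-shared-secret-20"
STEP_SECONDS = 30      # RFC 6238 default: the code changes every 30 s
MAX_AGE_STEPS = 1      # also accept the immediately previous step


def totp_code(secret: bytes, now: float, step: int = STEP_SECONDS,
              digits: int = 6) -> str:
    """RFC 6238 time-based one-time code: HMAC-SHA1 over the step counter,
    then the RFC 4226 dynamic truncation to `digits` decimal digits."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class CodeVerifier:
    """Server side: a submitted code is valid only inside a short window
    (so a code delivered late, as in the voice-call case above, is rejected)
    and each step can be consumed once (so a captured code cannot be replayed)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted = -1   # highest step counter already consumed

    def verify(self, submitted: str, now: float) -> str:
        current = int(now) // STEP_SECONDS
        for step in range(current, current - MAX_AGE_STEPS - 1, -1):
            expected = totp_code(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                if step <= self.last_accepted:
                    return "replayed"
                self.last_accepted = step
                return "ok"
        return "rejected"   # wrong code, or outside the accepted window


if __name__ == "__main__":
    now = time.time()
    code = totp_code(DEMO_SECRET, now)
    print(code, CodeVerifier(DEMO_SECRET).verify(code, now))
```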

I’ve thought about activating TFA for my iCloud account, but have you ever looked at Apple’s FAQ for two-step verification for an Apple ID? I make my living writing about computers, and telling people how to use them, and I’m daunted by this page. I once started the process, but it was so scary – full of warnings that if I didn’t print out the Recovery Key, I might never be able to get access to my iCloud data. Needless to say, I gave up.

Two-factor authentication is a powerful tool; my bank uses this, and a banker told me that, since they introduced it, fraud has essentially disappeared. But the way it is implemented for online accounts is problematic, and dangerous. Accessing my data is far too important to trust to a system that can go wrong, as Google’s did, or that is too confusing, as Apple’s is. There has to be a better way.

6 thoughts on “Two-Step Authentication Is Too Complicated for Many People”

  1. Apple’s TFA explanation is all CYA. I activated and it works fine. I put my recovery key in my 1Password archive. Apple’s TFA is FAST! It appears to use a dedicated notification mechanism.

  2. Users without cell phones get locked out of the process. Google at least allows for the code to be sent via my phone, but Apple only allows for SMS messages. Not everyone has or needs a cell phone. I’m disabled and rarely leave my house, so having a cell phone is certainly not needed.

  3. The problem with this method is: if you lose access to both phone and computer, you will likely be locked out of your account.
    To be honest, this is even more dangerous than security questions; at the very least I can put something I know but completely irrelevant to the question itself. But a recovery code? I expect I would need months to memorize it completely, while I may only use this recovery code once or twice. I hate it.
    Now I still use security questions and a strong password to protect my account, and the password is unique.
