Apple’s recent nude selfie hack illustrated the need for two-step or two-factor authentication (TFA) as a way of hardening the protection for online accounts. You may be familiar with this from banks, some of which use systems where you generate a one-time authentication code that you enter together with your password. It ensures that access to your account requires both something you know (your password) and something you have (a device that generates a code; an app; a cellphone to receive a code by SMS).
Here’s how Apple explains the process:
In practice, however, this is problematic. I use TFA on Dropbox; whenever I log into Dropbox on a new device, I immediately get a code sent to my iPhone. I enter that code, and I can access my files. But the other day I tried to turn on TFA for Google. I went to step 1, where I entered my user name and password, then step 2, where I gave them my cellphone number. Then I waited, and waited. I clicked a link saying I hadn’t received the code, and then a link to have it sent again. And again. Then the Google site recommended I have them send a voice call instead of a text message. I waited. And I waited. I finally got a voice call with the code, but when I entered it, it had already expired. I never received any of the text messages, which I requested four times. Needless to say, had TFA already been active and the codes failed to arrive like this, the way Google works I would have been effectively locked out of my account with no way at all to get back in.
I’ve thought about activating TFA for my iCloud account, but have you ever looked at Apple’s FAQ for two-step verification for an Apple ID? I make my living writing about computers, and telling people how to use them, and I’m daunted by this page. I once started the process, but it was so scary – full of warnings that if I didn’t print out the Recovery Key, I might never be able to get access to my iCloud data. Needless to say, I gave up.
Two-factor authentication is a powerful tool; my bank uses this, and a banker told me that, since they introduced it, fraud has essentially disappeared. But the way it is implemented for online accounts is problematic, and dangerous. Accessing my data is far too important to trust to a system that can go wrong, as Google’s did, or that is too confusing, as Apple’s is. There has to be a better way.