Yesterday I mentioned two things that you should do to guard against brute force attacks - something which I'm told Apple has not fully mitigated yet - and password concurrency. To wit: longer passwords and different passwords across different services.
There remains one further weakness, one which exploits a systemic failure in the password management of almost all internet services: security questions.
For me this is particularly relevant at the moment, as I'm currently trying to dissuade a large enterprise organisation from implementing remote access using security questions (AKA challenge / response) for 18,000 of its users.
The problem for these internet services is that coming up with a selection of questions which are unique, memorable and universal is very hard indeed. And of course most of the information that can be legitimately considered suitable for a challenge / response solution is discoverable through simple social engineering.
Fortunately more and more services are implementing two-factor authentication (2FA). This is based on having two 'keys' to your account, one that you know and one that you possess. Without both you don't get access.
Foremost amongst implementers of this measure have been the banks. For them security is of paramount importance. And where the banks lead other services should follow.
Google has a particularly good 2FA system, which requires you to enter a token sent via SMS to your phone before allowing access to your account on a device. For your secure devices you can choose to bypass this code once you've logged on, but any new device attempting to access your Google account requires verification. In terms of notifying you of unauthorised access to your account this is as good as it gets. There is a bit of user friction when first turned on, especially if you use Google services on devices which aren't Android or iOS, but it's worth that hassle, so turn it on.
Apple also has a 2FA solution, although it works slightly differently. In this case the second factor is only required if you request a password reset. In terms of preventing the sort of social engineering attacks which the alternative challenge / response system invites this is a major improvement. It isn't a complete solution in the same way that Google's is, but it does offer a much improved level of protection. If you have iCloud you should implement it immediately.
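To make the two flows above concrete, here is an added example (my own illustration, not code from Google or Apple) of a login that needs both factors, remembers a device once it has been verified, and gates a password reset on the second factor. The `Account` class, the simulated SMS outbox and the code lifetime are all constructed for the example.

```python
import hmac
import secrets
import time
# Constructed model of the flows described above: login needs a password
# (known) plus a one-time code sent out of band (possessed); trusted devices
# skip the code once verified; a password reset always needs the code.
CODE_TTL_SECONDS = 300

class Account:
    def __init__(self, password):
        self._password = password        # toy only; store a salted hash in practice
        self.trusted_devices = set()
        self.sms_outbox = []             # stands in for the user's phone (constructed)
        self._pending = None             # (code, expiry) awaiting verification

    def send_second_factor(self):
        # Issue a fresh single-use code and "send" it to the phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = (code, time.time() + CODE_TTL_SECONDS)
        self.sms_outbox.append(code)

    def _verify_code(self, code):
        if self._pending is None:
            return False
        expected, expiry = self._pending
        self._pending = None             # single use, whether or not it matches
        return time.time() <= expiry and hmac.compare_digest(expected, code)

    def login(self, password, device_id, code=None):
        # Factor 1: a wrong password is rejected before any code is issued, so
        # the SMS step cannot be used to confirm password guesses.
        if not hmac.compare_digest(self._password.encode(), password.encode()):
            return "denied"
        if device_id in self.trusted_devices:
            return "ok"                  # already verified once on this device
        # Factor 2: a new device must present the code delivered out of band.
        if code is None:
            self.send_second_factor()
            return "code_required"
        if not self._verify_code(code):
            return "denied"
        self.trusted_devices.add(device_id)
        return "ok"

    def reset_password(self, new_password, code):
        # The reset itself is gated on the second factor (the Apple-style check).
        if not self._verify_code(code):
            return False
        self._password = new_password
        self.trusted_devices.clear()     # every device re-verifies after a reset
        return True
```

Note that a used or expired code is never accepted a second time, so a code that leaks after use gives an attacker nothing.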