CIO

Apple steps up security with native two-factor and 6-digit passcodes in iOS 9

Nestled in the middle of the iOS 9 announcements were two security-related bumps: Apple now suggests you set a six-digit passcode instead of a four-digit one, and two-factor authentication becomes a built-in part of iOS (and OS X) rather than an afterthought.

Orders of magnitude harder

The first change is easier to explain. It's up to 100 times harder to crack a truly random six-digit code (that is, not a pattern like "111111" or "123456") than a four-digit one, because the space of possible codes grows from 10,000 to 1,000,000. While brute-forcing 10,000 codes into an iOS device seems unlikely, a set of researchers recently exploited a power-off issue in iOS devices to create an automated four-digit cracking system. Breaking the code takes from 6 seconds to 17 hours, they say.

The new passcode prompt asks for six characters. For newer iOS devices with Touch ID, the majority of what Apple now sells, one has to enter a passcode only occasionally if fingerprint recognition is enabled. Apple does let people backslide: tap Passcode Options, and you can pick the older 4-Digit Numeric Code. Most people never tap for options, however.

If the same cracking routine could work with a new version of iOS, then the cracking time would range from 6 seconds to... nearly seven months.
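To make the arithmetic behind the "100 times harder" claim concrete, here is a small calculator added for this page (it is not the article's or Apple's code, and it does not model the researchers' actual attack). It assumes a constant cost per guess, set here to 6 seconds, loosely taken from the page's best-case figure; under that assumption it reproduces the roughly 17-hour worst case for four digits and scales it by the 100x keyspace ratio for six. The weak-pattern check generalizes the page's "111111"/"123456" examples to any code made of one repeated digit, a straight run, or a repeated half, which is the kind of check a device-management policy might apply before accepting a passcode.

```python
import math

# Assumed constant cost of one guess, in seconds (constructed from the page's
# best-case figure of 6 seconds; the real attack's timing may differ).
SECONDS_PER_ATTEMPT = 6.0


def digit_keyspace(length):
    """Number of distinct numeric codes of the given length."""
    return 10 ** length


def entropy_bits(length):
    """Bits of entropy in a uniformly random numeric code of the given length."""
    return length * math.log2(10)


def worst_case_seconds(length, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Time to exhaust the whole keyspace at a constant per-guess cost."""
    return digit_keyspace(length) * seconds_per_attempt


def is_weak_pattern(code):
    """Flag codes an attacker would try first: one repeated digit, an
    ascending/descending run (including wrap-around like 890123), or a code
    whose two halves are identical (123123)."""
    if not code.isdigit():
        raise ValueError("numeric passcode expected")
    if len(set(code)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    if steps in ({1}, {9}):  # every step is +1 (ascending) or -1 (descending)
        return True
    half = len(code) // 2
    if len(code) % 2 == 0 and code[:half] == code[half:]:
        return True
    return False


def compare_lengths(short_len, long_len, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Summarize how much harder a longer code is to exhaust."""
    return {
        "keyspace_ratio": digit_keyspace(long_len) // digit_keyspace(short_len),
        "extra_bits": entropy_bits(long_len) - entropy_bits(short_len),
        "short_worst_hours": worst_case_seconds(short_len, seconds_per_attempt) / 3600,
        "long_worst_days": worst_case_seconds(long_len, seconds_per_attempt) / 86400,
    }


if __name__ == "__main__":
    summary = compare_lengths(4, 6)
    print(f"6-digit keyspace is {summary['keyspace_ratio']}x the 4-digit one "
          f"(+{summary['extra_bits']:.2f} bits)")
    print(f"4-digit worst case: {summary['short_worst_hours']:.1f} hours")
    print(f"6-digit worst case: {summary['long_worst_days']:.1f} days")
    for sample in ("111111", "123456", "654321", "123123", "493815"):
        print(sample, "weak" if is_weak_pattern(sample) else "ok")
```

The keyspace ratio is exact; the time figures are only as good as the constant-cost assumption, and a real lockout or escalating delay between attempts changes them entirely, which is the point of the erase-after-ten-attempts setting rather than code length alone.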

Factor that into your experience

Apple added two-step verification to some kinds of accounts in March 2013, and extended it to additional services, including iCloud, over the next 18 months. Right now, Apple relies on notifications and the Find My iPhone conduit to provide users with a four-digit token to enter to confirm they're legitimate. And two steps aren't required everywhere. I can still log into my developer account with just my Apple ID and no second check of identity.

Apple clearly aims to step up its game by integrating two-factor authentication as a function of iOS 9 and OS X 10.11 El Capitan, though full details are yet to emerge. Apple confirmed that El Capitan will also feature integrated two-factor support. (Note that Apple said "two-factor," not "two-step"; that might be a tiny bit significant.)

In the new system, it looks like more sophisticated options will be used. In a screen capture on the iOS 9 preview page, a user is prompted on an iPad to tap Don't Allow or Allow when an Apple ID login is being attempted from another device. The inset modal dialog box tells the user not only the requesting device's name and account but also the device's location on a map.

Making it more straightforward, graphical, and informative could prompt more people to adopt it than the current method does. A similar improvement was made a few releases ago in OS X and iOS for pairing Bluetooth devices: rather than typing on one device a code displayed on the other, a user only needs to confirm that both devices show the same code.

Two-step systems aren't a panacea for all security breaches. Rather, they deter phishing, in which someone is fooled into giving up a password. The password and the second factor are each useless on their own: gain one and the other is still required. They also help when passwords are stolen from other sites where people re-use the same credentials, that is, the same email address and password across multiple sites. They typically shift the point of attack from the whole world to physical proximity, reducing exposure in both means and likelihood.

Apple has consistently used the term "two-step verification" until now, as its system didn't require that the code be sent to a device other than the one you were using. A code can be sent via SMS to any number as well as to any registered iOS device, but not to any OS X device. SMS isn't precisely secure, and because of SMS forwarding with Continuity starting in Yosemite and iOS 8.1, you might log in on a computer on which a confirming token sent via SMS appears onscreen. (I wrote about this in depth in an October 2014 Private I column.)

Two-factor authentication includes the benefit of two-step verification, deterring remote-only attacks. But it also helps against attacks in which someone has physical proximity to equipment or devices. To qualify as separate factors, elements like a password (something you know), a phone (something you own), and a biometric measurement (something you are) shouldn't be stored together or accessible in the same way. If someone gains access to one thing--hopefully not your fingertip!--they can't access the others, too.

On its iOS 9 preview page, Apple shows both what appears to be its new method, described above, and an iPhone screen on which a six-digit code has to be entered (up from four digits today). Its text description doesn't explain the new method, nor why Apple picked a new term. We should start learning more about this soon, but it's a good sign.

The more that improvements in two-step or two-factor identity proofs increase the number of people who enable them, the less susceptible those people are to exploitation, identity theft, and worse.