That’s two small steps for man… one giant leap for security

by | Sep 17, 2014 | 1 comment

NOT ONLY does that bastardized quote make an appropriate lead-in to this posting, it reminds us of the fact that although we put a man on the moon way back in 1969, we still rely on passwords to protect our identity online and offline. And because it takes a concerted effort–even with the services of a password manager–to update and strengthen all those passwords, we often end up putting that task off for another day.

In the wake of the recent “celebrity photo iCloud hack,” Apple has been urging all of us to employ “two-step verification,” which, as the name implies, involves a second step beyond simply entering a password in order to verify your identity when you make an iTunes store purchase or update your Apple ID account info. This isn’t a new concept; Apple and many other online services (including Google, Yahoo!, Facebook and Twitter) have offered various flavors of this security enhancement for years.

WHAT IS NEW is that Apple is now officially urging us to make use of two-step verification, in addition to strengthening our passwords. I’m all in favor of anything that makes our accounts more secure, as long as it doesn’t make our computing experience unnecessarily complicated. For most of us I feel the extra step is worth the additional protection, but read on to make sure that it’s a good option for your particular situation.

The additional “step” in two-step verification involves a unique PIN code that is sent to your cellphone via text message (or iDevice, via a “push” notification) once you’ve entered your password. At that point you’ll see a prompt to enter this code, which changes each time it’s used. So this prevents anyone from accessing your iTunes Store account or your iCloud data, even if they are able to guess your password. It’s a relatively simple process and requires only a one-time setup on Apple’s site.
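For readers curious about what happens on the service's side of that second step, here is a minimal sketch, added as an illustration and not Apple's code. The class name, the six-digit code length, the five-minute lifetime and the three-guess limit are all assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6     # assumed code length
CODE_TTL = 300      # assumed lifetime of a code, in seconds
MAX_ATTEMPTS = 3    # assumed number of guesses allowed per code


class TwoStepVerifier:
    """Hypothetical second step, run only after the password check passes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> {"code", "expires", "tries"}

    def issue(self, account):
        """Create a fresh random code for this sign-in attempt.

        The returned code is what would be texted or pushed to the
        registered device; issuing a new one replaces any older one.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = {
            "code": code,
            "expires": self._clock() + CODE_TTL,
            "tries": MAX_ATTEMPTS,
        }
        return code

    def verify(self, account, submitted):
        """Return True only for the current, unexpired, unused code."""
        entry = self._pending.get(account)
        if entry is None or self._clock() > entry["expires"]:
            self._pending.pop(account, None)
            return False
        entry["tries"] -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(entry["code"].encode(), submitted.encode())
        if ok or entry["tries"] <= 0:
            del self._pending[account]  # single use, or guesses exhausted
        return ok


if __name__ == "__main__":
    verifier = TwoStepVerifier()
    sent = verifier.issue("user@example.com")  # constructed account name
    print("right code accepted:", verifier.verify("user@example.com", sent))
    print("same code reused:   ", verifier.verify("user@example.com", sent))
```

Someone who has only guessed the password never sees the code sent to the device, and a code that has been used, has expired or has been guessed at too many times is thrown away.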

KEEP IN MIND, however, that if you decide to enable and use two-step verification (TSV), you must have a cell phone that can accept SMS text messages (most can) in order to set it up, and you must have that cell phone (or any iDevice on which you’ve enabled Find My Phone) with you whenever you want to do any of the following:

  • Make a purchase from the iTunes Store, iBooks Store or App Store, whether on your Mac or any of your iDevices
  • Make any changes to your Apple ID info (credit card, password, etc.)
  • Sign into the iCloud Web site
  • Call Apple for help with your Apple ID

One other word of caution: Once you enable TSV, your Apple ID password is encrypted in such a way that even Apple can’t retrieve it for you. That’s why in the setup process you are prompted to create an emergency Recovery Key, which can be used in the event you forget your password. Obviously you will want to keep that in a safe place on your Mac, ideally within your password manager or in a Word document that is password-protected.

SHOULD YOU determine that two-step verification is the way to go for you, start with the setup instructions here:

Frequently asked questions about two-step verification for Apple ID:
http://support.apple.com/kb/HT5570

and then check out this Wall Street Journal article, which details how to enable TSV for many other Web sites:

Safety First! How to Sign Up for Two-Step Verification on 11 Top Online Services:
http://blogs.wsj.com/personal-technology/2014/04/11/safety-first-how-to-sign-up-for-two-step-verification-on-11-top-online-services/

If you’ve determined that you don’t want to go the TSV route, that’s perfectly fine, but only if you’ve created very strong passwords for your Apple ID and any other Web properties that contain your personal or financial info.

SO THAT’S two-step verification. Unlike the moon landing, it’s not rocket science. But compared to using only a password–especially a “weak” one–it really is one giant leap for security.

1 Comment

  1. Ron Chen

    Gil, I learned a lot from this posting. Thanks!
