iPad & iPhone User - USA (2020-03)

Two factor awakens
For those intent upon securing their data, two-factor
authentication (2FA) has become a must-have. Apple
has done a pretty solid job both of implementing 2FA
for its own systems and of making it easier to use the
system in its most common form, via SMS text message,
by providing an autofill feature.
However, it’s become increasingly apparent that
SMS isn’t the most secure of vectors for authentication,
thanks to the relative ease of spoofing phone numbers.
Instead, users are better off taking advantage of
authentication apps that can generate such codes
locally on a device, such as Authy, Google Authenticator,
or 1Password. The downside with this method is that
it’s definitely less convenient than SMS, especially with
the autofill feature.
So perhaps it’s time for Apple to expand its own 2FA
system to third parties, perhaps even a system where
authenticator apps can hand off a code when prompted,
à la the SMS autofill. This feature already exists to some
extent: Authy, for example, can, in some cases, bring
up a 2FA code when requested. (I’ve only seen it for
my Twitch account, which apparently uses Authy’s own
API.) Apple seems well positioned to improve the 2FA
experience for its users, thus hitting that rare balance
of improved security and convenience.

Stick to its guns
But security’s not just about technology: it’s also
about policy. It’s great that Apple has made security
and privacy a priority, but going forward, it needs to
reinforce that not only by sticking to its guns – such
