Two-factor authentication (2FA) is the latest thing that hundreds of millions of people will likely be dragged into using to secure their private information. It's necessary, and it will irritate most people, even though they have seen the endless reports of sites being cracked and passwords being revealed, whether the passwords were stored in clear text or hashed with a fast, unsalted function that lets crackers cheaply test common passwords against the stolen data.
Making 2FA as painless as possible while preserving its improved security is a challenge: most people already have trouble managing passwords, and this adds another layer. Apple's approach before a few weeks ago wasn't bad; it just wasn't implemented as thoroughly as it is now. However, Apple and others have kept a very large loophole to avoid breaking third-party software, which is exactly the fertile ground in which exploits grow.
Should you use Apple's 2FA? Yes, enable it immediately. Should people who aren't as technical as you use it? Yes, and help them! It takes a little effort to set up, but nearly all of the effort is only required once. Can Apple do even more? You bet; read on.
First, some background
Most readers of this column likely already know that 2FA (also called two-step verification) combines two methods of proving one's valid access to a resource, such as a website or an account. The first method is conventional, typically a password. The second is a token generated by a standalone physical key, a tap of a card, a scan by a biometric sensor, or a few digits generated by an app or sent as a text message to a phone. (There can be three or more factors, but you don't see these in consumer use.)
The notion is to have an "out-of-band" method of creating or validating identity: a password may be stolen, but confirmation requires another path, such as a physical device or an algorithm seeded with a particular secret number that is shared once at enrollment and can't later be discovered. By using a different band to obtain the second factor, even if a password is stolen, access to the account or service remains out of reach. (Keystroke-capturing and other malware can still allow someone's access to be hijacked in real time during an active session, by capturing the code as it is typed or by taking over the session; and site vulnerabilities have been exploited to route around 2FA, too.)
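To make the "few digits generated by an app" concrete, here is an added example (not code from the column or from Apple) of the time-based one-time password scheme that most authenticator apps use, RFC 6238 TOTP built on RFC 4226 HOTP. The app and the server share a secret at enrollment; afterwards each derives the same six digits from that secret and the current 30-second time window, so the code travels on a different band from the password. The secret below is the published RFC 6238 test-vector secret, chosen so the output can be checked against known values; the class and function names are this example's own, and the server-side verifier shows the two checks a practitioner should insist on: a small clock-skew window and rejection of a reused code.

```python
import hashlib
import hmac
import struct
import time

# Shared secret: the "particular number" the app is seeded with at enrollment.
# This is the RFC 6238 test-vector secret (ASCII "12345678901234567890"), used
# here only so results can be checked; a real deployment generates random bytes
# and transfers them once, e.g. via a QR code.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # length of one time window
DIGITS = 6          # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept a code from the current window or +-skew_steps
    neighbours (clock drift), and never accept the same window twice (replay)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # highest window already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue  # this window (or an earlier one) was already used: replay
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET, now)           # what the authenticator app would display
    server = TotpVerifier(SHARED_SECRET)
    print("app shows:", code, "server accepts:", server.verify(code, now))
    print("replay accepted:", server.verify(code, now))  # same code again is refused
```

The verifier's replay check is what stops an attacker who shoulder-surfs or phishes one code from reusing it inside the same 30-second window; it does not help against malware that relays the code in real time, which is the caveat the paragraph above raises.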
In theory, one could have an extremely weak password, like "123456," and rely on the second factor to prevent an exploit. In practice, no sensible person would recommend it, as having a strong first wall — breakable only through a site compromise — is a good defense made stronger by the second wall.