Apple wasn't early on the 2FA bandwagon, seemingly in large part because of the burden it imposes on regular users who may worry about security, but who don't want the friction that a second factor imposes. I've used a numeric token generator at eBay/PayPal and a stock-trading site for several years, and added Google's 2FA when it became available. Large companies were using smart cards and other tools for well over a decade for internal resources and for validating remote access.
Locking up iCloud
iCloud added 2FA in March 2013, and it has several pieces peculiar to Apple's ecosystem. You use the Apple ID site to enable and manage the two-step verification components (explained in Apple's FAQ). It requires at least one trusted device: something that can run Find My iPhone or receive an SMS, with at least one of the trusted devices being SMS capable. Apple provides a 14-character recovery key as a backup. You can regain access to an account after losing a password or all trusted-device access so long as you retain the recovery key. If you lose two of the three elements (password, all trusted devices, and recovery key), your account is locked forever.
Until recently, 2FA was only required for specific actions, mostly in iOS. iCloud.com only required your password, and iCloud backups could be retrieved and unlocked with forensics and cracking software without the use of the second factor. After the latest security debacle involving the release of private photos of famous people, part of which was made possible through brute-force attacks against iCloud passwords, Tim Cook said they'd batten down the hatches, and they now have.
It started with more alerts via email and system messages about account modifications, continued with 2FA being fully implemented for iCloud.com, and mostly completed last week by requiring an app-specific password for third-party apps and services that access iCloud for mail, contacts, and calendar items. (Google has offered app-specific passwords since it introduced 2FA in 2010 for business customers and its broader rollout to all users in early 2011.)
A new password for each app
App-specific passwords caused minor confusion. I didn't see a massive outcry about the switchover, because the sort of person to enable 2FA with Apple — since it remains voluntary — probably also read the email Apple sent and sorted out how to generate the necessary codes. But I read comments from some people who hadn't made the connection, and wondered why some software was failing to connect.
These sorts of passwords have nice properties and one huge drawback. Because they can't be chosen but only generated, Apple creates ones that are long and random, which makes them essentially impossible to crack through brute force with any currently known technique. The drawback is that they can't be recovered: once one is created and the Done button is pressed, Apple keeps no copy of the original and provides no way to retrieve it; only a one-way hashed form is retained, so if you lose the password you generate a new one and revoke the old.
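To make the lifecycle concrete, here is an added example (mine, not Apple's code, and not based on any published description of Apple's implementation) of how a service can issue app-specific passwords that are generated rather than chosen, stored only as a salted one-way hash, and revoked per app. The four-groups-of-four-lowercase-letters format and the PBKDF2-SHA256 hashing are assumptions chosen for illustration.

```python
"""Toy app-specific password store: generate, hash, verify, revoke.

Added example. The password format (4 groups of 4 lowercase letters) and the
PBKDF2 parameters are illustrative assumptions, not Apple's documented scheme.
"""
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_lowercase   # assumed character set
GROUPS, GROUP_LEN = 4, 4            # assumed layout: xxxx-xxxx-xxxx-xxxx
PBKDF2_ITERATIONS = 200_000         # assumed work factor for the stored hash


def generate_app_password() -> str:
    """Return a fresh, randomly generated password; the user never chooses it."""
    groups = [
        "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
        for _ in range(GROUPS)
    ]
    return "-".join(groups)


def password_entropy_bits() -> float:
    """Entropy of the generated format: 16 letters from 26 = about 75 bits."""
    return GROUPS * GROUP_LEN * math.log2(len(ALPHABET))


class AppPasswordStore:
    """Holds one salted hash per app label; the cleartext is never retained."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # label -> (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def create(self, label: str) -> str:
        """Generate a password for `label`, store only its hash, return it once."""
        password = generate_app_password()
        salt = secrets.token_bytes(16)
        self._records[label] = (salt, self._digest(password, salt))
        return password  # the only time the cleartext is available

    def verify(self, label: str, candidate: str) -> bool:
        """Check a presented password against the stored hash in constant time."""
        record = self._records.get(label)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._digest(candidate, salt), digest)

    def revoke(self, label: str) -> bool:
        """Remove one app's credential without touching the others."""
        return self._records.pop(label, None) is not None

    def labels(self) -> list[str]:
        """Which apps currently hold a credential (what a management page lists)."""
        return sorted(self._records)


if __name__ == "__main__":
    store = AppPasswordStore()
    mail_pw = store.create("Mail on laptop")
    print("show once:", mail_pw)
    print("entropy bits: %.1f" % password_entropy_bits())
    print("verify ok:", store.verify("Mail on laptop", mail_pw))
    print("revoked:", store.revoke("Mail on laptop"))
    print("verify after revoke:", store.verify("Mail on laptop", mail_pw))
```

The point the example makes is the one the article describes: because the service holds only `(salt, digest)`, there is nothing to hand back when a user asks "what was that password again?", and a leaked database exposes nothing directly usable. Per-label revocation is what makes app-specific passwords safer than reusing the account password: cutting off one misbehaving client does not disturb the others.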