Nestled in the middle of iOS 9 announcements were two security-related bumps: Apple now suggests you sete a six-digit passcode instead of a four-digit one; and two-factor authentication becomes a built-in part of iOS (and OS X) rather than an afterthought.
Orders of magnitude harder
The first change is easier to explain. It's up to 100 times harder to crack a truly random six-digit code (that is, not a pattern like "111111" or "123456") than the same four-digit code. While brute forcing 10,000 codes into an iOS device seems unlikely, a set of researchers recently exploited a power-off issue in iOS devices to create an automated four-digit cracking system. Breaking the code takes from 6 seconds to 17 hours, they say.
The new passcode prompt is for six characters. For newer iOS devices with Touch ID, the majority of what Apple now sells, one has to enter a passcode only occasionally if fingerprint recognition is enabled. Apple does let people backslide. Tap Passcode Options, and you can pick the older 4-Digit Numeric Code. Most people never tap for options, however.
If the same cracking routine could work with a new version of iOS, then the upper bound of cracking would be from 6 seconds to...nearly seven months.
Factor that into your experience
Apple added two-step verification to some kinds of accounts in March 2013, and extended it to additional services, including iCloud over the next 18 months. Right now, Apple relies on notifications and the Find My iPhone conduit for providing users a four-digit token to enter to confirm they're legitimate. And two steps aren't required everywhere. I can log into my developer account still with just my Apple ID and no second check of identity.
Apple clearly aims to step up its game by integrating as a function of iOS 9 and OS X 10.11 El Capitan, though full details are yet to emerge. Apple confirmed that El Capitan will also feature integrated two-factor support. (Note that Apple said "two-factor" not "two-step"; that might be a tiny bit significant.)
In the new system, it looks like more sophisticated options will be used. In a screen capture on the iOS 9 preview page, a user is prompted on an iPad to tap Don't Allow or Allow when an Apple ID login is being attempted from another device. The inset modal dialog box not only tells the user the requesting device name and account, but also the device's location on a map.
Making it more straightforward, graphical, and informative could prompt more people to adopt it than the current method. A similar improvement was made a few releases ago in OS X and iOS in pairing Bluetooth devices. Rather than enter a code displayed on one member of the pair on the other, a user needed to just confirm both codes were the same.
Sign up for CIO Asia eNewsletters.