On Monday, I dutifully installed iOS 8.1 to enable Apple Pay on my iPhone 6, intending to test it out later in the day. (Spoiler: I did not.) This also let me turn on Continuity, the suite of seamless connection features between iOS and Mac OS X devices signed into the same iCloud account. My mid-2011 MacBook isn't capable of Handoff and Instant Hotspot, but it can manage SMS forwarding and phone calls.
Later in the day, three seemingly unrelated events occurred. First, I logged into Twitter in a browser that wasn't currently authenticated, and because I have two-factor authentication (2FA) enabled, Twitter sent me a text message after I successfully entered the password — and it appeared on my Mac, as Apple advertised. Huh, I thought.
Second, I read a detailed account of the information that Yosemite sends Apple for Spotlight suggestions, which could provide enough detail to pinpoint an individual, and associate search terms and other factors with a user. Rrrrmmm.
Third, in the evening, The New York Times released a story about a man-in-the-middle attack in China against Chinese users to swipe login information from iCloud users following the release of the latest iPhones. Humphf.
Taken at face value, these are three unrelated issues: a reduction in security for SMS-based 2FA, a leak of private data, and an attempt to disrupt the integrity of a secure connection. I'm neither going to spin conspiracy theories nor misstate the severity of any of these things.
Rather, I want to highlight how we should always examine new paths of information, and not offer a knee-jerk dismissal of associated concerns. Because our digital identifiers are so easily spread, stolen, and misused, anything that changes where data is sent — or how it's interrupted — should be examined thoughtfully.
Take SMS forwarding. Most of the two-step/two-factor systems used in business require a hardware token, an authentication app, or specialized software to produce the second factor that validates a login. (See last week's column for more background on these two-part logins, and I'll be writing more in the future about them as well.)
Twitter is an exception with a footnote. When you enable its version of 2FA, "login verification," you can opt between having an SMS message sent with a code each time or using the Twitter app (in iOS or Android) to confirm your login. I've opted for SMS, because I prefer to not even have the Twitter app installed, and many people I know are in the same boat. (SMS can also be useful if you lose a phone or are restoring one, before you complete the loop to install and verify the login within the Twitter app!)