How to protect your Apple ID account against hackers

Keep password pinchers out of your Apple account with two-step verification.

Protect your Apple ID with two-step verification

Passwords are ubiquitous in the information age. We use them every day to sign into our web accounts and devices. As such, passwords help secure our digital lives.

Well... sort of.

Notwithstanding their widespread use, passwords are inherently insecure because they are only information. They are not tied to any physical object. Attackers can therefore steal a password from a vulnerable database (or from the Post-It note on your desktop), or they can purchase a tool that allows them to brute force their way into your account.

It is in response to the shortcomings of password security that we have discussed in recent articles how to add an extra layer of protection to your web accounts.

After covering the difference between two-factor authentication (2FA) and two-step verification (2SV), we explored how to protect a Google account with 2SV, including via the use of the Google Authenticator app.

We then moved on to protecting Twitter and Facebook accounts with two-step verification.

Apple idFor argument's sake, let's say you access your online accounts from a MacBook Pro or an iPhone. Those devices require an Apple ID to use iTunes and other features, to install updates, and to unlock the screen, if you so choose. That single set of credentials is central to a user's experience across all Apple devices.

I think, therefore, that your Apple ID deserves an added layer of protection. Don't you?

In this guide, I will show you how you can protect your Apple ID against brute force attacks.

1. Use a web browser to sign into your Apple ID.

On your Apple ID homepage, you will see some basic information about your account, including your email and birthday. You will also see a "Security" section that allows you to change your password, change your security questions, add a rescue email, and activate "Two-Step Verification." Click on the hyperlinked text "Get Started" beneath that lattermost feature.

Apple ID setting

2. Apple will prompt you to answer two of your three security questions. Submit the proper answers and click "Continue."

3. A dialog box explaining how two-step verification works and how it changes your Apple experience will pop up. Click on the "Continue" button.

Apple 2SV

4. Another dialog box will appear and prompt you to enter in your mobile number. Do so and press "Continue."

Apple id 3

5. Apple will send a verification code via SMS to your mobile device. Enter the code into the web browser and click "Verify."

Apple id 4

6. Once you have verified your mobile number, Apple will ask you if you would like to enable verification codes on any device with which you have enabled Find My iPhone, iPod, or iPad. If you would like to activate two-step verification on any of those devices, select the desired devices and go through the setup process. Otherwise click "Continue."

7. Apple will present you with a recovery key that you can use to access your account in the event you lose your device or you temporarily cannot receive codes to your device. Make sure you write down or print that code and store it somewhere safe before clicking "Continue."

Apple id 5

8. Enter in your recovery key and click "Confirm."

9. To complete the process, Apple will alert you to several conditions of enabling two-step verification on your account. These include what you will need in the future to unlock your account.

When you have finished reading over the conditions, check the box next to the text that reads, "I understand the conditions" and click "Enable Two-Step Verification."

Apple id 6

10. And just like that, you're done!

Apple ID two-step verification enabled

On your Apple ID homepage, you will now see under the "Security" section that Two-Step Verification is labeled "On." You will also see trusted numbers/devices clearly displayed.

Whenever you attempt to sign into your account from now on, you'll now come across a screen similar to this one.

Apple id verify

Click on a trusted device on which you would like to receive a verification code. This will lead you to a new screen.

Apple id verify 2

In the meantime, you should have received a verification code on the device you selected. Enter that code into your web browser. Apple will automatically verify the code (if correct) and will direct you to your Apple ID account home page. From there, you can enjoy all the benefits your Apple ID affords.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

4 Responses

  1. Barbara

    April 22, 2016 at 12:19 pm #

    For me, the problem with two-step verification is the addition of a mobile number. I realise there may not be many in my situation, but I do not possess a mobile phone – where I live there is no signal! So what do I do?

  2. EyeR

    April 22, 2016 at 6:05 pm #

    One thing you missed when detailing inherent risks with passwords was social engineering. For example when someone rings up apple and they give them the information required. For example Matt Honan.

    In this case the target would just be the recovery key.

    Tying to a physical device it's possible to take from your posession isn't entirely wise. Something readily spoofable isn't too clever either.

    Each device should be independant of access and authentication so compromise of any single device doesn't lead to compromise of all devices. Case in point, Matt Honan. When (cr)apple gave his auth dets to a random third party the first thing they did is wipe his devices and backups – shining example of trust – to keep him distracted and impotent worring about his wifes tablet and all the photo's of the kids whilst the attacker leveraged the fact this apple ID counts as auth on 2FA and then breached non-related systems that had no rights being linked in the slightest.

    What are the "benefits" of having an apple ID in the first place again?

    That's another set of auth details held by a third party with previous history of dishing it out to randoms?

    There's still no true measure of control held by the individual?

    It pretends to promote upstream flexability in order to encourage dependance on a system that tracks what what it is used to log into, when, and why?

  3. Bob

    April 22, 2016 at 6:58 pm #

    There's a massive problem with Apple's two-step verification and one I'm surprised wasn't covered in the article. Hidden away in Apple's documentation, which most people don't bother to read, is this:

    'If you've permanently lost any two of these items (your Apple ID password, access to one of your trusted devices or your Recovery Key) you can't sign in or regain access to your account. You'll need to create a new Apple ID.'

    Put another way: imagine you forget your password and you can't find your recovery key (or trusted device) then you can kiss your Apple account goodbye – permanently! That's right, you lose your whole Apple ID, everything on iCloud, all your purchases and much more.

    Activating Apple 2SV can cause you a major headache because it can constantly prompt you to access your trusted device/enter your recovery key. Even more seriously hackers (or anybody with very little knowledge) can remotely lock your account!

    "The fact that an attacked account is locked means that a malicious party could even weaponize that behavior into you losing your account access forever if you don’t know where you stashed your Recovery Key. "

    http://www.macworld.com/article/2858347/without-your-recovery-key-your-apple-id-could-be-lost-forever.html

    THINK VERY CAREFULLY before activating Apple's 2SV; it's not like other companies 2SV.

  4. Alexa

    April 30, 2016 at 7:24 pm #

    Careful with http://applesms.co.uk … a new phishing scheme. It's an attempt to hack into your Apple ID to obtain personal information including credit card payment details.

    I have reported it to Apple and spoken to an Apple Care advisor.

    change your password immediately on http://appleid.apple.com.

    Hope this helps.

Leave a Reply