Apple has strengthened security for its text and video messaging applications by adding two-factor authentication (2FA), but security experts say more could be done to protect users.
The ability to use 2FA was added to Apple’s iTunes and iCloud accounts in March 2013, but Apple has extended the security functionality to iMessage and FaceTime only now.
Requiring users of iMessage and FaceTime on iPhone, iPad and Mac computers to enter a security code after the usual username and password makes it more difficult for hackers to take over accounts.
The added protection means that even if a hacker is able to steal a valid username and password, they will not be able to access user accounts without an SMS text code or emergency recovery code.
This will prevent hackers from taking over accounts to send messages to contacts to get them to share personal information.
Apple advises users not to store the recovery code on a mobile device or computer because that could give an unauthorised user a way to access Apple accounts.
While welcoming the move, Rik Ferguson, vice president of security research at Trend Micro told The Guardian that more should be done to secure user accounts.
He points out that Apple’s two-step authentication is not the same as fully-fledged 2FA, which typically requires a physical second factor like a token, card or biometric.
Ferguson said two-step authentication used by Apple, Google and Facebook is simply two things the user knows, but does not require them to have anything physical to authenticate themselves.
Two-step authentication methods that do not have a physical element are much more easily subverted because they rely on SMS text messages that could be diverted by attackers.
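To make the distinction concrete, the following is an added example (it is not code from the article or from Apple) of a two-step login of the kind described above: step one is the password, step two is a one-time code delivered out of band or a single-use emergency recovery code. The account class, the in-memory "inbox" standing in for the user's phone and the scenario names are all constructed for illustration. It shows why a stolen username and password alone do not get an attacker in, and why both the delivered code and the recovery codes must be single use.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, Optional


class TwoStepAccount:
    """Hypothetical account record for a two-step login (constructed example,
    not Apple's implementation). Step one is the password; step two is a
    one-time code sent out of band (modelled here as an SMS) or one of the
    pre-issued emergency recovery codes. Every secret is stored only as a hash."""

    def __init__(self, password: str, n_recovery: int = 3):
        self._salt = os.urandom(16)
        self._pw_hash = self._kdf(password, self._salt)
        # Recovery codes are shown to the user once and kept only as hashes;
        # a hash is deleted the moment its code is used.
        self.recovery_codes = [secrets.token_hex(8) for _ in range(n_recovery)]
        self._recovery_hashes = {self._sha(c) for c in self.recovery_codes}
        self._pending: Optional[bytes] = None  # hash of the outstanding SMS code

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _sha(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, self._kdf(password, self._salt))

    def issue_code(self, transport: Callable[[str], None]) -> None:
        """Generate a fresh 6-digit code, remember only its hash and hand the
        plaintext to the delivery channel (an SMS gateway in practice)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = self._sha(code)
        transport(code)

    def check_second_step(self, code: str) -> bool:
        """Accept the outstanding SMS code or an unused recovery code, once each."""
        digest = self._sha(code)
        if self._pending is not None and hmac.compare_digest(self._pending, digest):
            self._pending = None  # single use: a replayed code fails
            return True
        if digest in self._recovery_hashes:
            self._recovery_hashes.discard(digest)  # recovery codes are single use too
            return True
        return False


def begin_login(account: TwoStepAccount, password: str,
                transport: Callable[[str], None]) -> bool:
    """Step one. A wrong password issues no code, so there is nothing to guess."""
    if not account.check_password(password):
        return False
    account.issue_code(transport)
    return True


def complete_login(account: TwoStepAccount, code: Optional[str]) -> bool:
    """Step two. A stolen password alone cannot get past this point."""
    return code is not None and account.check_second_step(code)


def run_scenarios() -> Dict[str, bool]:
    """Drive the flow through the cases the article describes."""
    inbox = []  # constructed stand-in for the user's phone
    secret = "correct horse battery staple"
    acct = TwoStepAccount(secret)
    results = {}

    # Legitimate user: password, then the code that arrived on the phone.
    assert begin_login(acct, secret, inbox.append)
    results["user_with_sms_code"] = complete_login(acct, inbox[-1])
    results["replayed_sms_code"] = complete_login(acct, inbox[-1])

    # Attacker holding a stolen password but not the phone: the code goes to
    # the real user's inbox, and neither "no code" nor a guess is accepted.
    assert begin_login(acct, secret, inbox.append)
    results["stolen_password_only"] = complete_login(acct, None)
    results["stolen_password_wrong_code"] = complete_login(acct, "not-the-code")

    # Emergency recovery code works exactly once.
    results["recovery_code"] = complete_login(acct, acct.recovery_codes[0])
    results["reused_recovery_code"] = complete_login(acct, acct.recovery_codes[0])

    # Wrong password: no code is even sent.
    before = len(inbox)
    results["wrong_password"] = begin_login(acct, "wrong", inbox.append)
    results["no_code_sent_on_wrong_password"] = len(inbox) == before
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {ok}")
```

The two design points worth noting are that the server stores only hashes of the password, the outstanding code and the recovery codes, and that every second-step value is consumed on first use. The weakness Ferguson describes is not in this logic but in the channel: `issue_code` hands the plaintext code to whatever transport delivers it, and if that transport is SMS the code can be diverted before the user sees it, whereas a physical token never leaves the user's hand.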
To enable the extra security, iMessage and FaceTime users need to go to My Apple ID, select “Manage your Apple ID” and sign in.
Next, select “Password and Security” and under “Two-Step Authentication” select “Get Started” and follow the instructions.
At a recent security conference in London, Global Identity Foundation chief executive Paul Simmonds criticised the technology security industry for failing to provide a universally acceptable method of authentication.
“We do not architect for de-perimeterisation, we have an obsession with control, we lack an identity that can be used across all entities,” he said.
For example, Simmonds said FaceTime, Google Voice and Skype can be used securely only within a company using something like Silent Circle encryption services, but there is no interoperability outside that private locus of control.
The Global Identity Foundation believes that, by taking a different approach to identity in which only authoritative sources can assert attributes, it will be possible to create a global identity system that is truly privacy enhancing and that scales globally.
The organisation also hopes the system can support all entities in a single identity eco-system that is globally accepted by all parties who need to rely on a digital identity with a known level of trust.