Apple has now enabled two-step verification for FaceTime and iMessage, making it harder for hackers to compromise accounts if they've learned a user's password.
Apple chief Tim Cook promised to ‘ratchet up’ the company’s user authentication tools after hackers last year pinched nude pics from several celebrities’ compromised iCloud accounts.
The key promises were email alerts when someone attempts to log in from an unknown computer and broader application of Apple's two-step verification, which provides additional protection in the event a hacker learns a person's username and password.
Apple services that already had the option to enable two-step verification include iCloud for sign-in, and for purchases through iTunes, iBooks, or the App Store. Apple’s system sends a four-digit code to a verified SMS number when a user attempts to sign in from a new device or if they’ve logged out and want to log back in. The other way of receiving the security codes is via the Find My iPhone app.
Despite Cook’s promise to offer the additional authentication, security researcher Dani Grant discovered in January that Apple had not yet offered its two-step system for logging in to iMessage, iTunes, FaceTime, the App Store and apple.com.
Apple has now addressed the lack of two-step verification for two of the five services called out by the researcher. As the Guardian today reported, Apple has enabled two-factor authentication for FaceTime and iMessage.
Users who’ve enabled the additional authentication step for iCloud will find that it’s already activated for iMessage and FaceTime, according to 9to5 Mac.
Apple enabled two-factor for Apple ID and iCloud in 2013, but following the celebrity hacks last year, Ars Technica discovered Apple’s implementation left iCloud device backups and Find My iPhone exposed. Apple fixed that issue shortly after the nude pic hacks.
Apple recommends that users who set up two-step authentication verify multiple SMS-capable numbers for the service, and encourages users to consider verifying a number used by a spouse or other family member in the event the user doesn’t have access to the device with their verified number.