With iOS 9 Apple Gets Serious On Security
-
Despite Apple touting the system as two-factor authentication for iCloud, this is really a two-step verification method for Apple ID. There is no second factor -- such as a physical token or biometric identifier -- to authenticate users.
Is that right? I thought something you know (password) and something you have, and another preconfigured device or phone number (phone most likely device) would qualify as two factor.
-
If I were going to steal an Apple device, I would happily enter 10 incorrect passwords just to wipe the device.
Shrink wrap it, and sell it on Craigslist for a few hundred bucks. The best security addition that Apple added was the functionality to not wipe the iCloud account at a system reset, requiring the correct username / password to continue with the setup.
This combined with Find My iPhone and tools like Meraki make it very difficult for a device to actually walk away.
6 Digit pass-codes are only a minimalist approach to attempt securing their devices.
-
Exactly - if you really want to cut down on theft, you need to remove the thief's ability to get any value from the device after they steal it, both in the form of data on the device and reselling the device.
I didn't know they added that piece about locking the phone to a specific iCloud account regardless of data wipe - that's pretty cool, sounds basically like a type of LoJack.
-
@Dashrender said:
Despite Apple touting the system as two-factor authentication for iCloud, this is really a two-step verification method for Apple ID. There is no second factor -- such as a physical token or biometric identifier -- to authenticate users.
Is that right? I thought something you know (password) and something you have, and another preconfigured device or phone number (phone most likely device) would qualify as two factor.
Seems as much or more two factor as most of the two factor systems out there.
-
@DustinB3403 said:
6 Digit pass-codes are only a minimalist approach to attempt securing their devices.
It is better than 4 by a long shot, and the cries if they forced users to switch from the simple code to alphanumeric would be immense.
-
@JaredBusch said:
@DustinB3403 said:
6 Digit pass-codes are only a minimalist approach to attempt securing their devices.
It is better than 4 by a long shot, and the cries if they forced users to switch from the simple code to alphanumeric would be immense.
And there isn't any RDP type access to these devices where that access can be attempted remotely. That's a physical input device with a ten attempt limit. It's far more secure than the same thing on an SSH password, for example. I think that people are thinking of it in terms of different types of security.