As users start to update their Apple devices to iOS 11 and macOS High Sierra, they will notice what has been perceived as a requirement to start using two-factor authentication.
That’s not quite the case. A notification from Apple has caused some confusion about changes that will be introduced in the public beta versions of the respective operating systems when they are released this summer.
An email sent to public beta users informed them: “If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication.”
Implied in the message is that users who download the beta versions of the operating systems due out later this year will be forced to adopt two-factor authentication, a feature that requires a secondary login code along with the standard password to confirm the identity of the person trying to access the account.
Instead, it means that users who currently use the older two-step verification (2SV) technology will be upgraded to two-factor authentication. Those who never adopted 2SV won’t see their experience changed at all.
This change isn’t as big a deal as it may seem. Two-step verification has been available for Apple ID and iCloud accounts since 2013. The system is similar to that found on most web services, which will send a one-use login code via SMS text message to a device registered to the user logging into the account.
While 2SV is a typical form of additional security, it’s also vulnerable to exploits, including a man-in-the-middle attack where an actor intercepts the login code before it reaches the user. Such an attack was carried out to access bank accounts in Germany.
The two-factor authentication system that will replace the previous 2SV technique was first introduced in 2015 for users running OS X El Capitan or iOS 9 or later. Instead of sending a code via text message, the code is generated directly on a trusted device owned by the user trying to log in.
The approach mitigates the possibility that a text gets intercepted and ensures that the only way a user can log into a device is to be in possession of the secondary device and be able to log into that device to retrieve the code.
This adds its own layer of protection. For example, if an iPhone is used as the device that receives the code, a person must be able to unlock the iPhone using the Touch ID fingerprint sensor or login code.
Apple is essentially viewing the update to iOS 11 and macOS High Sierra as an opportunity to push users already using a two-step login to a more secure version of the system. But for those who have not adopted the suggested security measure, nothing will change.