Two-Factor Authentication for Apple ID

Two-Factor Authentication and One-Time Passwords

MacMAD Meeting Topic for June 20, 2017

Your Apple ID is your single set of credentials for everything from Apple, including:

  • Email
  • iCloud files, calendars, contacts, etc.
  • Photos
  • purchases on the iTunes store
  • buying hardware on the Apple Store

This is pretty important stuff, right? You don’t want your credentials to fall into the wrong hands!  Until recently, those credentials consisted of only your username and password, which seldom change. If a bad guy got hold of those, he’d have complete access to your Apple identity.

To help prevent that, Apple set up Two-Factor Authentication (2FA).  With 2FA, in addition to username and password, you must also give a verification code. Verification codes are sent to your phone or other trusted device. The verification code is different each time you log on.

Two-Factor Authentication is optional for users. However, you may now be forced to use it if you use certain apps — those which access your iCloud account.

Some apps require access to your files in iCloud, and therefore need your iCloud credentials to do so. This is fine, but you don’t want them to have the keys to your entire kingdom, do you? You don’t want a calendar app to order a new Macintosh, or delete your photos.

To control such apps, Apple now requires them to access iCloud using a one-time password. This lets them bypass 2FA, but only with a special password that is usable by that app alone, for limited purposes. Once you give a one-time password to an app, and it uses it, it can never be used again for any other purpose.

You do not need to store or remember one-time passwords. If for some reason you need to re-authorize an app, you can simply generate a new one-time password for it.  Dennis explains how to do all this in these slides from this month’s meeting:

Apple Two-Factor Authentication 2017


VPN – Virtual Private Network Meeting Topic

MacMAD’s October, 2016 Meeting topic is VPNs (Virtual Private Networks). Here are some accompanying links and information.

People generally use a VPN for these reasons:

  • Security and privacy when using a public network, such as at a coffee shop or hotel.
  • To allow access to online content which is subject to geographical restrictions.
  • To allow remote access to a private local network such as your home network or your employer’s network.
  • To provide privacy at home (prevent your ISP from knowing what you are up to).

VPN Features to Look For

  • Automatic connection and reconnection – prevents accidental leakage of unencrypted data
  • Choice of VPN endpoint – What country would you like to be in today?
  • Self Installation/Configuration – Avoids lots of technical settings

Client and Server

VPNs follow a client-server model. The client app usually runs on your computer or portable device. The server can be either a commercial VPN service or your own VPN server, run at home on your router (some models) or on another computer. There are many (hundreds of) commercial VPN providers. The following list is not at all complete.

Commercial VPN Providers

VPN Software

VPN Protocols

Your choice of protocol will probably be determined by what your server or provider supports.

  • PPTP – (Point-to-Point Tunneling Protocol) Old, do not use. No longer supported in macOS Sierra or iOS 10.
  • L2TP – (Layer 2 Tunneling Protocol) needs IPSec or similar to be secured.
  • IPSec – (Internet Protocol Security) A modern protocol.  Can work in conjunction with L2TP.
  • IKEv2 – (Internet Key Exchange version 2) A modern protocol.

Here’s the MacOS VPN Dialog in System Preferences

MacOS Network Preferences — adding a VPN interface

 

The iOS app OpenVPN

July 2016 Security & Backup Meeting Slides

We’re trying something a bit different this meeting. So you don’t have to take notes, we’re putting the presentation on-line. And we’re doing it the Apple Way – using iCloud. You should be able to view these links on Mac or iOS. They are Keynote documents.

Here are the slides for tonight’s meeting as a shared iCloud (Keynote) document.

And here are the slides from November 2015’s Security presentation.

After clicking one of these links, you will be able to view the slides in your web browser, or you can download and open a copy in Keynote. Here’s what that looks like in iOS:

iCloud Share

Wireless Emergency Alert System Flops Badly

If it hasn’t happened to you yet, it will soon. Your phone or someone’s near you will alarm loudly, and you will see an important-looking message.  This is the government-mandated Wireless Emergency Alert system in action.

This is an alert I received this morning on my Android phone:

Amber Alert

A system like this depends on user acceptance to function properly. So far, the main reaction of users has been “How do I turn this off”? Why?

There are several serious problems with this particular alert and the system in general. First of all, the alert on Android is presented as a one-time modal dialog box. You have to press OK before you can do anything else. Most people will do that within seconds. On my phone, at least, once OK is pressed, the alert is gone. You have no way to retrieve or review it. How many people will remember the license plate number even a minute later? The only way I could capture the alert dialog was to take a picture of it with another phone. I understand that on iOS, the alert remains visible in the notification center. Can anyone confirm that? Two points for Apple if so.

I have no confidence in a system where I cannot review past history. Alerts should remain reviewable for some time, even if they are cancelled. If they appeared on my phone once, I should be able to look at them again.

The second problem is that the alert does not say who sent it. My first question on seeing one of these for the first time was, what app generated this alert? I had installed some weather apps, maybe it was one of those. I was vaguely aware of the WEA system, but wasn’t sure if that was the source of the alert I was seeing. The question of who sent the alert also applies at the agency level. Did this come from the governor, the corner police station, who?

Problem number three, the alert doesn’t say what to do. What do I do if I see the missing pickup? The weather alert said to turn on the TV, I believe, which is a little more useful. I can’t check that though, because there is no way to recall past alerts.

The fourth problem is that there is no way to get more information. Any half-baked messaging app will let you click to see a photo or web page. How about some photos of the missing person, the vehicle and the suspect? How about a weather map of the tornado warning area? We get none of that.

Another, less serious, problem is that users are unfamiliar with these alerts. They have never seen them before. I would suggest that in the settings for WEA, there be a button for users to generate a demo alert, just on their own phone, so they can see what the alerts look and sound like.

Ask about these problems, and you will hear that there are technical limitations — the system only allows 90 characters of text. I must say, that’s a pretty bad design. What do you expect from a government design? It needs to be changed. Some high school students could make a better system than this in an afternoon.

WEA (Wireless Emergency Alert) Overview

WEA sends alerts through the cellular system. The alerts are sent only to phones and cell towers in the affected area. The system only operates on relatively new phones. On AT&T, the Apple models supported are the iPhone 4S, iPhone 5, 5C and 5S.

The switches to turn off Amber Alerts and Emergency Alerts in iOS are in Settings/Notifications/Government Alerts. There is still the “Presidential Alert” which cannot be disabled.

I haven’t been able to determine for sure whether WEA alerts are supported on any model of iPad or not. They are not happening on mine which does have cellular.

Links

WEA Overview from CTIA

A good blog post about problems with WEA


Mac and iOS Security Bug: GotoFail

Safari on both the Mac and iOS (iPhone and iPad) has a potentially serious security problem. This problem is especially worrisome for mobile devices that may be used on public WiFi. Apple has released updates for this problem, so go get them. You can test if your Safari browser is still vulnerable to this problem by visiting http://gotofail.com . If so, update your system.