twostepverification
Latest
Google improves two-step verification on phones
Last summer Google introduced phone prompts as a way of approving sign-in attempts protected by two-step verification. Instead of an email or text, users receive a simple pop-up alerting them to a new sign-in request. While useful, there wasn't much information on the card, save for the location and device being used. Now, Google is refreshing the feature, adding more details about the associated time, location and hardware. As Android Police notes, the wording has also been adjusted slightly in the prompts, from "no" to "no it's just me." It's a small change, but one that should help privacy-conscious users distinguish friend from foe.
Exploit (now offline) allowed bogus reset of Apple ID passwords (updated)
Apple's new two-step verification process has already been put to the test, thanks to a (now apparently offline) exploit that allows anyone with your email address and birthday to reset your Apple ID. The Verge confirmed the exploit after the site was made aware of a tutorial posted on a Chinese-language hacking site. The hack involves pasting a modified URL while answering the question about the account's date of birth info. The Verge did further exploration on the hack and found that accounts that were told they needed to wait three days to enable the two-step verification are also vulnerable to the exploit. The only way to change it for those in the waiting period is for people to change their birthdays in their Apple profile. Apple's password reset tool is in maintenance status right now, which means there's no way to use the exploit. Chances are it will remain offline until Apple gets this hole patched. Apple maintains its Product Security page, including a contact email, to allow users, researchers or media organizations to notify the company of emergent security issues and concerns. Update: Apple has confirmed the exploit to The Verge and says it is working on a fix.
