Beware two-factor authentication using SMS forwarding
The Continuity features, and SMS Relay in particular, are my favorite part of Yosemite so far. Using my iMac as a giant speakerphone is beyond awesome, and group texts in Messages can finally include the one BlackBerry-toting holdout among my friends. (You're invited, too, Mike.) But in certain situations, SMS Relay can have unintended security consequences.
When logging in to Google on my MacBook Air the other day, I got a text message on my iPhone, like I always do, with a code to confirm my identity through two-step verification. Only this time it showed up on my MacBook as well thanks to SMS Relay's text message forwarding. It was actually convenient; I was able to mindlessly copy and paste the code into my browser, but it got me thinking: What happens if someone makes off with my computer and also gets hold of my password? Over at Macworld, Glenn Fleishman mulled over the same situation.
However unlikely that scenario (most password theft happens out in the electronic ether, away from personal devices), it's still a possibility. Fortunately, there are ways around this. The securest form of two-factor verification uses two devices, and you can ensure that by having Google or whoever is trying to confirm your identity do so by a phone call. That way there's no chance of the text falling into the wrong hands. (While someone could answer that call to your iPhone with your Yosemite Mac, the phone would have to be within Bluetooth range, in which case you likely are as well.)
Although this is a concern for Mac users because of Yosemite's new features, the problem is nothing new. Anyone using a Google Voice number for two-step verification who also has text-to-email turned on could be at risk as well. In fact, that would only require one stolen Google password and no devices, so you might want to rethink that setup as well, even if you're not an iPhone user.
The moral of the story is that if you're serious about two-factor verification, and you should be, consider how your second factor is being delivered and to what device. And yes, I realize this creates one more opportunity for BlackBerry Mike to bring up his phone's security features. At least he's getting invited to more parties now.
