two-step verification
Latest
Google says default 2FA cut account breaches in half
Google says enabling two-factor authentication by default cut those users' account breaches in half.
Your Android phone's volume key can unlock your Google account
Google just made two-step verification a little easier for Android users. Android phones running 7.0+ Nougat or newer can be used as a physical security key to confirm a user's identity when logging into a Google account with the Chrome browser. When prompted, users will simply hold the volume button on their phone to verify their log-in attempt. This isn't the only option for two-step verification, but it will likely be faster and more convenient than, say, using a physical key fob.
Google users can sign into Firefox and Edge with a security key
Until now, you've had to use Chrome to sign into your Google account with a security key. You won't have to be quite so choosy going forward, though. Google has transitioned to using the new Web Authentication standard for hardware-based sign-ins, making your key useful in Firefox, Edge and other browsers that rely on the format. That could be particularly helpful if you want to check your Gmail on an unfamiliar PC and would rather not install Chrome or punch in a password.
Google streamlines two-step verification with security keys
Google just made it easier to lock down your account if you're a G Suite user. The internet giant is trotting out a series of updates for two-step verification, starting with the interface itself. You'll see new instructions text and images to walk you through the process of setting up a security key, and the flow for that process now changes depending on the browser you're using. You'll get an experience unique to Chrome or Safari, for instance.
Setting up two-step verification for Apple ID and iCloud security
Since you're probably moving to iOS 8 soon -- if not as soon as possible after it goes live -- you might want to start thinking about security as well. In particular, Apple has recently enabled two-step verification for iCloud. What's two-step authentication? As Apple describes it on this web page, "Two-step verification is an additional security feature for your Apple ID that's designed to prevent anyone from accessing or using your account, even if they know your password." Considering the recent issues involving nude celebrity photos that were pulled from iCloud, it's great to see that Apple added one more level of security. Basically, two-step verification requires you to verify your identity using one of your devices before you can sign into My Apple ID to manage your account, sign in to iCloud on a new device or at iCloud.com, make an iTunes, iBooks or App Store purchase from a new device, or get Apple ID related support from Apple. I recently set up two-step verification for my Apple ID, and the process isn't that difficult. To begin with, sign into My Apple ID using your Apple ID and password. Once you're in, go to the Password & Security tab on the left side of the My Apple ID page and click it. Under two-step verification, select Get Started, and then follow the simple onscreen instructions. Note that this doesn't all happen in one day. You'll actually have to wait a few days for an email to arrive: Now what will happen is that each and every time you log in to make changes to your account, make a purchase, or connect from a new device, you'll have to verify your identity from one of your devices. This requires you to receive a 4-digit random code on one of your trusted devices that must be entered in to verify that you're coming in from that trusted device. Just yesterday, Apple sent out an update email to two-step authentication users letting them know that the service also protects iCloud. The email, seen below, also includes information about the requirement for app-specific passwords starting on October 1, 2014. That's a big deal. If you use iCloud to store data from any third party apps and you're using two-step verification, remember that you will need to get an app-specific password in order to make it work starting on October 1, 2014.
Apple brings two-step verification for Apple ID to more countries
After discovering a huge security hole last year, Apple added an extra layer of protection for Apple ID and iCloud users in the form of two-step verification. Today it's making the important security feature available in more countries: Canada, France, Germany, Japan, Italy and Spain. With two-step verification, Apple sends a special code to a trusted device like your iPhone whenever someone attempts to make changes to your account or log in for the first time on a new device. Similar to what Google does with Gmail, the extra step prevents malicious changes happening without your knowledge. It's a simple thing to set up, and something that can save you from a whirlwind of pain should your Apple ID ever fall into the wrong hands. Those in the mentioned countries can register now on Apple's website.
Evernote two-step verification now available to all
Evernote's been rolling out two-step verification over the course of some months now, making the feature available to its Premium and Business users way back in late-May, a few months after having its database hacked. Now the company's ready to offer the added security up to the rest of us, making logging in even safer with the use of phone codes. You can implement two-step verification now by heading over to Evernote, and if you're a free user, you'll also need to install an authenticator app like Google Authenticator. In the meantime, more info can be had in the source link below.
Google's updated security roadmap details increased friction, reliance on hardware
A lot has changed in the security realm since 2008 -- remember Alicia Keys' recent attempt to convince us her Twitter account was hacked, when we all know she still uses an iPhone even as BlackBerry's Creative Director? Pranks aside, the consumer world alone has been overrun with mass data hackings -- everyone from Evernote to Microsoft to Sony to RSA has felt the wrath. To combat all of this, Google is revamping its five-year security plan, which calls for a complex authentication code replacing the conventional password in due time; in other words, Google is going to make it harder to access your accounts when initially setting up a device, but hopes you'll deal. Eric Sachs, group product manager for identity at Google, put it as such: "We will change sign-in to a once-per-device action and make it higher friction, not lower friction, for all users. We don't mind making it painful for users to sign into their device if they only have to do it once." The documents also suggest that two-step verification may soon become less of an option, and more of a mandate. Sachs straight-up confesses that Google didn't predict the current level of smartphone adoption back in 2008, but now realizes that utilizing mobile hardware and apps as friction points for logging in makes a lot more sense. A huge swath of Google users are already carrying around a product that could be used as a verification token, so the obvious solution is to make use of that. We're also told that learnings from Android will be carried over to Chrome, and further into the world of web apps. No specific ETAs are given, but trust us -- half a decade goes by quickly when you're having fun.
Exploit (now offline) allowed bogus reset of Apple ID passwords (updated)
Apple's new two-step verification process has already been put to the test, thanks to a (now apparently offline) exploit that allows anyone with your email address and birthday to reset your Apple ID. The Verge confirmed the exploit after the site was made aware of a tutorial posted on a Chinese-language hacking site. The hack involves pasting a modified URL while answering the question about the account's date of birth info. The Verge did further exploration on the hack and found that accounts that were told they needed to wait three days to enable the two-step verification are also vulnerable to the exploit. The only way to change it for those in the waiting period is for people to change their birthdays in their Apple profile. Apple's password reset tool is in maintenance status right now, which means there's no way to use the exploit. Chances are it will remain offline until Apple gets this hole patched. Apple maintains its Product Security page, including a contact email, to allow users, researchers or media organizations to notify the company of emergent security issues and concerns. Update: Apple has confirmed the exploit to The Verge and says it is working on a fix.
