Apple's verification code: what it is and how safe it is. Updating verified phone numbers

Attackers lock Apple devices in order to extort money from their owners for unlocking them. All of this is possible because of user carelessness: people set simple passwords on their accounts and use shared accounts to get supposedly free applications.

Even if no Visa or MasterCard is tied to your account, that does not mean you have nothing to lose. With iOS 7 the Find My iPhone feature became available; it lets the user see on a map where an iOS device is and, if an iPhone or iPad is lost, lock it or erase all data from it. All of this is done through the web interface of the icloud.com service in an ordinary browser, where in a few clicks you can lock any device associated with your iCloud account. Unlocking the device afterwards is possible only by entering your password, and if the password has been forgotten, lost or changed by an intruder, only by sending a proof of purchase to Apple support. Otherwise your iPhone or iPad turns into a brick. Simply put, if you lose control of the mailbox to which your iPhone or Apple ID account is registered, the attacker will quietly change all the passwords there and lock the device. On your phone you will then see the following message:

And even if you pay the intruders, they will not send you anything.
  To protect your Apple ID account from theft, follow basic security rules. Do not use simple passwords like 123456 or qwerty. Passwords must be diluted with special characters, for example !№;%:?*()_+ and so on. Set answers to the security questions in your account.
  Also, Apple has recently made it possible to enable two-factor authentication. Two-step authentication is the most reliable way to protect your Apple ID from theft. To make any changes to your Apple ID account, you will need to enter a unique code sent to the mobile phone number attached to the account beforehand. Thus nobody can change the password or e-mail on your account without having your mobile phone.

So how do you enable two-factor authentication for an Apple ID?

First, sign in to Apple ID management at https://appleid.apple.com/

Then go to the Password and Security tab. If you have not previously set security questions, you will be taken straight to their setup; if you already have security questions set, answer them. Then, in the Two-Step Verification section, click Get Started.



  After reading the information at each stage, click Continue.


In the next step, add your mobile number.


After you add the phone number, a code will be sent to it; it should arrive within a minute.


Once you have confirmed your phone number, you move to the next step. Here you will see the Apple devices already registered to your ID. Confirm them; the devices must have the “Find My …” feature turned on and must be connected to the Internet.

The code will be displayed on the device screen.

Next comes your recovery key, which you should print and keep in a safe place, for example in the box the device came in. With this key you can recover your account if you lose your SIM card. In the next step, confirm that you received the code by entering it. Confirm that you have read the terms and conditions, and the setup is complete.

From now on, when signing in to Apple ID management or iCloud, you will need to enter the code that arrives on your device as an SMS or as a pop-up on iOS, as in the previous image.

Only the lazy don't crack passwords. The recent massive leak of Yahoo accounts only confirms that a password alone, whatever its length and complexity, is not enough for reliable protection. Two-factor authentication is what promises to give such protection by adding an extra layer of security.

In theory everything looks good, and in practice it generally works. Two-factor authentication really does complicate account hacking. It is no longer enough for an attacker to phish, steal or crack the primary password. To sign in to the account, a one-time code must also be entered, which... But how exactly this one-time code is obtained is the most interesting part.

You have come across two-factor authentication repeatedly, even if you have never heard the term. Ever entered a one-time code that was sent to you via SMS? That is it: a special case of two-factor authentication. Does it help? Honestly, not much: attackers have already learned how to bypass this type of protection.

Today we will look at all types of two-factor authentication used to protect Google accounts, Apple IDs and Microsoft accounts on Android, iOS and Windows 10 Mobile.

Apple

Two-factor authentication first appeared on Apple devices in 2013. In those days it was not easy to convince users of the need for additional protection, and Apple didn't even try: two-factor authentication (known as two-step verification) was used only to protect against direct financial damage. For example, a one-time code was required when making a purchase from a new device, changing the password, or contacting customer support on topics related to the Apple ID account.

It did not end well. In August 2014 there was a massive leak of celebrity photos: hackers gained access to the victims' accounts and downloaded photos from iCloud. A scandal broke out, as a result of which Apple hastily extended two-step verification to cover access to backups and photos in iCloud. At the same time, the company continued work on a new-generation two-factor authentication method.

Two-step verification

To deliver codes, two-step verification uses the Find My Phone mechanism, originally intended for delivering push notifications and lock commands in the event of phone loss or theft. The code is displayed on top of the lock screen, so if an attacker gets hold of a trusted device, they can read a one-time code and use it without even knowing the device passcode. Such a delivery mechanism is clearly a weak link.

The code can also be received as an SMS or a voice call to a registered phone number. This method is no safer. The SIM card can be removed from a well-protected iPhone, inserted into any other device, and the code received there. Finally, a SIM card can be cloned or obtained from the mobile operator with a forged power of attorney; this kind of fraud has by now become practically an epidemic.

If you have access to neither a trusted iPhone nor a trusted phone number, you need to use a special 14-digit key (which, by the way, it is recommended to print and keep in a safe place). If you lose it, the consequences are serious: access to the account can be closed forever.

How safe is it?

Honestly, not very. Two-step verification was implemented poorly and deservedly earned a reputation as the worst two-factor authentication system of the Big Three. If there is no other choice, two-step verification is still better than nothing. But there is a choice: with the release of iOS 9, Apple introduced a completely new protection system, given the artless name "two-factor authentication".

What are the weaknesses of this system? First, one-time codes delivered via the Find My Phone mechanism are displayed directly on the lock screen. Second, authentication based on phone numbers is not secure: SMS can be intercepted both at the operator level and by swapping or cloning a SIM card. Anyone with physical access to the SIM card can simply install it in another device and receive the code on perfectly legitimate grounds.

Also keep in mind that criminals have learned how to obtain replacement SIM cards for "lost" ones using forged powers of attorney. If your password has been stolen, finding out your phone number is a trivial matter. A power of attorney is forged, a new SIM card is obtained, and in fact nothing more is needed to access your account.

How to hack Apple authentication

This variant of two-factor authentication is fairly easy to defeat. There are several ways:

  • read the one-time code from a trusted device; it does not even need to be unlocked;
  • move the SIM card to another device and receive the SMS there;
  • clone the SIM card and receive the code on the clone;
  • use a binary authentication token copied from the user's computer.

How to protect

Protection by two-step verification is not serious. Do not use it at all; instead, enable true two-factor authentication.

Two-factor authentication

Apple's second attempt bears the official name "two-factor authentication". Instead of replacing the previous two-step verification scheme, the two systems exist in parallel (however, only one of the two can be used for a given account).

Two-factor authentication appeared as an integral part of iOS 9 and the macOS version released at the same time. The new method adds an extra check whenever you try to sign in to your Apple ID account from a new device: an interactive notification instantly arrives on all trusted devices (iPhone, iPad, iPod touch and computers running recent versions of macOS). To view the notification you need to unlock the device (with a passcode or the fingerprint sensor), and to receive a one-time code you have to tap the confirmation button in the dialog.

As in the previous method, the new scheme also allows a one-time password to be received as an SMS or a voice call to a trusted phone number. However, unlike two-step verification, push notifications are delivered to the user in any case, and the user can block an unauthorized sign-in attempt from any of their devices.



App-specific passwords are also supported. But Apple refused to make account recovery easy: if you lose your only iPhone along with the trusted SIM card (which for some reason you cannot restore), then to regain access to your account you will have to go through a real quest to confirm your identity (and no, a passport scan is not such a confirmation... and the original, as they say, "doesn't fly").

But the new protection system also found room for the convenient and familiar offline generation of one-time codes. It uses the completely standard TOTP (time-based one-time password) mechanism, which generates a six-digit one-time code every thirty seconds. The codes are tied to the exact time, and a trusted device itself acts as the generator (authenticator). The codes are retrieved from the depths of the iPhone or iPad system settings via Apple ID -> Password and Security.



We will not explain in detail what TOTP is and how it works, but it is still worth describing the main differences between the implementation of this method in iOS and the similar schemes on Android and Windows.

Unlike its major competitors, Apple lets you use your own devices as authenticators. Trusted iPhones, iPads or iPod touches running iOS 9 or 10 can play this role. Moreover, each device is initialized with its own unique secret, which makes it easy and safe to revoke trusted status from that device (and only that device) if it is lost. If a Google authenticator is compromised, by contrast, all initialized authenticators have to be revoked (and reinitialized), since Google chose to use a single secret for initialization.

How safe is it?

Compared with the previous implementation, the new scheme is considerably more secure. Thanks to support from the operating system, it is more consistent, logical and easy to use, which matters for attracting users. The one-time password delivery system has also been significantly reworked; the only remaining weak link is delivery to a trusted phone number, which the user is still required to verify.

Now, whenever someone tries to sign in to the account, the user instantly receives push notifications on all trusted devices and can reject the attempt. However, if the attacker acts quickly enough, they may still manage to gain access to the account.

How to crack two-factor authentication

As in the previous scheme, two-factor authentication can be defeated using an authentication token copied from the user's computer. The attack on the SIM card will also work, but an attempt to obtain the code via SMS will still trigger notifications on all the user's trusted devices, and the user may have time to reject the sign-in. The code can no longer be peeked at on the screen of a locked device: the device has to be unlocked and confirmation given in the dialog.



How to protect

There are not many vulnerabilities in the new system. If Apple dropped the mandatory addition of a trusted phone number (to activate two-factor authentication, at least one phone number must be verified), it could be called ideal. Alas, the need to verify a phone number adds a serious vulnerability. You can try to defend yourself in the same way as you protect the number to which one-time passwords from your bank are sent.


Two-factor authentication for Apple ID is a new security technology for the account that guarantees access only to its owner. Even if someone else knows the characters of the account password, they will still not be able to sign in in place of the legitimate ID holder.

How it works

This technology grants access to the account only from trusted devices: an iPhone, tablet or MacBook. When first signing in on a new gadget, you need to provide two types of data: the password and a 6-digit verification code. The code is automatically shown on these trusted devices. Once it is entered, the new gadget is counted as trusted. For example, if you have an iPhone, then when you first sign in to the account on a newly purchased MacBook, you will need to enter the password and the verification code that automatically pops up on the iPhone's display.

Since the password alone is not enough to access the account and other types of verification are used as well, the security of the ID increases significantly.

After signing in, the code will no longer be requested on this device until you sign out, erase all data on the gadget, or need to change the password (also for security reasons). If you sign in through a web browser, you can mark the browser as trusted, and the next time you work from the same device you will not need to enter the code.

Trusted gadgets: what are they?

Not every "apple" device qualifies: only iPhones, iPads and iPod touches with iOS 9 or newer, and MacBooks with OS X El Capitan or newer. On these gadgets you must already be signed in using two-factor authentication.

In short, it is a device that Apple knows for certain belongs to you, through which you can verify your identity by having a confirmation code displayed when signing in from another gadget or browser.

Verified phone numbers

These are the numbers that can be used to receive confirmation codes via text message or call. At least one number must be verified to gain access to two-factor authentication.

You can also verify other numbers, such as a home number or that of a friend or relative. When the main number is temporarily unavailable, these can be used instead.

Setup rules

If the device runs iOS 10.3 or later, the steps are as follows:

  • Go to Settings, then to the Password & Security item.
  • Tap Turn On Two-Factor Authentication.
  • Tap Continue.

If the gadget runs iOS 10.2 or earlier, the steps are as follows:

  • Go to the iCloud settings.
  • Select your Apple ID and go to the Password & Security section.
  • Tap Turn On Two-Factor Authentication.
  • Tap Continue.




How to disable two-factor authentication in Apple ID?

Many wonder whether this technology can be turned off. Of course it can. But remember that after turning it off, the account will be weakly protected: only by the password and security questions.

To turn it off, go to the Edit item on your account page (in the Security section). Then click the section for turning off two-factor authentication. After setting new security questions and confirming your date of birth, the technology is deactivated.

If someone re-enables it for the ID without the rightful owner's knowledge, you can turn it off by e-mail. As before, click the authentication shutdown link at the very bottom of the message that arrived by e-mail earlier. The link remains active for another two weeks. Following it restores the previous ID security settings and control over your account.

Apple recently suggested that users enable two-factor authentication for the Apple ID accounts they use, for example, for app purchases in the App Store. We offer detailed instructions on how to do this.

Two-step authentication is needed to increase the security of your Apple account. When this function is activated, in addition to the main password, additional confirmation of access will be requested via SMS or push notification. This will be required for the following actions:

  • signing in to the account management site;
  • purchases in iTunes, the App Store or the iBookstore from a new device;
  • getting support from Apple on matters related to Apple ID.

In theory it sounds confusing. To activate two-factor authentication, you bind one or more iOS devices to your account; they will receive the messages with codes. When you try to sign in to the Apple ID site or make a first purchase from the App Store, a push notification or SMS with a code arrives on the attached device, and you enter that code in iTunes or on the Apple site.

With two-factor authentication we can protect ourselves from those who steal or guess the password to our Apple ID. Having full access to the account, an attacker can, among other things:

  • gain access to the backups of your devices stored in iCloud (along with messages, notes, etc.);
  • use your bank card to buy a couple of very expensive apps on the App Store;
  • write on your behalf using your iMessage account;

Secure yourself with a 24-character password and a titanium door,
  Ilya Chekalsky,
  Tjournal