Apple ups iCloud security following celebrity hack, adding alerts and boosting two-factor authentication

Apple is to start notifying users when someone tries to restore iCloud data to a new device, in the wake of last week’s big celebrity nude selfie hack — and it’s also going to start using two-factor authentication as a security measure for accessing iCloud accounts from its mobile devices.

Apple CEO Tim Cook told the Wall Street Journal late Thursday that the company would start sending out email and push notifications for iCloud data restoration in a couple weeks’ time, and reiterated an earlier statement asserting that the hackers had correctly guessed security questions in order to change the victims’ passwords, or used standard phishing techniques to fool the targets into giving up their Apple IDs and passwords.

Email and push notifications will also alert users when someone tries to change the account password or log into the account from a new device – these activities already triggered email notifications before.

Security experts had suggested that Apple should introduce two-factor authentication for iCloud access. (They also said Apple should make it harder for people to ascertain whether a certain email address is associated with an Apple account, though there’s nothing in the WSJ piece about that.)

In Apple’s two-factor authentication system, which already protects Apple ID management and iTunes and App Store purchases when users turn it on, users have to log in with two of the following three things: a password, a short one-time code or the long key they were given at signup.

Cook said the upcoming iOS 8 operating system refresh would do more to urge people to use two-factor authentication – he said most customers don’t use it currently – and would also allow them to use it to keep others out of their iCloud accounts.

He also suggested that user awareness, rather than engineering, was ultimately the solution to user security – basically, people should have better passwords. This is true, but good passwords are hard to remember and not particularly easy to enter on a mobile device. I think Apple and the wider industry need to move to smarter security techniques, though of course everyone’s working on this problem.

To be frank, I’m a little shocked that Apple didn’t previously have notifications for when iCloud data is being downloaded to a new device or use two-factor authentication for iCloud, given the amount of sensitive information that gets sucked up into these accounts.

And, given that this stuff has been going on for a long time, with ordinary people as well as celebrities being affected by having data stolen, it’s unfortunate, to say the least, that Apple is only springing to action to this degree when a very high-profile case hits just before a major iPhone launch.