“Are you sure you want to protect your data?”
In light of recent events, this evening I decided to enable iCloud two-step verification. I expected it would be easy, but I was very, very wrong.
For reasons that defy all logic, Apple makes it extraordinarily difficult to enable two-step verification—the single most effective measure iCloud users can take against getting hacked. Not only does Apple fail to encourage iCloud users to take the powerful precaution, but it actively discourages users from setting up two-step verification. It’s nothing short of shocking.
I expected setting up the safeguard on my iCloud account to be simple, especially for a relatively advanced user like myself.
I already use two-step verification with my Google accounts. Setting it up there is a breeze (and highly encouraged)—it’s a very simple process with plenty of friendly-looking support documentation to guide users on their brief journey. I use a Mac and an iPhone most of the time, but I had put off enabling two-step verification for my iCloud account. Today was the day.
Here’s what happened. I googled “iCloud two-step” to find the right link to begin with. Once I did, I clicked through no fewer than four different pages before I was met with the button that let me turn the security measure on. (Once, it inexplicably logged me out of iCloud and I had to answer my security questions over again.) Even then, the button sat next to a button of equal size inviting me to rethink my privacy-minded actions.
After telling Apple that, yes, I wanted to continue, I was met with the screen you see above. At first glance, I thought there was an error with my accounts. In Apple’s user interfaces, red exclamation marks usually mean that something is wrong. The psychological effect is akin to running into a virtual “Danger! Land Mines!” sign. I know that two-factor verification is a powerful way to protect my account, but it even had me thinking twice. Consumers don’t like anything that they can’t get fixed at the Genius Bar, so I can’t imagine many average users would continue with the process. It felt a little scary.
Still, I pressed on. Then I ran into this.
Apple wants me to wait three days to enable two-step verification… just in case someone wants to break into my iPhone and turn on a feature that will protect my iPhone? What? 36 hours is just enough time for me to absolutely not remember to scour my inbox for the notification email.
In theory, hackers could use this method to lock a legitimate user out of their account for good (assuming Apple really refuses to help at that point). But the more likely case is that they’d just tap into your unprotected account in a much more straightforward way, like by using a brute force attack—a technique that two-step verification renders useless.
Two-step verification is a form of multi-factor authentication that makes sure the person trying to get into an account (iCloud, in this case) is in fact the person who owns the associated device (my iPhone). The idea is that with two-step verification enabled, someone would not only need to figure out your password, but they’d need your device in hand too.
And just for comparison’s sake, this is the presentation and wording Google uses for its two-step verification process:
For cloud-syncing software that we use across multiple devices, this safeguard is the most robust around. Unfortunately, it only works if you can turn it on.
[Note: We reached out to Apple for an explanation of its two-step verification policies, but have yet to hear back.]
Photo via teezeh/Flickr (CC BY-SA 2.0)
Taylor Hatmaker has reported on the tech industry for nearly a decade, covering privacy and government. Most recently, she was the Debug editor of the Daily Dot. Prior to that, she was a staff writer and deputy editor at ReadWrite, a tech and business reporter for Yahoo News, and the senior editor of Tecca. Her editorial interests include censorship, digital activism, LGBTQ issues, and futurist consumer tech.