Enabling Two-Factor Authentication (2FA) for Apple ID and DropBox

In light of the recent compromises, you’re probably wondering what could have been done to prevent such attacks. According to some unverified articles it would appear that flaws in Apple’s services allowed an attacker to brute force passwords without any rate limiting or account lockout. While its not publicly known if the attacks were accomplished via brute force password guessing, there has been a lot of talk about enabling Two-Factor Authentication (2FA) across services that offer it. The two most popular services being discussed are iCloud and DropBox. While setting up 2FA on these services is not as easy as it should be, this guide will step you through enabling 2FA on Google, Apple ID and DropBox accounts. It’s a free way of adding an extra layer of security on top of these services which handle potentially sensitive information.

What is Two-Factor Authentication?

Username and password authentication uses a single factor to verify identity: something the user knows. Two-Factor authentication adds an extra layer of security on top of a username and password. Normally, the second factor is something only the real user has. This is typically a temporary passcode generated by a piece of hardware such as an RSA token, a passcode sent as an SMS to the user’s cell phone, or a mobile application that accomplishes the same function.

With two-factor authentication, stealing a username and password won’t be enough to log in — the second factor is also required. This multi-factor authentication means an attacker will be required to compromise a user above and beyond password guessing or stealing a credentials database. An attacker would have to gain access to the source of the extra, unique and usually temporary information that makes up the 2FA.

Most services provide 2FA tokens through multiple means (SMS, mobile application or separate hardware token), however setting up 2FA on these services can sometimes be tricky. 2FA is still not enabled by default and users are not forced to use it.


An explanatory video from Google about their version of 2FA (you should use this too)

Use a unique password for all of your accounts on top of 2FA. Attackers may have access to lists of passwords and usernames from other websites that have been compromised. These lists may contain your username and password as well. With 2FA enabled, they’ll be missing that last piece of the puzzle for account authentication.

Apple ID

Apple allows you to setup both an SMS and Mobile Push 2FA. Mobile Push means the 2FA code will be delivered to your phone using Apple’s Push messaging system.

While Apple has implemented 2FA for some services it has not been rolled out completely, most notably iCloud. Apple has been seen testing 2FA on iCloud but has not launched support yet. Once Apple rolls out 2FA support for iCloud you’ll most likely be prompted for the 2FA code automatically. There should be no enrollment process for iCloud separate from the rest of the Apple 2FA enrollment process below.

For the purposes of this tutorial, we’ll be setting up SMS only, as that will be the most compatible and cover 2FA setup process for all phones, not just iPhones.

1. Sign into your Apple ID at https://appleid.apple.com and click “Password and Security” from the menu on the right:

1_edit

You will be asked to answer your personal security questions to proceed.

2. At the very top you’ll see a paragraph explaining Two-Step Verification. Click “Get Started” to enroll.

2_edit

3. Apple will ask you to read a few notices before you begin Step 1 of the enrollment process. Read each screen and click continue until you get to the first step. Each screen is shown below:

3_edit

4_edit

5_edit

4. Apple will now ask you to provide your mobile phone number. This will be used to send you a Two-Factor Authentication token as an SMS to verify the phone number you entered is yours and in your physical possession.

6_edit

7_edit

After entering your cell phone number, an SMS will arrive with a 4 digit code.

9_edit

The Apple website will ask you to enter this code.

8_edit

Once you’ve entered it your phone number will be “verified”.

10_edit

Press “Continue” to proceed.

5. Apple will now provide you with a “Recovery Key” in case you lose possession of your phone or phone number. This is a secret code that will allow you to recover your account in the event something goes wrong with your Two-Factor Authentication procedure. It is very important you keep this code secure and private! With this code, an attacker may be able to compromise your account. Don’t store this code electronically on your computer. Print it and put it in a safe place.

Without it, you could become locked out of your Apple account without any recourse.

11_edit

6. Apple will now ask you to re-enter your “Recovery Key”. This ensures that you have copied it down and it is now your responsibility to store it securely.

12_edit

7. You’re almost there! Read the conditions presented to you and click the “I understand the conditions above.” checkbox.

Then take a deep breath and click “Enable two-step Verification”

13_edit

Congratulations! You’ve now enabled Two-Factor Authentication on your Apple ID account. Logout and log back in to try it out.

14_edit

DropBox

DropBox allows you to setup 2FA using SMS or a mobile application. For the purposes of this guide we’ll step through setting up 2FA using SMS only to be compatible with the most configurations of mobile phones.

1. Login to your DropBox account and click your name in the top righthand corner of the screen. Select “Settings” from the drop down menu.

1_edit

2. Click the “Security” tab in the top left hand portion of the page.

02_edit

3. Under “Two-Step verification” click “Enable”

03_edit

4. DropBox will display some information about their two-step verification process. Click “Get Started” to continue.

04_edit

5. DropBox will ask you to enter your password to continue the two-step verification process.

05_edit

6. For the purposes of this tutorial we’ll select the “Use text messages” option. This will send 2FA codes to your phone as an SMS.

06_edit

7. DropBox will ask for your mobile phone number.

08_edit

After your click “Next” an SMS will be sent to your phone with a “security code”.

2facode

DropBox will ask for the code and verify your phone number.

09_edit

8. DropBox will ask if you wish to provide a backup mobile phone number. This is an optional step, if you choose to provide a backup number you will be required to repeat the process above for enrolling another mobile phone number.

10_edit

9. Similar to Apple ID, DropBox will provide you with a “recovery key” or as they call it an “emergency backup code” to disable two-step verification in the event you lose possession of your phone or lose control of your mobile phone number.

Write it down and keep it safe, DropBox does not ask you to re-enter this code so make sure you keep a copy of it somewhere.

10_new_edit

10. Finally, click “Enable two-step verification” and you’re finished!

Other Services

Many services other than Google, Apple and DropBox provide some form of 2FA. You may have to search around your account settings to locate the option to enroll. Not all services allow 2FA over SMS and may require the use of a mobile phone app such as Duo, Authy or another 2FA software vendor. Use twofactorauth.org to discover which services you use support 2FA:

twofactorauth.org keeps track of which services support 2FA

twofactorauth.org keeps track of which services support 2FA

Conclusion

Unfortunately, on today’s Internet you are responsible for your own security, even if you use web services from respectable Internet companies. Two-factor authentication significantly increases the security of your accounts by making stolen passwords harder to abuse. Enabling two-factor authentication is not without extra responsibility. You must be sure to setup 2FA on devices you control and protect any “recovery keys” in case you lose control of your device or mobile phone number. 2FA is not foolproof, but using it where you can will put you a head above the rest.

Update – Sep 16th, 2014

Apple has finally enabled two-factor authentication on iCloud.com. It now asks you to verify yourself via the 2FA method you signed up for using the above instructions.

2fa_icloud

Testing this with Elcomsoft’s iCloud forensics tool shows that 2FA is preventing the tool from logging in successfully even with a valid password.

elcom_failElcomsoft may update the tool to support 2FA tokens, however it would still require an attacker to obtain access to the device or method in which you receive your 2FA tokens and utilize them before they expire. This is still much better than simply requiring just your username and password. It is raising the bar for the attacker to compromise your account.

Trackbacks

  1. […] is not a blog post about 2-factor authentication or proper implementation of authentication channels or how Apple should be more open in their […]

  2. […] to use strong passwords, and to enable two-step verification. You can also check out this helpful post by Nick DePetrillo for a step-by-step guide on how to set up two-factor authentication for iCloud […]

  3. […] he will reassure users that two-step verification will roll out to include iCloud. Until then, enable two-factor authentication for your Apple ID and possibly turn off iCloud so your selfies aren’t stored there and […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 3,758 other followers

%d bloggers like this: