Are Critics Misunderstanding the Reason Apple is Recommending Two-Step Verification?

In the wake of the targeted attack that was perpetrated on the individual iCloud accounts of a number of female celebrities, an Apple Media Advisory recommended that "all users... always use a strong password and enable two-step verification."

This resulted in stern criticism for Apple from some writers and analysts. For example:

  • David Auerbach said in Slate, "Two-factor authentication {another name for two-step verification} wouldn't have worked anyway... because Apple doesn't enforce two-factor authentication for iCloud logons even if you have it turned on...."
  • Michael Rose said on TUAW, "It's pretty clear that Apple's doing its best to guard your wallet with this implementation -- anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate. Other than that, 2FA {2FA = two-factor authentication, another name for two-step verification} doesn't get involved in guarding your privacy as far as I can tell."

I think that articles such as these may be making a somewhat false assumption about why Apple is recommending two-step verification to its customers.

Although confirmation of some iCloud account changes through a two-step verification process arguably strengthens overall iCloud account security, the added security measure that Apple may most want customers to adopt is the replacement of security questions with verification codes sent to a user-selected, trusted device.

In "Frequently asked questions about two-step verification for Apple ID," Apple says:

Do I still need to remember any security questions?

With two-step verification, you don't need to create or remember any security questions. Your identity is verified exclusively using your password, verification codes sent to your trusted devices, and your Recovery Key.

After all, Caitlin Dewey in The Washington Post says, "The 'secret question,' writes security researcher Nik Cubrilovic, is the single most popular, most effective way for a hacker to gain access to your online accounts." (I agree that Nik Cubrilovic's Notes on Celebrity Data Theft, her source, is really good, as far as it goes.)

But the real question remains: did Apple recommend two-step verification to improve security with verification codes, or because enabling two-step verification altogether does away with the security questions in an iCloud user's profile?

Today's Wall Street Journal also reports that CEO Tim Cook has spoken out about the need to require two-step verification codes at more points in iCloud use and account management.