Two-Factor Authentication, Two-Step Verification, and 1Password

Originally published at: Two-Factor Authentication, Two-Step Verification, and 1Password - TidBITS

Is it true two-factor authentication if 1Password auto-fills security codes for you? Thanks to a 1Password blog post, we now know the answer: No, it’s two-step verification instead.

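The point of the article is that a one-time code is only a second factor if it comes from something separate from the password store. The following is an added example, not code from the TidBITS article or from 1Password: it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and then shows that a vault entry holding both the password and the TOTP seed yields everything a login needs, with no second device involved. The sample entry, its username and password are constructed; the seed is the RFC 6238 SHA-1 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation of the MAC, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algo)


def vault_entry_yields_both(entry: dict, at: int) -> tuple[str, str]:
    """Given a vault entry that stores the password and the TOTP seed side by
    side (as a password manager does when it also holds the one-time password),
    return the full login material. Nothing outside the vault is consulted,
    which is why this is two-step verification rather than a second factor."""
    seed = base64.b32decode(entry["totp_secret_b32"].upper())
    return entry["password"], totp(seed, at)


# Constructed sample entry (assumption: not real credentials). The base32 seed
# is the RFC 6238 SHA-1 test secret "12345678901234567890".
SAMPLE_ENTRY = {
    "username": "alice@example.com",
    "password": "correct horse battery staple",
    "totp_secret_b32": base64.b32encode(b"12345678901234567890").decode(),
}

if __name__ == "__main__":
    password, code = vault_entry_yields_both(SAMPLE_ENTRY, int(time.time()))
    print(SAMPLE_ENTRY["username"], password, code)
```

Run it and the script prints a username, a password and a currently valid code from one data structure. Whoever obtains that vault entry (a compromised master password, a malicious browser extension, an unlocked session) gets both "factors" at once; a seed kept in an authenticator on a different device is what keeps the second factor independent.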

I pointed out to Apple Support the 2-factor verification issue on the same device with Macs years ago. It was like speaking to a brick wall and expecting a meaningful response. It left me with the feeling that they were politely telling me to go and kiss the dark spot in the crack of their behind.

Interestingly enough, speaking of hardware verification, in order to get Touch ID verification on a Mac Pro desktop you have to purchase a new separate keyboard. For the numeric keyboard that will cost you an additional $200. However, unless you also have an ARM machine it will not work. This means for owners of a Mac Pro 7.1 2019+ enterprise computer with a base price of $5000.00 Touch ID verification is not available, at least from Apple. Neither is facial recognition. Go figure!

A post was split to a new topic: Problems with using multiple email addresses

My workaround is simple, although it’s bypassing all kinds of conveniences that 1PW has made available. I don’t allow it to install 1PW’s browser plug-ins, nor do I allow it to auto-fill fields for any online logins. I use it to store certain un’s and pw’s - I open the app, look them up, and manually retrieve them by copy/paste only. The one system I have decided to trust is Apple’s keychain system. If that gets penetrated and compromised, all is lost.

Wondering if anyone has tried or just has an opinion on the idea of activating a defunct iPhone (not the one I use daily) with a pay-as-you-go SIM card, and employing that for certain high-sensitivity 2FAs.

Just make sure you never enter your iPhone passcode in public, since that (coupled with resetting the Apple ID password) is the known way to break Apple’s keychain system.


I never enter my iPhone passcode in public - because you (and the WSJ) told us not to! Thanks.


I thought Apple was adding some extra steps to help fix this in iOS 17? (…or maybe I just thought they were, lol.)

Alternatively, AFAIR I thought I read about another solution – something to do with using device accessibility settings to help stop a thief ‘using device code to take-over Apple ID’ issue. Of course I can’t find it again now, so…? :roll_eyes:

EDIT: Silly me – it’s literally in your above How a Thief… article, the text from “The closest we have to an additional password step is a Screen Time passcode.” Doh.

I just want to reiterate that this is not a solution. A thief who knows the passcode can still reset the Apple ID passphrase even with Screen Time restrictions. So setting a Screen Time passcode and restricting account changes ends up just making the phone more difficult to use for yourself.

As for what is coming in iOS 17 - at WWDC, Craig Federighi, when asked about this vulnerability during John Gruber’s live podcast, said (without any detail about timing or specific changes) that Apple was looking into ways to make the phone more secure from this.


I see your point, @ace, but having to keep the multiple factors separate poses its own issues.

I ran into an issue recently while travelling in Europe. I needed to check our credit card balance during our trip. The bank site required me to enter a code sent by SMS to log in. Alas, I had switched SIM cards while travelling and couldn’t receive any texts at my regular number, so I was stuck. Some sites offer an alternative, but many don’t. As for 1Password, I like that it clears the clipboard of any copied logins after 90 seconds and that you can put it in “travel” mode, making only certain logins accessible.

That is one good thing about being a Verizon customer - they have an app called Message+ that will collect and send any SMS messages to the app over a data connection, even if you are not connected to the network. It is not the most beautiful app, but it’s great for that one purpose.


Is this not true then? (setting a separate 4-digit code for Screen Time to stop changes to the Apple ID.)


Correct. Screen Time passcode does not prevent thief changing Apple ID. I think Adam recognised that this was the case in the other long thread.

It is easy enough to test for yourself. You can back out before actually changing your Apple ID password.

Yes, that’s correct. In the second article on that topic, I wrote:

More problematically, I believe it’s possible to reset the Apple ID password during the process of disabling the Screen Time passcode, thus bypassing Screen Time’s restriction on account changes. Apple reportedly addressed some of this vulnerability in iOS 16.4.1, but I was still able to change my Apple ID password knowing nothing beyond the passcode. My testing wasn’t as complete as I would have liked because I risked locking my Apple ID account for days, but Apple definitely has more work to do here.


Unless something changed with 16.5.1 - I don’t think it has - there is still a way to change the Apple ID password even with that setting turned on if you know the Apple ID (when you turn on restrictions, it prevents showing the Apple ID, but it’s available in other places on the phone, including the email app) and the device passphrase. Joanna Stern at the WSJ keeps recommending it, even knowing that it doesn’t protect you, because she argues it adds another minute or two to the theft of your account, which may be just enough to borrow a phone and use Find My to lock the device.

[edit - I checked on 16.5.1(c) - the vulnerability remains.]


Ah OK, not worth bothering with then. Thanks all.
Looks like an issue to check for any improvements in the shipping version of iOS 17 in the Fall.

…looking into ways to make the phone more secure from this.’ – sounds pretty noncommittal to me.
Reading between the lines, it’s more like a ‘we don’t know yet if we think this is a problem worth fixing, or whether the status quo is good enough and so won’t be fixing’.

just enough to borrow a phone and use Find My to lock the device.

“Lock” is not a choice in Find My. It’s either “Mark as Lost” or “Erase.” And all anyone needs is the passcode to mark as found, so I think the only viable choice is Erase.

The next step would be to change your Apple ID password.

If you don’t erase your phone and it’s registered as a trusted device, the crooks can deny your attempt to log in to your Apple account, and you won’t be able to change the ID password.

So if you get the chance, Erase.


What Apple has said off the record to journalists is that they have far more people who forget their Apple ID passphrase than have been victimized by this ability to change the password knowing only the device passcode, so they have left it this way for this reason. Perhaps it would be as simple as having a non-default option to force entering the old password when changing it, or allow an older recovery key or trusted number to regain control of the Apple ID within a short amount of time (2 weeks, or 30 days, say).
