Mobile security in 2013: two-step verification or security questions?

Chase Bonar
 from Winter Springs, FL
Published: March 22, 2013

If the thought of a hacker compromising your Apple account keeps you up at night, you're in luck. Logging into your Apple account is about to be a two-step affair. The Cupertino-based company just announced two-step account verification. Whereas Google just passed the two-year anniversary of offering two-step verification for its accounts, Apple is taking the "better late than never" approach. It's a welcome addition, but a combination of security questions and dual verification would be ideal.

I respect account privacy. It's a subject I've long felt requires more attention than it's given. We've recently seen biometrics edging their way into the mobile affair, but it will be a long while before consumers can reap the benefits of this additional level of security. Two-step verification plays a vital role in enterprise security, and for anyone who travels. It's a good start and I'm happy to see Apple on board.

If there's anything we can learn from the success of competing mobile security measures, it's that two-step verification directly impacts mobile devices. From Apple's perspective it was only a matter of time before they announced additional security measures for their accounts.

Apple's two-step verification affects Apple ID and iCloud accounts. In the process, Apple has managed to throw a curveball and drop traditional security questions in favor of the two-step in a couple of situations: when a change has been made to the account, and when the first purchase is made on a new iOS device. In all other instances, you have the choice between security questions and two-step verification.

Security questions are not completely gone with this new added level of security, but you cannot have the questions enabled at the same time as the dual-layered verification service; it's one or the other. It's a very Apple-y approach. Also particular to Apple's version of two-step verification is the unique recovery key code, which can override all passwords. In retrospect, this seems to defeat the purpose of offering the two-step verification service by making it null and void with a single password, but I understand why it's an option. If you lose your trusted device, it's the only way to regain access to your account.

So, how is this any better than traditional security questions?

Late last year, the Apple ID security questions of Wired's Mat Honan were put to the test by a set of hackers practicing their social engineering skills. In the span of an hour, hackers gained complete control of Honan's Apple ID and three other accounts. Another hour later, his entire digital footprint had been erased. When asked why, the hacker said he only wanted access to Honan's Twitter handle @Mat.

The real issue at stake was the way Apple's employees handled Honan's security questions over the phone. With hackers ultimately gaining access as the fake Mat Honan, Apple had no idea what they had done to one of their customers.

Whether or not Apple's shunning of security questions in favor of two-step verification is a direct result of Honan's experience is up for debate. Users still have the ability to add security questions instead of two-step verification, just not both at the same time. What we do know about Apple's take on security is that they're now encouraging consumers to exercise caution. The responsibility is being shifted to the consumer.

You could even say Apple is reacting to the competition in Google, instead of Honan's situation. But let's be honest, there's no reason two-step verification should have come to fruition this late in the game. Across the aisle, Microsoft is another big name yet to acknowledge the benefits of additional verification. Apple's addition may force Microsoft to consider adding the security precaution.

Considering Google announced two-step verification on the Blogger homepage in February of 2011, I can't help but think Apple is merely tidying up their security measures in reaction to the competition.

From the outside looking in, Apple has built a stronghold of security measures that consumers believe in. Apple products frolic in the closed ecosystem that you'd describe as "safe" and "secure." Ironically, up until now, it wasn't as safe as the competition.

In short, what Apple has effectively admitted is that their security questions were unsafe and that there is no better way to protect your data than to rely on an outside source. 

How do you feel about two-step verification on your Apple and Google accounts? If you use it, do you prefer it over traditional security questions?
