By Nate Adcock on Sat, 06/16/2012
If you are a Google user, you can make it much more difficult for an attacker to hijack your account by configuring and using the 2-factor authentication now available (go here to learn more about this important feature). 2-factor authentication is a security validation process requiring you to present independent proof of identity before you can access an online resource--in this case, your Gmail account. The idea is to better protect your account from intrusion by making the sign-in process verifiably unique to your session. Read on to learn more about Google's very smart move (providing an authenticator app for iOS) to help users protect their accounts, and why Apple needs to quickly follow suit!
Online 2-factor security mechanisms often involve a flavor of random number generator. The number generator creates a time-based, constantly changing numeric code. This pseudo-random code is then used as your second form of authentication (beyond simple login/password). Google is making 2-factor easy for the user by allowing you to configure your mobile device (iPhone, iPad, etc.) as the tool to get these codes. You can configure your account to send verification codes via SMS text (from Google servers) to your phone, or use a free iOS app that will generate the codes right on your device (this requires some basic setup as well). You can even generate a list of "one-time use" codes so that you can still obtain access should your phone be unavailable (maybe keep a few in a wallet or purse). You still need to know your account login and password, but you can choose to cache credentials for a computer for 30 days so that you don't have to enter login/verification every time.
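The "time-based and changing numeric code" described above is what the Google Authenticator app computes: an HMAC over a shared secret and the current 30-second time window (the TOTP scheme of RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the original post or from Google; it assumes the RFC test secret and shows both the generator and a server-side check that tolerates one window of clock drift.

```python
# Added example (not from the original post): a TOTP code generator of the
# kind the Google Authenticator app uses, plus a verifier with drift window.
# The secret is the RFC 6238 test-vector secret, not a real account key.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

SECRET = b"12345678901234567890"  # RFC 6238 test secret (assumed for the demo)
STEP = 30                         # seconds per code window, as the app uses
DIGITS = 6                        # Google Authenticator shows 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP) -> str:
    """Code for the time window containing `at` (Unix seconds; now if None)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def verify(secret: bytes, code: str, at: Optional[int] = None, drift: int = 1) -> bool:
    """Accept the code for the current window or +/- `drift` adjacent windows,
    so a phone whose clock is slightly off still works. Constant-time compare
    keeps the comparison itself from leaking the expected code."""
    now = int(time.time()) if at is None else at
    window = now // STEP
    return any(hmac.compare_digest(hotp(secret, window + w), code)
               for w in range(-drift, drift + 1))


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the format typed or scanned into the app."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    print("app secret:", provisioning_secret(SECRET))
    print("current code:", totp(SECRET))
```

The 6-digit output is the last six digits of the 8-digit codes listed in RFC 6238 Appendix B, which is how the assertions below were derived.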
Verification is easy: When asked to verify--for instance, trying to log in to your Gmail from a kiosk computer at a hotel--you either run the app or select to have a code sent (or use one of your one-time codes). Enter the code in the verification field. Setting up built-in apps like Mail or Calendar on iPhone or iPad is a bit trickier, as these apps cannot handle 2-factor authentication. You will need to generate app-specific passwords while logged in from a trusted computer and use those. I advise doing this right away (once you have enabled 2-factor authentication inside your account) for all devices that require access. Otherwise, you are going to stop getting mail and alerts, and attempts to use these apps will likely result in errors until the new codes are generated and entered (simply enter the app-specific password in each app instead of your normal password).
Be warned that once you turn on 2-factor authentication, all apps that require access to your Google account will need a specific app password generated as indicated above, and you will need to provide verification to remotely access your account from any untrusted source. You could run into considerable trouble accessing your account should you not be able to do this, so I recommend starting with your trusted computer and setting everything up from there first. Generate your list of one-time codes (and save them somewhere you can easily get to them). It can be a bit annoying at first, but once configured, the hassle is trivial compared to the peace of mind of knowing that your data is at least somewhat more secure. Now to why Apple had better get on board with something similar to this, and soon.
For years Apple and its users have enjoyed a somewhat sheltered existence from the virus and bot storms that mostly sweep across and aim themselves at Microsoft computers on the internet. That buffer zone is fading. Though no computerized device is truly safe, Mac computers along with their iOS-driven little brothers are now much more ubiquitous than they were years ago, and hackers are always enjoying a treasure trove of new security vulnerabilities. Though Android phones are a big target due to their open architecture, exploits are increasingly being aimed at Apple products. While iOS in its un-jailbroken form remains a somewhat harder target, the weakest link in the Apple ecosystem is not specific to just iOS. It is iTunes, in my opinion, and most specifically your user account and the info contained therein.
Any app or OS or even cloud ecosystem is only as strong as the least protective of its security measures. Once you turn on a computer, or your iPhone for that matter, you must connect it to a network to make use of its communication abilities (lest it become a one- or two-trick pony). While you can go a long way to secure and encrypt your data en route to its destination, it's what happens to it on the other end that may end up defeating the efforts of even the best security software. Apple has been complacent about security mostly because they could afford to be, but iTunes/iCloud represent a big juicy target to hackers, and hijacking an account is still not that terribly difficult.
Apple has certainly improved their iTunes verification process since the early days (asking tons of unique questions, etc.), but without drawing too much attention to some of the nefarious ways one could use to hijack an account (a bogus "add an email account" request via tech support, for example), iTunes access could be made more secure by adopting a dynamic process like 2-factor authentication. A simple app similar to the Google Authenticator app would be a good first step (synced up to Apple servers, of course). Separate hardware VPN tokens (available for purchase from Apple) would be a better method of choice, but even those measures may not totally protect your account (PCWorld magazine reported that RSA had an incident last year with several batches of tokens). The bottom line is that Apple needs to harden account access for its users, whatever the method. It won't totally stop an inside job or a large-scale data breach, but the enhanced verification process might hinder the account hijacking attempts that are sure to come after a breach has occurred. If you have a unique and dynamic way to get into your account, there is still a chance you can change or remove critical info from it before someone else does.