Why Apple shouldn't force two-factor authentication on iPhone users

[straycat19]

Recent reports indicate that Apple may be gearing up to require additional security measures like two-factor authentication for iOS users. As reported by 9to5Mac, some iOS 10.3 beta users are now being prompted, via a push notification, to enable two-factor authentication.

 

According to the report, users are presented with a notification that they can swipe on to be taken to Settings app, where they are given an explanation of two-factor authentication and how to enable it. If a user doesn't enable two-factor authentication, they will see a warning in the Settings app encouraging them to enable it.

What's even more interesting is that the notification won't just automatically go away, as other iOS notifications do, the report noted. Instead, the notification must be manually cleared.

 

For those who are unfamiliar, two-factor authentication is a security method that requires a user to meet two separate authentication factors to login. For example, a user might input his or her password, and then be prompted to enter the answer to a security question, or to enter a code that was sent to another device.

 

Apple has this to say about two-factor authentication: "Two-factor authentication is the best way to keep your account secure. It can protect your account even if someone learns your password."

 

Two-factor authentication is a common method of improving device security, especially among enterprise users. However, would it be the right move for Apple to force this behavior on iOS users?

 

John Pironti, president of IP Architects and founding member of Cybersecurity Industry Advisory Board at Champlain College, doesn't think so. Instead, Pironti said, "it is better to provide users with information to make informed decisions on the use of two-factor and let them make a risk-based decision for themselves."

If users choose not to enable available security measures, Pironti said, the onus shouldn't be on Apple to do it for them.

 

"I suggest that there should be a scale of what level of assurance, assistance, support, and vendor liability that will be provided to users that is aligned with the level of suggested measures they choose to use," Pironti said. "This way you are empowering the user with the choice of what works best for them and what risks they are willing to take."

 

The issue is not whether or not two-factor authentication is enabled, as many security experts would say that it is ultimately a helpful tool. The bigger issue as it relates to device security is informing users so that they take a strong stance on security themselves, and choose to pursue proper security hygiene.

 

If Apple does indeed make two-factor authentication mandatory in the public release of iOS 10.3, it would follow the company's various public statements it has made on its commitment to security and encryption. Apple was recently ranked highest in mobile security in a Tech Pro Research survey, and the company has been taking steps to further improve its security since its battle with the FBI after it refused to unlock and iPhone used by San Bernardino shooter Syed Farook.

 

source