Apple brings two-step verification to iCloud.com Web apps

“Apple on Monday appears to have rolled out a new implementation of its two-factor Apple ID authentication system with iCloud.com, requiring users who have the additional layer of security enabled to enter a special code before accessing the Web apps,” Mikey Campbell reports for AppleInsider.

“Prior to the change, iCloud.com was accessible via a simple password,” Campbell reports. “AppleInsider was able to confirm the new iCloud security feature is indeed Apple’s normal two-factor authentication service, though it is unclear if the feature is in testing or nearing rollout. Certain Apple ID accounts we tested required the second verification, while others did not.”

Campbell reports, “Like Apple’s other two-factor methods, iCloud.com asks users who log on to enter both a password and a four-digit verification code that is sent by the system to a trusted device. Once verified, all iCloud apps are unlocked and can be accessed normally.”

Read more, and see the screenshots, in the full article here.

2 Comments

  1. So is it two factor or two step? In the security world these are two *radically* different things.

    “Like Apple’s other two-factor methods, iCloud.com asks users who log on to enter both a password and a four-digit verification code that is sent by the system to a trusted device. Once verified, all iCloud apps are unlocked and can be accessed normally.”

    In this scenario, if the device accessing the iCloud app is the same one getting the four digit code, then it is a two step process. If the code is sent to a different device, then it is a two factor process. A true two factor method requires the separation of information. Having the same device doing the verification (being a trusted device, e.g., a person’s iPhone or a person’s iPad) and running the app where you input your password (on which most people will store their password via iCloud’s password system) will not provide that separation.

    Thus the same device holds the password and is the trusted device — making it a single point of information. Verification and password hosting in a single device results in a two step process, not a two factor process.

    1. I don’t get the two-factor prompt on iCloud.com yet, but through the Apple ID site only iOS devices were listed as trusted devices to send the code to for its two-factor login. So it looks like two-factor fits the bill here.
