With the recent security breaches on celebrity accounts on Apple’s iCloud, I wanted to see if anything has changed with the problems I experienced setting up Apple’s 2 step authentication. Apple’s 2 step authentication is an extra layer of security that you can add to your AppleID. In addition to using your AppleID and password to log in, you also have to supply a 4 digit code which Apple sends either via SMS to your cell phone or via Find My iPhone to one of your trusted devices. See here for more information on 2 step authentication.
Apple had announced the availability of 2 step authentication in Canada back in May 2013. The process required you to confirm you wanted to set it up and then wait 3 days until you got an email from Apple. Only then could you proceed with the series of steps. Apparently Apple had run into some difficulties implementing it in Canada and withdrew it until earlier in 2014.
I and other users have tried over several months to set up 2 step authentication, but the SMS code never shows up. I use a MVNO (Mobile Virtual Network Operator) cellular service which runs on the Rogers cell network. This same phone has no problem receiving similar codes from Google, MS or Yahoo for their 2 factor authentication. I know that this MVNO blocks short codes because these types of SMS texting can result in ongoing exorbitant fees on your monthly cell bill. That got me thinking. Instead of sending these SMS codes from a regular 10 digit phone number like Google, MS and Yahoo do, was Apple using short codes?
Sure enough, after hunting through piles of posts on Apple communities I found a post from someone called “yohdaddy” confirming that these 2 factor authentication codes from Apple are indeed coming from a short code caller ID like 504-72. Apple, why the heck use short codes?
Apple, are you indeed concerned about the security of your user accounts? If you are, then loosen up the purse strings and send the SMS codes for 2 step authentication from a real 10 digit phone number that cell carriers will not normally block!!
This oversight, together with not having rate limiting (locking an account after x failed attempts) implemented on logins until just recently, makes one go hmm when Apple and login security are mentioned.