Posts Tagged ‘2FA’

Passwords are probably the oldest authentication method. Despite their age, passwords remain the most popular authentication method in today’s digital age. Compared to other authentication mechanisms, they have many tangible benefits. They can be as complex or as easy to remember as needed; they can be easy to use and secure at the same time (if used properly).

The number of passwords an average person has to remember is growing exponentially. Back in 2017, an average home user had to cope with nearly 20 passwords (presumably they would be unique passwords). An average business employee had to cope with 191 passwords. Passwords are everywhere. Even your phone has more than one password. Speaking of Apple iPhone, the thing may require as many as four (and a half) passwords to get you going. To make things even more complicated, the four and a half passwords are seriously related to each other. Let’s list them:

  • Screen lock password (this is your iPhone passcode)
  • iCloud password (this is your Apple Account password)
  • iTunes backup password (protects backups made on your computer)
  • Screen Time password (secures your device and account, can protect changes to above passwords)
  • One-time codes (the “half-password” if your account uses Two-Factor Authentication)

In this article, we will provide an overview on how these passwords are used and how they are related to each other; what are the default settings and how they affect your privacy and security. We’ll tell you how to use one password to reset another. We will also cover the password policies and describe what happens if you attempt to brute force the forgotten password.

(more…)

In Apple’s land, losing your Apple Account password is not a big deal. If you’d lost your password, there could be a number of options to reinstate access to your account. If your account is not using Two-Factor Authentication, you could answer security questions to quickly reset your password, or use iForgot to reinstate access to your account. If you switched on Two-Factor Authentication to protect your Apple Account, you (or anyone else who knows your device passcode and has physical access to one of your Apple devices) can easily change the password; literally in a matter of seconds.

But what if you do know your password and your passcode but lost access to the only physical iOS device using your Apple ID and your SIM card at the same time? This could easily happen if you travel abroad and your phone is stolen together with the SIM card. There could be an even worse situation if your trusted phone number is no longer available (if, for example, you switched carrier or used a prepaid line and that line has expired).

It’s particularly interesting if you have a child under the age of 13 registered in your Family Sharing, and the child loses their only iOS device (at that age, they are likely to have just one) and their phone number (at that age, they are likely to use prepaid service). So let us explore what happens to your Apple Account if you lose access to your secondary authentication factor, and compare the process of regaining control over your account in Apple and Google ecosystems. (more…)

iOS 11 introduced multiple changes to its security model. Some of these changes are highly welcome, while we aren’t exactly fond of some others. In this quick reference guide, we tried to summarize all the changes introduced by iOS 11 in the security department.

Compared to iOS 10 and earlier versions of the system, iOS 11 introduced the following security changes:

–  Reset password to local backups (passcode required), which makes logical acquisition trivial

–  For 2FA accounts, reset Apple ID password and change trusted phone number with just device passcode (possible for both iOS 11 and iOS 10)

–  Health data sync with iCloud (users can disable)

+  Passcode required to establish trust relationship with a PC (Touch ID/Face ID can no longer be used to pair)

+  Quickly and discretely disable Touch ID/Face ID via S.O.S. mode

+  Automatically call emergency number (push side button 5 times in rapid succession)

+  iOS 11 strongly suggests enabling Two-Factor Authentication in multiple places

+  Two-Step Verification (2SV) is no longer available

Additionally, in macOS High Sierra, Desktop and Documents folders now sync with iCloud (user can disable).

What are iCloud authentication tokens? How they are better than good old passwords? Do they ever expire and when? Where to get them? Is there anything else I should know about tokens? This publication opens a new series on token-based authentication.

A Brief History of iCloud Extraction

When we started working with Apple iCloud more than 5 years ago to allow users download their backups, we only supported the most straightforward authentication path via login and password. Since you had to supply an Apple ID and password anyway, many people wondered what the big deal with our software was. If it required a password anyway, could you just do the same by some standard means?

The thing is there is no “standard” means. All you can do with an iCloud backup without additional software is restoring a new Apple device from it; from there, you’re on your own. Also, you can only restore over Wi-Fi, and the process is extremely slow. It takes several hours to finish, and the iPhone you’re restoring will consume a lot more traffic than just the backup (it’ll also download and install app binaries from the App Store, which can be significantly larger than the backup itself).

(more…)

We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.

Not anymore. The release of iOS 11, which we praised in the past for the new S.O.S. mode and the requirement to enter a passcode in order to establish trust with a new computer, also made a number of other changes under the hood that we have recently discovered. Each and every one of these changes was aimed at making the user’s life easier (as in “more convenience”), and each came with a small trade off in security. Combined together, these seemingly small changes made devastating synergy, effectively stripping each and every protection layer off the previously secure system. Today, only one thing is protecting your data, your iOS device and all other Apple devices you have registered on your Apple account.

The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.

(more…)

Who am I to tell you to use two-factor authentication on all accounts that support it? This recommendation coming from someone whose business is supplying law enforcement with tools helping them do their job might be taken with a grain of salt by an average consumer. Yet we still strongly believe that, however good a password you have to encrypt your local documents or NAS drives, any remotely popular online service absolutely requires an additional authentication factor.

We covered the risks related to passwords more than once. There is no lack of horror stories floating on the Internet, ranging from leaking private photos to suddenly losing access to all data and devices registered on a certain account. Today, smartphones store excessive amounts of information. If any of that data is synced with a cloud, the data will be shared with something other than just your device.

So what is that “other” thing that you need to secure access to your account? It might be something you have in addition to something you know. Something that cannot be easily stolen or accessed remotely. This is exactly what two-factor authentication is for.

All three major mobile companies, Apple, Google and Microsoft, offer very different implementations of two-factor authentication. Speaking Google, you have several convenient options: SMS (which is not really secure, and Google knows it), the recently added Google Prompt, the classic Google Authenticator app, printable backup codes, FIDO keys and a few more. (Spoiler: if you are on a different side and need to extract the data as opposed to protecting it, we have an app for that).

What about Apple? There are a few things you should definitely know about Apple’s implementation. The problem with Apple is that Apple accounts protected with two-factor authentication can be actually less secure at some points. Surprised? Keep reading.

(more…)

Two-factor authentication is essential to secure one’s access to online accounts. We studied multiple implementations of two-factor authentication including those offered by Apple, Google and Microsoft. While Google’s implementation offers the largest number of options, we feel that Apple has the most balanced implementation. The closed ecosystem and the resulting deep integration with the core OS makes it easy for Apple to control exactly how it works and on which devices.

Suppressing the Prompt

Since Apple introduced Two-Factor Authentication (as a replacement of the older and much less secure Two-Step Verification), Apple customers are alerted immediately of someone’s attempt to access their Apple account. A 2FA prompt is pushed instantly and concurrently to all devices the user has in their Apple account once someone attempts to log in. This has always been a hassle for forensic experts trying to perform investigations without alerting the suspect, as merely entering a login and password and seeing a 2FA prompt would mean it’s already too late, as the suspect has been alerted with a prompt.

Or, better to say, it used to be an issue. Just not anymore! Elcomsoft Phone Breaker 8.1, our newest release, now carries out an additional check (which wasn’t exactly easy to make since there is no official API and obviously no documentation), allowing the tool to detect whether or not Two-Factor Authentication is enabled on a given Apple account without triggering a 2FA prompt. The expert will now have the choice of whether to proceed (and potentially alert the suspect) or stop right there.

(more…)

Google has started its journey on convincing people to move away from SMS-based verification, and start receiving push messages via the Google Prompt instead of using six-digit codes. Why does Google want us away from SMS, and why using Google Prompt instead? Let’s try to find out.

SMS Are Insecure, Aren’t They?

In late July 2016, the US National Institute of Standards and Technology’s (NIST) released an updated set of guidelines that deprecated SMS as a way to deliver two factor authentication because of their many insecurities. A year later, NIST took it back, no longer recommending to “deprecate” SMS usage. Are we, or are we not at risk if we choose to have our two-factor authentication delivered over the (arguably) insecure SMS channel?

(more…)

In the US, Factory Reset Protection (FRP) is a mandatory part of each mobile ecosystem. The use of factory reset protection in mobile devices helped tame smartphone theft by discouraging criminals and dramatically reducing resale value of stolen devices. Compared to other mobile ecosystems, Apple’s implementation of factory reset protection has always been considered exemplary. A combination of a locked bootloader, secure boot chain and obligatory online activation of every iPhone makes iCloud lock one exemplary implementation of factory reset protection.

All one needs to do is enable the Find My Phone option in iCloud settings. In fact, this option is enabled by default once you set up your new iPhone. After that, even if you lose your iPhone and someone else attempts to reset it to factory defaults, the device will be still locked to your iCloud account. Unlocking the device (removing iCloud lock) requires access to your Apple ID, password, and secondary authentication factor if you have Two-Factor Authentication enabled. Sounds pretty secure so far?

(more…)

Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.

Establishing Trust with a PC Now Requires a Passcode

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

(more…)