An Open Letter to Tim Cook Regarding Apple ID Security


Dear Tim,

I find it somewhat disturbing that a single username and password provides access to all my personal data on iCloud and to my iTunes Store account - and urge you to consider allowing customers to opt in to higher-grade security and allowing for privilege separation between different kinds of Apple IDs.

I am aware that it is already possible to do this to some extent (setting up a new Mac prompts me to set up a separate Apple ID for store purchases) but, as a former .Mac and MobileMe user, I am prevented from doing exactly that - which, ironically, places me at higher risk than a new user.

I suggest you change that and allow iCloud users to either:

a) migrate their purchases to another Apple ID for iTunes use only, or

b) set up application-specific usernames and passwords for iCloud services (and developer IDs)

Which, again, is what new customers can do when they buy their first Apple device. But it’s a once-only option, and older customers can’t take advantage of it.

In this way, if their mail account is compromised, their iTunes and AppStore purchases are safe (and vice-versa). As a developer, I’m also concerned with the havoc it would cause if my developer ID (which is the same as my Apple ID until this Friday, when I’m allowing it to expire to register a new one) were compromised.

Ideally, I would like to have the ability to have two-factor authentication when accessing my iCloud account as well as the ability to manage application-specific passwords for mail, calendaring, Messages, etc., but I understand that may not be immediately possible.

So I urge you to consider implementing something along the lines of the Google two-factor authentication system - at the very least, as an opt-in feature for users that are more security-conscious.

After all, iOS devices already have most of the required technological components in place, and you are in the unique position of being able to leverage complete integration between the end-user stack and your cloud services.

I strongly suggest you take the lead on this, and set the gold standard.

Regards,

R.