Tao of Mac

Aug 8th 2012 · 1 min read · #apple #authentication #icloud #security #two-factor

An Open Letter to Tim Cook Regarding Apple ID Security

Dear Tim,

I find it somewhat disturbing that a single username and password provides access to all my personal data on and to my iTunes Store account - and urge you to consider allowing customers to opt in to higher-grade security and allowing for privilege separation between different kinds of IDs.

I am aware that it is already possible to do this to some extent (setting up a new prompts me to set up a separate ID for store purchases) but, as a former and user, I am prevented from doing exactly that - which, ironically, places me at higher risk than a new user.

I suggest you change that and allow users to either:

a) migrate their purchases to another ID for iTunes use only, or

b) set up application-specific usernames and passwords for services (and developer IDs)

Which, again, is what new customers can do when they buy their first device. But it’s a once-only option, and older customers can’t take advantage of it.

In this way, if their mail account is compromised, their iTunes and AppStore purchases are safe (and vice-versa). As a developer, I’m also concerned with the havoc it would cause if my developer ID (which is the same as my ID until this Friday, when I’m allowing it to expire to register a new one) were compromised.

Ideally, I would like to have the ability to have two-factor authentication when accessing my account as well as the ability to manage application-specific passwords for mail, calendaring, Messages, etc., but I understand that may not be immediately possible.

So I urge you to consider implementing something along the lines of the two-factor authentication system - at the very least, as an opt-in feature for users that are more security-conscious.

After all, devices already have most of the required technological components in place, and you are in the unique position of being able to leverage complete integration between the end-user stack and your cloud services.

I strongly suggest you take the lead on this, and set the gold standard.

Regards,

R.

This page is referenced in: