Apple joins two-step verification trend; Outlook.com still lacks it [Update]

The growing trend for online services to offer some kind of two-step verification option for better security got a boost today. Apple quietly joined the list of companies and services that now have a way for their customers to add this authentication feature to their Apple ID and iCloud accounts.

The Apple ID site offers more information on this additional security method. As with other two-step verification setups, the user registers one or more devices, such as an iPhone or iPad. Then, when a person signs in to their Apple ID or iCloud account, a four-digit code is sent to the registered devices, either by SMS or the Find my iPhone iOS app. The four-digit code is then typed in to complete the sign-in process.

Other companies have had two-step verification options for some time, including Google with Gmail and other Google accounts, Facebook, Dropbox and others. Twitter has recently been rumored to be considering a similar option.

Microsoft also offers two-step verification for some services such as Xbox Live and SkyDrive but as of yet it has not put such a system into place for its Outlook.com email service. During its open beta period in August 2012, an unnamed Microsoft spokesperson was quoted as saying that it was working "to find a strong solution that everyone can use, vs. just the 1% of users that figure out how to navigate a bunch of additional setup options."

We have emailed Microsoft today to find out if Outlook.com will add some kind of two-step verification option at some point.

Update: A Microsoft spokesperson gave us this comment: "We don’t have two-factor auth and have nothing new to share at this time. We do, however, have single use codes, require strong passwords, and good server-side detection."

Source: 9to5Mac.com | Image via Apple

22 Comments


So far I find perfectly adequate the single use code Microsoft has, I've been using the two step verification in gmail for a while but in a public place or at work don't feel comfortable enough to type my password.

I think I'll wait a while, cause I use a pretty solid password for Apple

Two-step verification should be supported by all major providers. I use it for Steam, Google, Microsoft and countless other services. It really isn't much hassle for the security it provides.

I'm not surprised that Outlook doesn't support it, as it's one of the weaker Microsoft services. The reliability is terrible (it was inaccessible again this past day) and all it really has to offer is a nice name and a pretty interface. My AIM and Gmail accounts are much more reliable.

Who cares about 2 step, it's more hassle than it's really worth. I'd rather them concentrate on ways to improve their existing security without over complicating the end user experience.

Obry said,
Who cares about 2 step, it's more hassle than it's really worth. I'd rather them concentrate on ways to improve their existing security without over complicating the end user experience.

People that get their accounts hacked probably care.

Don't use passw0rd or similar and use single use codes on non-trusted devices you'll be fine. If you need that much more security then you probably shouldn't rely on a free email service in the first place.

I use Google's two-step authentication method. Google does have some nice features like per-application passwords, but I think overall their two-step system is way too complicated for the average user. I think the better method is SMS authentication - sort of how Dropbox does it.

Chugworth said,
I think the better method is SMS authentication - sort of how Dropbox does it.

And how Outlook already does it.

Microsoft also offers two-step verification for some services such as Xbox Live and SkyDrive but as of yet it has not put such a system into place for its Outlook.com email service. During its open beta period in August 2012, an unnamed Microsoft spokesperson was quoted as saying that it was working "to find a strong solution that everyone can use, vs. just the 1% of users that figure out how to navigate a bunch of additional setup options."

Because it isn't needed?

Outlook has had single use sign-in codes for years now. If you're at a public computer simply just select that and it texts you a code, and you don't have to enter your password. That way even if the public computer is infected nobody gets a hold of your password.

Mark said,
Way too much hassle

Indeed. I don't know why anyone would volunteer for such disruption of service access unless they were a complete security nut!

rfirth said,
Definitely. I hate how accessing my Windows Store dev account REQUIRES that you use two factor authentication.

Indeed although I would prefer to be able to use a longer PW.

It really isn't. With Google you can set an 'always trust' option. This way you can access a public computer and it only has access throughout the session, while your personal devices don't have to verify every time.

Karanlos said,
It really isn't. With Google you can set an 'always trust' option. This way you can access a public computer and it only has access throughout the session, while your personal devices don't have to verify every time.

Ah similar to what Microsoft does, it sends me a text message every time I sign in anywhere that's not a recognized device. It gives temporary access, can easily be revoked.
And Hotmail used to have a two step verification, so it's a matter of time before it returns to Outlook/Microsoft Account.

Fritzly said,
Because it would take longer to crack it.

16 characters of alpha numeric only (ignoring special characters) yields:
47,672,401,706,823,533,450,263,330,816 (62^16) possible combinations. So, for the sake of this argument let's use 8 characters which is about 218 Trillion combinations.

Now, let's say you're allowed to pull off 10 guesses per second against Microsoft's authentication servers. This of course assumes you have amazing latency to the servers and they wouldn't notice what you're doing. It would take you 11.5k Years to complete all possible iterations (8 characters).

The concept that brute force attacks are what you need to worry about with online services hosted by companies of the caliber of Microsoft/Google/Apple is a little... well... nuts. Even at 8 characters you're perfectly fine. Now, if the attacker is able to get the hash and run a rainbow table crack on it that's a different story when trying to log into the server as you. However, they're probably salting which pretty much kicks the rainbow crack in the nuts.

Anywho... wanting greater than 16 characters serves nothing but epeen.
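
The keyspace, online-guessing and salting points raised in the last comment, as an added example that is not part of the original article or any commenter's post. It uses a plain lookup table as a simplified stand-in for a rainbow table and unsalted/salted SHA-256 as an assumed storage scheme; the candidate list and stored credential are constructed sample data.

```python
import hashlib
import os

ALPHANUMERIC = 62  # a-z, A-Z, 0-9, the alphabet assumed in the comment
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet=ALPHANUMERIC):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet ** length


def years_to_exhaust(length, guesses_per_second, alphabet=ALPHANUMERIC):
    """Worst-case time for an online guesser to try every candidate."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password, salt):
    # Illustration only: production storage should also use a slow KDF
    # (for example hashlib.scrypt or hashlib.pbkdf2_hmac), not bare SHA-256.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(candidates):
    """Precomputed hash -> password map (stand-in for a rainbow table)."""
    return {unsalted(p): p for p in candidates}


# Constructed sample data.
CANDIDATES = ["passw0rd", "letmein", "qwerty123"]
TABLE = build_table(CANDIDATES)


def demo():
    salt = os.urandom(16)  # per-account random salt, stored beside the hash
    stored_unsalted = unsalted("passw0rd")
    stored_salted = salted("passw0rd", salt)
    return {
        # The table was computed once and works against every unsalted hash.
        "unsalted_lookup": TABLE.get(stored_unsalted),
        # The same table is useless once a per-account salt is mixed in.
        "salted_lookup": TABLE.get(stored_salted),
        # The legitimate server still verifies because it knows the salt.
        "verify_with_salt": salted("passw0rd", salt) == stored_salted,
    }


if __name__ == "__main__":
    print(keyspace(8), round(years_to_exhaust(8, 10)), demo())
```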