Ever since a the celebrity nude photo scandal of 2014, in which many stars had their personal photos stolen out of their iCloud accounts, Apple’s been keen to beef up its security.
That’s meant two-factor verification for products including iMessage and FaceTime.
Now, it’s iTunes’s turn.
Apple on Wednesday released a new version of iTunes that delivers two-factor authentication when logging into the store, as well as bug fixes, to accompany its iOS 9 update.
Apple also fixed a handful of bugs in Apple Music, dealing with VoiceOver issues and recently played radio stations not being listed, among other things.
The update also includes support for iOS 9 and El Capitan, which will be released on 30 September.
iTunes version 12.3 can be downloaded immediately via the Software Update mechanism in the Mac App Store or from the iTunes website.
This is the first time the bug-plagued desktop app is getting two-step verification.
Some of the more serious iTunes security holes have included a giant permissions hole that Apple fixed in May 2014, and the more recent invoice poisoning bug, fixed two months ago – a serious remote vulnerability in the AppStore and iTunes web applications that posed “a significant risk to buyers, sellers or Apple website managers/developers”.
If users opt to switch on two-step verification in iTunes 12.3 (and they should), they’ll be required to supply a PIN on top of passwords when performing tasks such as changing account details or logging in for the first time.
At Naked Security, we write and talk about two-step verification (2SV), or two-factor authentication (2FA), quite a bit.
As the endless stream of stories about stolen password databases, phishing attacks, malware that collects all of our keystrokes and even credit card skimmers installed in our local ATMs or at our favourite retailers all show, the old-school method of verification by passwords just isn’t cutting it. 2SV is a more robust method of verifying identification, so the iTunes update is a welcome thing.
Mind you, Apple hasn’t always gotten 2SV as thoroughly incorporated into its products as it could have: when it first turned on 2SV, it didn’t apply to iCloud at all (hence why the celebrity photos were reasonably easy to get hold of), as Naked Security writer Chester Wisniewski went out of his way to check.
Turning on 2SV only protected certain operations on your Apple account, such as editing your account details or buying products from iTunes or the App Store from a new computer or device.
But Apple has continued to forge ahead, incorporating 2SV into more of its products, as it’s done now with iTunes.
For that, we send kudos.
Image of iTunes logo courtesy of urbanbuzz / Shutterstock.com
Nicolas
I’m not at all pleased that Apple’s two-step requires a second device (phone, etc.) Banks aren’t requiring this, and I haven’t heard that a lot of them are being hacked. I’d be content with a second entry window with a security question, or some other option. The next thing I do is turn off two-step verification.
Paul Ducklin
The idea is to have a *second* factor, not the same one twice. (My bank requires this for 2FA. You need to validate your browser session via your mobile phone every time. So a crook has to get your password *and* SIM-swap your phone. Neither one alone will do.)
nsmartinworld
Because Apple’s Mac apps don’t work directly with password managers, my Apple ID is the least secure that I have. It’s the only one that isn’t long and random. There’s the problem.
Paul Ducklin
In what way do Apple Macs not support password managers? (You could use KeyChain if you trust it. Apple’s very own password manager :-)
What about LastPass, if you want a well-known, mainstream, third-party solution. I know loads of people who are OS X fans who are also LastPass fans.
nsmartinworld
They work within the browsers, but not with products like iTunes.
Kim
Yeah…downloading this update was a huge mistake. My iTunes locks up roughly 30 seconds after I open it. Every. Single. Time. It’s completely unsuable now.