In the first part of this series I discussed the minimum you should do to secure data on Apple devices:
- Use a Passcode/Password and Face ID/Touch ID
- Log in to iCloud and Enable Find My
- Use a Password Manager
For this post, we’ll talk about operating system updates and authentication methods that enhance account security.
Keep Your Device’s OS Up to Date
Operating systems have major releases and “dot” releases—iOS 16.0 would be considered a major release and iOS 16.1, 16.2, etc. would be considered dot releases. Dot releases fix bugs and add features that were announced but did not ship with the initial major release. Apple’s major releases ship each fall, and dot releases occur throughout the year.
Every release includes security enhancements or patches, whether it is a major or dot release. You should always run the latest dot release available for your device, but when you update to a major release is a matter of preference. I tend to update to major releases when they are available, but I am also willing to deal with bugs that may exist in those initial releases. Many recommend waiting until the first .1 dot release comes out so Apple has time to fix those initial release bugs.
Staying up to date on Apple devices is easy, and I recommend automating the update process as much as possible:
Use Multi-factor Authentication (MFA)
Let’s get this out of the way: no one likes multi-factor authentication. Having to validate your identity after entering a password is enough of a friction point that many schools and businesses have resisted its implementation to avoid irritating staff. However, MFA is one of the best ways to protect yourself in the event your login credentials are obtained via a breach. From the Cybersecurity & Infrastructure Security Agency:
MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password.
Users who enable MFA are significantly less likely to get hacked. Why? Because even if a malicious cyber actor compromises one factor (like your password), they will be unable to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts.
MFA has several names—Multifactor Authentication, Two Step Authentication, 2-Step Verification, Two Factor Authentication, 2FA—and you may have already experienced it unknowingly. For example, some banking sites send you a text message containing a code when you log in, and require you to enter that code on their web site to proceed. That’s one type of MFA.
Many services have started to support “authenticator” apps for MFA because text messages are not secure. Those services use a system that generates codes based on a time signature and text key, and the authenticator app is used to look up those codes. Apple’s password manager can act as an authenticator and, through its integration with Safari, it makes entering those codes much easier.
Receiving a code via text message is the most comfortable first step into MFA, and where I would recommended everyone start, but step up to an authenticator app when you’re comfortable enough.
Keep an eye on Passkeys
Passkeys are a new authentication method that are designed to replace passwords, and were developed by a consortium that includes Microsoft, Google, Apple and other tech giants. Tom’s Guide provides a good overview of passkeys and how they work:
Passkeys aim to make all of your accounts more secure by using passwordless login in place of traditional passwords since each passkey is a unique digital key that can’t be reused. They’re also stored in an encrypted format on your devices instead of on a company’s servers which keeps them safe in the event of a data breach.
Apple devices running iOS/iPadOS 16 or later, and macOS Ventura or later have support for passkeys built-in, but it will take some time before web sites and apps fully embrace this new authentication method. Because passkeys are more secure than passwords, they are a MFA method to watch and adopt as support for them grows.