iTunes 12.3 brings support for two-factor authentication

Ever since a the celebrity nude photo scandal of 2014, in which many stars had their personal photos stolen out of their iCloud accounts, Apple’s been keen to beef up its security.

That’s meant two-factor verification for products including iMessage and FaceTime.

Now, it’s iTunes’s turn.

Apple on Wednesday released a new version of iTunes that delivers two-factor authentication when logging into the store, as well as bug fixes, to accompany its iOS 9 update.

Apple also fixed a handful of bugs in Apple Music, dealing with VoiceOver issues and recently played radio stations not being listed, among other things.

The update also includes support for iOS 9 and El Capitan, which will be released on 30 September.

iTunes version 12.3 can be downloaded immediately via the Software Update mechanism in the Mac App Store or from the iTunes website.

This is the first time the bug-plagued desktop app is getting two-step verification.

Some of the more serious iTunes security holes have included a giant permissions hole that Apple fixed in May 2014, and the more recent invoice poisoning bug, fixed two months ago – a serious remote vulnerability in the AppStore and iTunes web applications that posed “a significant risk to buyers, sellers or Apple website managers/developers”.

If users opt to switch on two-step verification in iTunes 12.3 (and they should), they’ll be required to supply a PIN on top of passwords when performing tasks such as changing account details or logging in for the first time.

At Naked Security, we write and talk about two-step verification (2SV), or two-factor authentication (2FA), quite a bit.

As the endless stream of stories about stolen password databases, phishing attacks, malware that collects all of our keystrokes and even credit card skimmers installed in our local ATMs or at our favourite retailers all show, the old-school method of verification by passwords just isn’t cutting it. 2SV is a more robust method of verifying identification, so the iTunes update is a welcome thing.

Mind you, Apple hasn’t always gotten 2SV as thoroughly incorporated into its products as it could have: when it first turned on 2SV, it didn’t apply to iCloud at all (hence why the celebrity photos were reasonably easy to get hold of), as Naked Security writer Chester Wisniewski went out of his way to check.

Turning on 2SV only protected certain operations on your Apple account, such as editing your account details or buying products from iTunes or the App Store from a new computer or device.

But Apple has continued to forge ahead, incorporating 2SV into more of its products, as it’s done now with iTunes.

For that, we send kudos.

Image of iTunes logo courtesy of urbanbuzz /

Leave a Reply