How Apple’s iCloud authentication system fails to protect your account when using a browser

Update 4/15/19: Apple says the problem isn’t with iCloud’s two-factor system, but rather with the way the browser is treated. A representative explained that browsers are treated as separate trusted devices, so the code is sent to all other devices, including the one you’re using.

With an iCloud account and an Apple device, two-factor authentication is quite different than it is on any other device or account. As is the Apple way, 2FA on your iPhone or Mac is baked into the device you own, setting up a system that is theoretically as secure as a security key. Except when it’s not.

Here’s how it works. When you’re trying to log into your iCloud or Apple Music account on your iPhone, you’ll first be prompted to enter your password. Once that is recognized, you will then be asked to input a code that has been sent to one of your trusted devices, say an iPad. You’ll get a message on your iPad informing you that someone is trying to log into your account and asking whether you want to allow it. Then you’ll receive a six-digit code that you’ll enter into the boxes on your iPhone.

If you don’t get the code (which happens from time to time), you can request a standard SMS code or use one of the randomly generated ones in the Settings app on your iPhone or System Preferences. Just tap on your iCloud name on the iPhone or Account Details on the Mac, then Password & Security, and Get a Verification Code. A six-digit code will appear, which can then be entered into the appropriate boxes on your other device.

While it appears as though Apple has all of the 2FA bases covered, its proprietary system of trusted devices isn’t without its flaws. For one, it works best when you have more than one iOS device. Not only does it add an extra layer of protection by bringing a second device into the mix, it’s true 2FA, pairing something you know (your password) with something you have (your device).

Holes in the security system

But if you only have a single Apple device, you’re kind of out of luck, and that’s where the trouble starts. If an iPhone is your only Apple device, for example, you’ll basically be stuck using SMS. Obviously you won’t be able to get a code on another Apple device, but Apple limits trusted devices to iPhone, iPad, or iPod touch with iOS 9 and later, or a Mac with OS X El Capitan and later. That means you can’t use a PC, Chromebook, or Android phone, which is a major limitation. And since you’ll be signing into iCloud in the Settings app, you won’t be able to get a verification code using the built-in authenticator tab either.


When you need to log into your iCloud account using a browser, your 2FA code goes to the same device.

While you’re technically protecting your account and services via 2FA, it’s the least secure way. The issues with spoofing and straight-up stealing text-based codes as they arrive are well-documented. Granted, most Android users use one of those two options on their phone as well, but at least they have the option to download an authenticator with biometric authentication. Since Apple doesn’t yet support hardware security keys for iCloud, you really have no other choice but to use a second Apple device.

If the implementation of iCloud 2FA with a single Apple device is bad, however, it’s downright defective when you need to manage your account over the web. When you input your password to log into your Apple ID account page, whether or not it’s stored in the iCloud Keychain, Apple will automatically prompt you to enter a 2FA code, as it should.

However, that code goes to all of your trusted devices—including the one you’re using. If you’re using Safari on your Mac, the 2FA code will pop up on the same screen, which kind of defeats the purpose and leaves your most sensitive data vulnerable if your Mac gets stolen. That means all someone would need is the password for your Mac (since most models don’t have Touch ID) and they could get access to your entire account, assuming you have iCloud Keychain enabled on the Apple ID page.

That’s the case no matter where you log in—iPhone, Mac, PC—Apple will send your 2FA code to whomever is trying to log into your account from one of your trusted devices. Apple told me that the issue isn’t with iCloud’s two-factor system, but rather with the way the browser is treated. As a representative explained, under iCloud 2FA browsers are treated as separate trusted devices, which is why codes are sent to the same device you are using. That makes sense, but it’s still giving users a false sense of security and turns Apple’s otherwise strong 2FA system into a less-secure 1FA one.
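The factor-independence problem described above, as an added example that is not code from the article or from Apple: it compares the broadcast delivery the article reports with a hypothetical stricter policy that never shows the code on the device requesting the login. The names `Device` and `assess_login`, the device ids, and the assumption that the server can tie a browser session to its physical device are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str  # constructed identifier, not a real Apple value
    kind: str       # e.g. "mac", "iphone", "ipad"
    trusted: bool


def broadcast_recipients(devices):
    """Behaviour the article describes: every trusted device gets the code."""
    return [d for d in devices if d.trusted]


def independent_recipients(devices, requesting_id):
    """Hypothetical stricter policy: never show the code on the requester."""
    return [d for d in devices if d.trusted and d.device_id != requesting_id]


def assess_login(devices, requesting_id):
    """Compare both policies for one login attempt.

    Assumption: the server can tie the browser session to the physical
    device it runs on (the article says browsers count as separate devices).
    """
    broadcast = broadcast_recipients(devices)
    strict = independent_recipients(devices, requesting_id)
    return {
        # True when the code would appear on the machine being logged in from
        "code_on_requesting_device": any(
            d.device_id == requesting_id for d in broadcast
        ),
        "strict_recipients": [d.device_id for d in strict],
        # With no other trusted device, a different channel is required
        "needs_other_channel": not strict,
    }


# Constructed sample accounts
TWO_DEVICES = [Device("mac-1", "mac", True), Device("iphone-1", "iphone", True)]
ONE_DEVICE = [Device("mac-1", "mac", True)]

if __name__ == "__main__":
    print(assess_login(TWO_DEVICES, "mac-1"))
    print(assess_login(ONE_DEVICE, "mac-1"))
```

With a single trusted device the strict policy leaves no recipient at all, which is the single-device case the article says falls back to SMS.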


Skype adds screen sharing to its iOS and Android apps


Having spruced up its web service, Skype is turning its attention to mobile. Its latest beta feature adds screen sharing to its iOS and Android apps. It may not seem as significant as Skype’s other recent iterations, including group calls for 50 people (up from 25) and background blur in video calls, but it gives workers and friends another reason to stay locked in the app.

Microsoft imagines you’ll use it to show a colleague your PowerPoint presentation or to swipe through Tinder with a BFF. It also sets Skype apart from its biggest rivals (Messenger, WhatsApp, Snapchat) which all surprisingly lack the feature. Its absence on bigger platforms has allowed smaller apps that offer mobile screen sharing, like Squad, to fill the void.

Of course, the feature is still only available in preview for Skype Insiders (aka beta testers). And, according to The Verge, it still hasn’t gone live on the Skype for iOS beta. If Skype’s other experiments are anything to go by, screen sharing could roll out in less than a month.


The Morning After: Disney's streaming service will cost $6.99

Disney+ app running on a smart TV platform.

After much teasing, Disney has revealed all the details of its streaming service, bringing the full might of its animated movie back-catalog alongside all… those… Marvel… characters. The service is set to launch in November, and we’re already hearing about the new movies and shows that will come to the service.

It has also introduced leasing and made Autopilot standard.
Tesla’s $35,000 Model 3 is only available as a special order

Tesla has halted online sales of the $35,000 Model 3 and will only sell it by telephone or in its stores. It also made the Autopilot driver-assist features standard on all its vehicles (except the aforementioned $35K model) and increased prices accordingly. The Model 3 Standard Plus, for instance, used to cost $37,500 plus $3,000 for Autopilot, and it now starts at $39,500.
Intriguingly, Tesla has also introduced leasing. US customers can choose from 10,000, 12,000 and 15,000 mile annual-usage options. Lease customers won’t get the option to buy back their vehicles at the end of the term, with the company planning to use those older vehicles in its autonomously driven ride-hailing network.

Incredibly customizable, incredibly niche.
Alienware Area-51m review: A gaming desktop stuffed inside a laptop

Alienware’s Area 51m is a truly unique laptop. It’s portable, but it packs all the power and customizability you’d want from a gaming desktop. Still, when other modern laptops are significantly thinner, cheaper and almost as powerful, it’s a tough sell for most gamers. If anything, it’s a testament to Dell’s ingenuity. And for players who demand power above all else, it’s a solid choice.

Disney+ launches November 12th for $6.99 per month
The Netflix-fighter is coming.

After more than a year of waiting, Disney took the wraps off of its subscription streaming service Thursday night in a presentation for investors. Disney+ will launch November 12th across most mobile and connected TV platforms, ready to draw in streamers with day-one content including Captain Marvel, all 30 seasons of The Simpsons, Pixar movies, a new Star Wars live-action series called The Mandalorian and even Disney’s impressive library of animated movies.

While we saw some of the apps in action, we didn’t get much in the way of tech details beyond confirmation it supports 4K and HDR. Disney promised more than 25 original episodic series, more than ten original movies, more than 7,500 episodes of old shows, more than 100 recent titles and more than 400 archive titles, all in year one alone. Still, the biggest news is the price: It all costs $6.99 per month or $69.99 annually.

SpaceX launched its rocket after a delay due to inclement weather.
Falcon Heavy successfully completes triple-booster landing

SpaceX launched its Falcon Heavy rocket on Thursday evening, following a one-day delay due to inclement weather. The plan is for the rocket’s side boosters and central core stage to return to Earth, which will be particularly challenging. SpaceX failed on the center core part during last year’s launch. If they are successful this time, it will be the world’s first successful triple rocket landing.


The Morning After is a new daily newsletter from Engadget designed to help you fight off FOMO. Who knows what you’ll miss if you don’t Subscribe.


This robot can sort recyclable materials without even so much as a peek at them



Developed by MIT CSAIL, RoCycle is a robotic system that can automatically identify and sort recyclable materials using pressure sensors.

The robot can differentiate between paper, metal, and plastic with 85 percent accuracy just by touching them.


'The Perfect Date' delivers a rude entitled jerk version of Peter Kavinsky

Heartthrob Noah Centineo stars as Brooks Rattigan in Netflix's 'The Perfect Date.'
Image: netflix

The following is a spoiler-free review of Netflix’s The Perfect Date.

Of all the boys I’ve loved before, Brooks Rattigan isn’t one of them.

At first, Netflix’s The Perfect Date seems like a delightful companion to the rom-com hit To All The Boys I’ve Loved Before. Noah Centineo — aka internet boyfriend and TATBILB heartthrob Peter Kavinsky — stars as Brooks Rattigan, an ambitious teenager willing to do anything to go to his dream school, Yale. 

To raise money for tuition, Brooks launches an app that can help pair him up with girls in need of the perfect date. Customers fill out the app’s criteria and create a made-to-order boyfriend out of the young entrepreneur. Brooks dons costumes, tries out accents, and otherwise makes the most of this pseudo-27 Dresses format.

Of course, Brooks’s service isn’t aimed at finding true love — and it certainly isn’t sex work (a point the film felt the need to make many times over, for some reason). Rather, the purpose of the app is to make it look like Brooks is dating whomever he is out with. Ultimately, he falls for one of his customers.

Sounds a whole lot like TATBILB, right? Well, beyond the casting and fake date premise, little about The Perfect Date lives up to that other film’s charm. Instead of offering up a cautionary tale on the perils of false affection or a cute look at teen romance in 2019, The Perfect Date delivers a portrait of an insufferable, entitled jerk of a teen boy in desperate need of some serious parenting. 

It’s not Centineo’s fault that Brooks sucks so much. Brooks Rattigan (ugh, that name) is about as two-dimensional as a character can get, and no amount of Centineo charisma can save him.

Brooks likes cars, sports, money, girls, and the Ivy League. He dislikes feeling unpopular, boring, and not special. He idolizes Steve Jobs, Michael Jordan, and Elon Musk. Brooks wants to change the world, but he just doesn’t know how he’s going to do it! Imagine the most basic version of a privileged teenage boy and yeah, you’ve got Brooks.

But dull stereotypes aren’t what make Brooks such an abominable douchey character. It’s the terrible way he treats nearly everyone else in this thin story, and then gets rewarded for that behavior. 

It’s not Noah Centineo’s fault that Brooks sucks.

An example: Brooks’s relationship with his dad. Charlie Rattigan, played by Matt Walsh, is a down-on-his-luck writer, reeling from his recent divorce and a mountain of career setbacks. He’s depressed, frustrated, and deeply concerned for his son, since he’s not sure paying for Yale is a real possibility for their family. Charlie instead encourages Brooks to consider going to the University of Connecticut, a more affordable option.

Brooks doesn’t react well to that suggestion, ultimately mocking his dad’s unemployment and asserting his superiority, saying, “Look. I’m sorry, I just haven’t worked my ass off for the past three and a half years to go to a public college.” Yeah… okay, dude.

Brooks eventually evolves beyond this elitist perspective, but it doesn’t excuse the fact this condescending outburst goes largely unpunished. Later in the movie, Charlie even commends Brooks for pursuing his goals so tenaciously, entirely forgetting the horrible interaction and jokingly offering to sell one of his kidneys for Brooks’s Yale tuition. It’s a comically repulsive scene, devoid of any moral comeuppance.

“No, thanks.”

Image: netflix

Brooks isn’t the only shallow character in this exhausting story. His dueling love interests Shelby and Celia, played by Riverdale’s Camila Mendes and Laura Marano, get written into similar corners. (Celia likes combat boots and Shelby likes money… but they both like Brooks?! Gasp!)

Oh, and Brooks’s best friend, Murph (Odiseas Georgiadis)? Well, he’s the closest to a multi-dimensional character this story has, but ultimately gets relegated to an underwhelming B-plot. (Brooks’s app is taking up a lot of his time, and Murph is angry about being bailed on so much. But then Brooks apologizes and Murph is totally okay with it. The end.)

In short, The Perfect Date is far from perfect, and won’t scratch the TATBILB itch fans have been struggling with since last August. To see the real Peter Kavinsky — and not this cheap impostor — we’ll just have to wait for P.S. I Still Love You, due out next year. Bye, Brooks!
