Warning: This is geekier than most of my Smartphones for All posts. I wrote it to help me think through some chapter revisions.
The short version
Two-factor authentication is inevitable (see below for why), but by design it makes it harder for a Guide to support an Explorer’s (dependent person’s) independence through ethical identity assumption (surrogacy).
The potentially good news is that as of May 2018 Apple’s 2FA supports a “trusted browser” option for access to iCloud.com. If an Explorer’s iPhone has enabled 2FA, a Guide can use the Explorer’s iPhone to “authenticate” the browser they are using [5] to manage the Explorer’s iCloud.com data.
To authenticate a browser (really, a “browser-identity” or “user” in Chrome-speak) the Guide will need the Explorer’s iPhone at hand. In my testing I first enabled 2FA on my test device. Using Chrome on my MacBook I then switched to the Chrome User assigned to my test iPhone, accessed iCloud.com, and entered my test device (“Explorer”) credentials. The iPhone responded with a verification query and provided a passcode. Once I entered the passcode into an iCloud.com dialog I was able to “Trust this browser”.
After enabling this Trust relationship I could connect to the “Explorer” iCloud account without providing any credentials.
Behind the scenes a token (“cookie”) was stored in my local browser-managed storage area (more on that below). I believe the cookie is X-APPLE-WEBAUTH-HSA-TRUST [6]. Note that this cookie now stands in for both factors: anyone who can read that Chrome user’s storage can reach the Explorer’s iCloud data without a password, so the Guide’s computer and its login deserve the same protection as the Explorer’s credentials.
I set this cookie on 5/25/2018 and the expiration date is shown as 8/22/2018 — three months from now. So three months is likely the upper limit on how long a browser identity can be “trusted”; physical access to an Explorer device will be needed at least every 3 months to re-enable Trust.
I suspect there are other ways a browser identity can become “untrusted” but none of this seems to be documented. I’ll update this post as I experiment and learn more.
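Because a Guide may be keeping several Explorers’ browser identities trusted at once, it helps to know when each trust token lapses rather than discovering it at the login prompt. The script below is an added example, not code from the post or from Apple; it assumes the Chrome user’s cookies have been exported to a Netscape-format cookies.txt file (the format curl reads and writes, and that common cookie-export extensions produce), parses that file, and reports how many days remain on the trust cookie named in the post. The sample export is constructed: the cookie name X-APPLE-WEBAUTH-HSA-TRUST and the 8/22/2018 expiry come from the post, the token values are placeholders, and the second cookie is a made-up session cookie included to show how the parser treats a zero expiry.

```python
from datetime import datetime, timezone

# Cookie name observed in the post; everything else in this file is constructed.
TRUST_COOKIE = "X-APPLE-WEBAUTH-HSA-TRUST"

# Constructed sample export in Netscape cookies.txt format. Tab-separated fields:
# domain, include-subdomains, path, secure, expiry (Unix seconds, 0 = session), name, value.
# 1534896000 is 2018-08-22 00:00 UTC, the expiry date shown in the post.
# The values are placeholders, not real tokens; the second cookie is invented.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".icloud.com\tTRUE\t/\tTRUE\t1534896000\tX-APPLE-WEBAUTH-HSA-TRUST\tPLACEHOLDER_TRUST_TOKEN\n"
    "#HttpOnly_.icloud.com\tTRUE\t/\tTRUE\t0\tEXAMPLE-SESSION-COOKIE\tPLACEHOLDER_SESSION\n"
)


def parse_netscape_cookies(text):
    """Parse a Netscape-format cookies.txt export into a list of dicts.

    Comment lines are skipped, except the '#HttpOnly_' prefix that curl and
    browser exporters put in front of HttpOnly cookies, which is stripped.
    A zero expiry marks a session cookie and is stored as expires=None.
    """
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed cookie line: {raw!r}")
        domain, subdomains, path, secure, expiry, name, value = fields
        expiry_ts = int(expiry)
        cookies.append({
            "domain": domain,
            "include_subdomains": subdomains == "TRUE",
            "path": path,
            "secure": secure == "TRUE",
            "expires": datetime.fromtimestamp(expiry_ts, timezone.utc) if expiry_ts > 0 else None,
            "name": name,
            "value": value,
        })
    return cookies


def _as_utc(iso_timestamp):
    """Accept '2018-05-25' or a full ISO timestamp; naive values are taken as UTC."""
    dt = datetime.fromisoformat(iso_timestamp)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def trust_status(cookies, now_iso, warn_days=7, name=TRUST_COOKIE):
    """Report whether the trusted-browser cookie is present and how long it has left.

    needs_renewal is True when the cookie is missing or within warn_days of
    expiry (including already expired), i.e. when the Guide should plan on
    having the Explorer's iPhone at hand to re-trust the browser.
    """
    match = [c for c in cookies if c["name"] == name]
    if not match:
        return {"present": False, "expires": None, "days_left": None, "needs_renewal": True}
    cookie = match[0]
    if cookie["expires"] is None:  # session cookie: lapses when the browser closes
        return {"present": True, "expires": None, "days_left": None, "needs_renewal": False}
    days_left = (cookie["expires"] - _as_utc(now_iso)).days
    return {
        "present": True,
        "expires": cookie["expires"].isoformat(),
        "days_left": days_left,
        "needs_renewal": days_left <= warn_days,
    }


if __name__ == "__main__":
    jar = parse_netscape_cookies(SAMPLE_COOKIES_TXT)
    for when in ("2018-05-25", "2018-08-20"):
        print(when, trust_status(jar, when))
```

Run against a real export, the same call tells a Guide which browser identities are about to need the Explorer’s phone again; checking the file rather than the live site also avoids burning a login attempt just to find out.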
For now life is easier if you avoid 2FA for Explorers. After all, Explorers don’t need to know or type their strong password iCloud credentials, so they can’t accidentally expose them! If 2FA has been implemented you can disable it. 2FA is probably inevitable though, so it’s good to know there might be a practical way to continue identity assumption and digital life support.
Some (optional) background on how we got here, and the problems ahead…
Two-factor authentication (2FA, also known as two-factor verification), practically speaking, is the use of something besides a password to prove someone’s identity. We need it because humans are bad at creating and managing passwords [3], because even secure passwords are often harvested by malware, and because the typical secure password is impossible to tap or type reliably.
Given the failure of passwords, the alternative to 2FA has been the (not-so-secret) “Secret Question”. The Secret Question is known among security specialists as “security theater” or “Potemkin protection”. The less said about the “Secret Question” the better.
So it’s easy to see why 2FA is being aggressively promoted by Apple and Google. 2FA has problems, however. Different vendors have different standards for 2FA, and the approaches are changing quickly. For a while some used SMS messages [4], until some genius discovered that mobile numbers get reused (yes, this was obvious). Then we seemed to have a standards-based approach, but Apple never adopted it and even Google seems to be moving to a proprietary solution [1].
The differing standards have consequences. Every vendor has a different approach to 2FA recovery when a device (typically a smartphone) is lost or unavailable, or a user is disabled or dead, or a device is replaced. Not one person in a thousand can keep track of all the options (ex: one-use bypass passwords) for all their services, and fewer still can manage it for all their family devices. Just imagine the directions that need to be written for one’s estate!
These consequences are going to be felt by everyone, but there are unique issues for Guides and Explorers (vulnerable persons with cognitive disabilities). Recovery options set up for children may not be available to vulnerable adults, even for Guardians. Most of all, two-factor authentication is specifically designed to defeat identity assumption (aka identity assignation or surrogacy). So 2FA defeats the ethical identity assumption Guides use to manage an Explorer’s digital life.
Yes, Houston, we have a problem. Passwords are no longer sufficient [2], but 2FA defeats ethical identity surrogacy. In theory vendors could build in a surrogacy solution, but it’s easy to understand why they don’t want to do this. It’s a complex problem [2], though there is some hope. It’s not only the relatively powerless Explorer community that’s impacted; the children of aging adults are going to start running into the same problem with managing their parents’ digital lives. Sooner or later vendors will have to come up with solutions for this bigger population. Unfortunately that is going to take a while.
– fn –
[1] Facebook, weirdly enough, might give the standard new life. Years ago there was serious discussion about using the Post Office as part of identity management, that could have helped with a standards approach. I’m sympathetic to that idea, but it seems unlikely these days.
[2] Problems like this are part of the reason my “Smartphones for All” book is taking so long to publish. I keep running into major landscape changes.
[3] Apple’s keychain approach to password management deserves more credit than it gets. It almost works as a password manager and it’s much more likely to be used than geek-centric products like 1Password. This is one area where on-device “AI” may help.
[4] Apple, worryingly, still uses SMS during part of their authentication. They also still use Secret Questions. Given where we are in managing validation this might be a necessary compromise.
[5] Chrome’s multi-user identity switching support is essential for managing an Explorer’s digital data. Safari doesn’t have native identity switching.
[6] Chrome’s browser dev tool inspectors are amazing. Incidentally, a search for X-APPLE-WEBAUTH-HSA-TRUST turned up very few references today.