
Microsoft & Twitter should look to Apple for how security is done, say feds

iCloud has good security

The US' top cybersecurity official commended Apple's iCloud security, and believes Twitter and Microsoft should look to Cupertino for inspiration on how to get it done.

In a speech delivered Monday at Carnegie Mellon University, Cybersecurity and Infrastructure Security Agency Director Jen Easterly mentioned Apple as a good example of accountability and transparency in security. For example, she cited Apple's statement that 95% of iCloud users have multi-factor authentication (MFA) enabled, according to CNBC.

MFA is a recommended security feature in which users need to enter a unique code sent to their Apple devices when logging in with an Apple ID under specific circumstances. For example, Apple requires turning on MFA for features and services such as Apple Pay and Sign in with Apple.

According to Easterly, Apple making MFA the default is the reason for the high adoption rate. As a result, "Apple is taking ownership for the security outcomes of their users," she said.

In comparison, Easterly said that Microsoft and Twitter had low MFA adoption rates among users. Roughly one-quarter of Microsoft's enterprise customers use MFA, while fewer than 3% of Twitter users enable it, results she said were "disappointing."

In February, Twitter even placed its SMS security authentication feature behind its paid Twitter Blue subscription — though free users can still enable MFA via an authentication app or security key, which are more secure than SMS authentication anyway.

However, Easterly still commended the two companies for their transparency in disclosing the adoption numbers.

"By providing radical transparency around MFA adoption, these organizations are helping shine a light on the necessity of security by default," she said. "More should follow their lead — in fact, every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use."

Easterly further remarked that new legislation should "prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."

Apple has more layers of security on its devices and services than just multi-factor authentication. For instance, it added end-to-end encryption to most of its services in 2022 with the release of Advanced Data Protection.

As part of ADP, users also have a new MFA option: physical security keys, which are small USB devices that plug into a computer or connect wirelessly to a device using NFC or Bluetooth. The key can then authenticate an Apple ID or other online login in place of a one-time passcode.