
Microsoft & Twitter should look to Apple for how security is done, says feds

The US' top cybersecurity official commended Apple's iCloud security, and believes Twitter and Microsoft should look to Cupertino for inspiration on how to get it done.

In a speech delivered Monday at Carnegie Mellon University, Cybersecurity and Infrastructure Security Agency Director Jen Easterly mentioned Apple as a good example of accountability and transparency in security. For example, she cited Apple's statement that 95% of iCloud users have multi-factor authentication (MFA) enabled, according to CNBC.

MFA is a recommended security feature: under specific circumstances, a user signing in with an Apple ID must also enter a unique code sent to their trusted Apple devices. Apple requires MFA to be turned on for certain features and services, such as Apple Pay and Sign in with Apple.

According to Easterly, Apple making MFA the default is the reason for the high adoption rate. As a result, "Apple is taking ownership for the security outcomes of their users," she said.

In comparison, Easterly said that Microsoft and Twitter had low MFA adoption rates among users. Roughly one-quarter of Microsoft's enterprise customers use MFA, while fewer than 3% of Twitter users enable it, results she said were "disappointing."

In February, Twitter even placed its SMS security authentication feature behind its paid Twitter Blue subscription — though free users can still enable MFA via an authentication app or security key, which are more secure than SMS authentication anyway.

However, Easterly still commended the two companies for their transparency in disclosing the adoption numbers.

"By providing radical transparency around MFA adoption, these organizations are helping shine a light on the necessity of security by default," she said. "More should follow their lead — in fact, every organization should demand transparency regarding the practices and controls adopted by technology providers and then demand adoption of such practices as basic criteria for acceptability before procurement or use."

Easterly further remarked that new legislation should "prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."

Apple has more layers of security on its devices and services than just multi-factor authentication. For instance, it added end-to-end encryption to most of its services in 2022 with the release of Advanced Data Protection (ADP).

And as part of ADP, users have a new MFA option with physical security keys, which are small USB devices that plug into a computer or connect wirelessly to a device using NFC or Bluetooth. The key then authenticates an Apple ID or other online login in place of a one-time passcode.



7 Comments

jpellino 18 Years · 707 comments

Recently had biz email moved to MS. I definitely understand why their 2FA is under-used.

blastdoor 15 Years · 3594 comments

She should give that speech to the FBI. 

FileMakerFeller 6 Years · 1561 comments

Are they counting FaceID/TouchID as MFA? 95% seems awfully high...

coolfactor 20 Years · 2342 comments

Are they counting FaceID/TouchID as MFA? 95% seems awfully high...

In some ways, Apple's 2FA/MFA implementation is automatic. For example, purchasing a movie on an Apple TV prompts another device connected to that same iCloud account to authorize that purchase. No setup or activation was required for that to happen. It's automatic, and a brilliant way to secure the ecosystem.

Google also achieves this with YouTube-based authorization when signing into an account on another device. The YouTube app puts up a prompt on a secondary device. Zero configuration, as Google's systems already know that a device is logged in using YouTube.