Checklist 306: Safety Features on the Way and Features You’re Not Using

On this edition of The Checklist:

• Apple enhances data protection for high-risk users
• A big change to iCloud security
• Getting more out of your password manager

Apple and the high-risk user

Most computing platforms are built with the average user in mind. But over the past few years, it has become clear that in terms of cyber risk, not all computer users are the same. 

Journalists, activists, and people living in authoritarian regimes all face extraordinary cybersecurity threats—often from extremely well-resourced nation-state actors and the commercial spyware industry that serves them. 

To address the unique needs of high-risk people, Apple is introducing two powerful new data protection features for its platforms.

iMessage Contact Key Verification is a feature that prevents bad actors from using advanced tactics to insert themselves into end-to-end encrypted communications. It helps high-risk users “verify that they are messaging only with the people they intend.” As Apple explains the feature:

Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications. And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call.

Security Keys for Apple ID is another security feature aimed at high-risk users—and especially people who are more likely to face sophisticated attempts to breach or take over their accounts. It is essentially a beefed-up version of two-factor authentication that requires a hardware security key—arguably the gold standard in terms of 2FA implementations—to be used as one of the Apple account holder’s authentication factors.

iCloud security and privacy gets a boost

Apple also introduced a data protection feature aimed at all users: 

Advanced Data Protection for iCloud lets people protect the majority of their iCloud data with end-to-end encryption (E2EE).

At present, only highly sensitive iCloud data—think Keychain, Health, and payment data—is protected via E2EE. With Advanced Data Protection, users will be able to expand this protection to the following categories as well:

• iCloud Backups
• iCloud Drive
• Photos
• Notes
• Reminders
• Safari Bookmarks
• Siri Shortcuts
• Voice Memos
• Wallet passes

This is a significant move on Apple’s part—and may have a profound effect on the wider cybersecurity and privacy ecosystem. As Matthew Green, a professor of cryptography at Johns Hopkins, puts it:

Why is this a big deal? Because Apple sets the standard on what secure (consumer) cloud backup looks like. Even as an opt-in feature, this move will have repercussions all over the industry as competitors chase them. 

Are you really using your password manager?

If you have a password manager…well first of all, good for you! We think everyone should get a password manager. 

But even if you do have a password manager, you still might not be using it to full effect. 

The folks at ZDNET have put together a list of all the things password managers can do (in addition to managing passwords, that is). It’s worth reading in full, but if you only have time for the highlights version, here are a few less well-known benefits of password managers:

• Multi-device support: If you have a password manager, use it on everything—including in web browsers via the password manager’s browser extension. This lets you create and save new passwords on the fly, even if you’re not using your main device at the time.
• 2FA protection: Many password managers support it. Many people don’t use it. Turning on 2FA for your password manager is like getting super-security for all your passwords!

• Secure data storage: Password managers don’t just store passwords securely. They store all kinds of things securely! Use your password manager to safeguard bank information, photos of ID documents, sensitive contact details, secret notes, and more.

• Strong password generation: Humans are bad at creating good passwords—mostly because we’re truly awful at generating the kind of true randomness that makes a password strong. Password managers, on the other hand, excel at this task. If you aren’t using a password manager to create your passwords, start now!