Two-step systems aren't a panacea for all security breaches. Rather, they deter phishing, in which someone is fooled into giving up a password. The password and the second factor by themselves are both useless: gain one and the other is still required. It also helps when passwords are stolen from other sites at which people have accounts that they re-use the same credentials elsewhere: the same email and password used for multiple sites. It shifts the point of attack typically from the whole world to physical proximity, reducing exposure by means and likelihood.
Apple has consistently used the term two-step verification before, as its system didn't require that the code was sent to a device other than the one you were using. A code can be sent via SMS to any number as well as to any registered iOS device, but not any OS X device. SMS isn't precisely secure, and because of SMS forwarding with Continuity starting in Yosemite and iOS 8.1, you might log in on a computer to which an confirming token sent via SMS appears onscreen. (I wrote about this in depth in an October 2014 Private I column.)
Two-factor authentication includes the benefit of two-step verification, deterring remote-only attacks. But it also helps with ones in which someone has physical proximity to equipment or devices. To qualify as separate factors, an element like a password (something you know), a phone (something you own), or a biometric measurement (something you are) shouldn't be stored together or accessible in the same way. If someone gains access to one thing — hopefully not your fingertip! — they can't access the others, too.
On its iOS 9 preview page, Apple shows both what appears to be its new method, described above, and an iPhone screen in which a six-digit code has to be entered (also up from four digits as today). Its text description doesn't explain the new method, nor why they picked a new term. We should start learning more about this soon, but it's a good sign.
Any improvement in two-step or two-factor identity proofs that increases the number of people who enable it, the less susceptible they are to exploitation, identity theft, and worse.
Sign up for Computerworld eNewsletters.