Apple to Add Manual Authentication to iMessage

Signal has had the ability to manually authenticate another account for years. iMessage is getting it:

The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is who their device says they are. (SMS conversations lack any reliable method for verification­—sorry, green-bubble friends.) Instead of relying on Apple to verify the other person’s identity using information stored securely on Apple’s servers, you and the other party read a short verification code to each other, either in person or on a phone call. Once you’ve validated the conversation, your devices maintain a chain of trust in which neither you nor the other person has given any private encryption information to each other or Apple. If anything changes in the encryption keys each of you verified, the Messages app will notice and provide an alert or warning.

Tags: , ,

Posted on November 22, 2023 at 7:08 AM2 Comments

Comments

Fazal Majid November 22, 2023 9:39 AM

What difference does it make, when the threat model features Apple itself prominently? By acceding to the principle that the iMessage client will scan photos for CSAM prior to uploading them to iCloud, even if they later reversed that decision, Apple has forfeited any trust in their end to end encryption claims.

Yoda November 22, 2023 4:05 PM

@Fazel Majid

Was that real? Imagine they’re pressured to do something. They go public with a ridiculous plan in compliance, and predictably no one accepts it. They turn around and say, “See? We can’t do it.” (And now they offer Advanced Data Protection.)

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.