In March, Apple released a “two-factor authentication” login method for its Apple ID. This security tool was already used by Google, Facebook and Dropbox, and it is a basic method: it requires not only a password but also an additional piece of data, such as a sequence of numbers sent in a text message.
Users who have two-factor verification enabled are therefore required to enter both the password and a 4-digit code to verify their identity. According to Apple’s support page, users need this information whenever they sign in to My Apple ID to manage their account, make an iTunes / App Store / iBookstore purchase from a new device, or get Apple ID-related support from Apple.
However, the security software company ElcomSoft accused Apple of doing “a half-hearted job”. According to new information from ElcomSoft, Apple’s new measures seem to protect users only in a couple of situations, such as managing an Apple ID account, receiving customer support related to Apple ID, and purchasing apps and music. They do not appear to protect valuable information like photos and other files stored on the iCloud service.
Therefore, even if a user has the two-factor system enabled, hackers who figure out that user’s Apple ID and password would be able to log into the user’s iCloud account and download all of the personal information stored there.
That means that, without two-factor protection on iCloud data backups, anybody could use a compromised Apple ID account to log in and restore a device’s settings from an iCloud backup in order to download that data. A user’s iCloud data could also be downloaded onto a computer with just a simple program.
As ElcomSoft stated in a blog post, Apple’s implementation of two-factor authentication does not look like a finished product. However, the method cannot be called flawed, because it does exactly what it claims to do. The only problem is that it does not actually protect users’ personal information stored in iCloud from unauthorized access.
Although two-factor authentication does not seem to be enough, enabling it on all accounts still sounds like a great idea, as it offers protection in the situations described above.