Apple's two-factor authentication leaves holes for hackers

Image caption: Apple's two-factor authentication process. (Credit: Apple)

By Devin Coldewey

If you signed up for Apple's latest security feature, known as two-factor authentication, you'd be right to feel that your online info is a bit more secure — but researchers have found that there are still some major gaps in its protection that you should be aware of.

Two-factor authentication is where a service or account requires you to put in not only your password to log in, but also a code sent to a trusted device like your phone. This prevents hackers from logging in with just stolen credentials, and if they were to try, the system would alert you that someone is trying to access your data.

Apple's approach, however, only requires the second factor in certain circumstances: When changing account details, seeking support, or when making a purchase. Those are indeed protected, but as security researchers at Elcomsoft demonstrate, your data is still at risk.

"Apple did a half-hearted job," writes Elcomsoft's Vladimir Katalov in the blog post describing the flaws, "still leaving ways for the intruder to access users' personal information bypassing the (optionally enabled) two-factor authentication."

Image caption: Your data can also be accessed by installing an iCloud backup on a new device. (Credit: Elcomsoft)

If you use an iCloud account, as many iPhone and Mac users do, the backups and documents stored there are free for the taking by anyone who has your Apple ID and password. Two-factor authentication won't protect them at all.

This is because when you log into your iCloud account, all your backups and stored documents are available for download without any further ado. If you backed up your iPhone when you plugged it in today to add a few new albums, that backup is now available to a hacker who's collected your username and password through nefarious means. They could log in, download it, and peruse your private information at their leisure, and you'd never be the wiser.

The attacker could also activate a new iPhone and simply put in your Apple ID and password, and iCloud would obligingly restore all your documents, apps, and texts to their device! This would result in Apple sending you an email after the fact, but it would be too late for your private data.
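The gap described above is a step-up authentication policy that lists some sensitive operations but not others. The following is an added illustration (not code from Apple, Elcomsoft, or the article) of how a defender can model such a policy and audit it for uncovered operations: a "partial" policy that demands the second factor only for account changes, support requests, and purchases, beside a "full" policy that also gates backup download and device restore. All action names, policy sets, and the `Session` structure are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    # Constructed set of account operations; the first three mirror the
    # circumstances the article says Apple gates with a second factor.
    CHANGE_ACCOUNT_DETAILS = "change_account_details"
    CONTACT_SUPPORT = "contact_support"
    MAKE_PURCHASE = "make_purchase"
    DOWNLOAD_BACKUP = "download_backup"
    RESTORE_TO_NEW_DEVICE = "restore_to_new_device"


# Constructed policies: the set of actions that require the second factor.
PARTIAL_POLICY = frozenset({
    Action.CHANGE_ACCOUNT_DETAILS,
    Action.CONTACT_SUPPORT,
    Action.MAKE_PURCHASE,
})
FULL_POLICY = frozenset(Action)

# Every action that exposes stored personal data; used by the audit below.
DATA_EXPOSING_ACTIONS = frozenset({
    Action.DOWNLOAD_BACKUP,
    Action.RESTORE_TO_NEW_DEVICE,
})


@dataclass
class Session:
    """Hypothetical login state: what the caller has proved so far."""
    password_verified: bool
    second_factor_verified: bool


def authorize(session: Session, action: Action, policy: frozenset) -> str:
    """Return 'deny', 'step_up_required', or 'allow' for an action.

    Stolen credentials give password_verified=True but not
    second_factor_verified, so any action missing from `policy` is
    allowed to such a session; that is exactly the gap to look for.
    """
    if not session.password_verified:
        return "deny"
    if action in policy and not session.second_factor_verified:
        return "step_up_required"
    return "allow"


def audit_gaps(policy: frozenset, sensitive: frozenset) -> list:
    """List sensitive actions a password-only session could perform.

    Runs each sensitive action against a session that has only the
    password and reports those the policy lets through.
    """
    password_only = Session(password_verified=True, second_factor_verified=False)
    return sorted(
        (a.value for a in sensitive if authorize(password_only, a, policy) == "allow")
    )


if __name__ == "__main__":
    stolen = Session(password_verified=True, second_factor_verified=False)
    for name, policy in (("partial", PARTIAL_POLICY), ("full", FULL_POLICY)):
        print(f"{name}: download_backup ->",
              authorize(stolen, Action.DOWNLOAD_BACKUP, policy))
        print(f"{name}: uncovered data-exposing actions ->",
              audit_gaps(policy, DATA_EXPOSING_ACTIONS))
```

The audit function is the useful part: run it as a unit test over every operation that can read or export stored data, and it fails the build whenever someone adds a new data path without adding it to the step-up policy.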

"Apparently," continued Katalov, "Apple is torn between creating a secure environment and scaring away its customers by implementing security measures that are simply too tough."

After all, if you had to wait for a code to arrive on your phone every single time you popped onto your account for one reason or another, you would quickly tire of the security feature and perhaps disable it. Apple chose to make it less invasive, but in doing so it appears to have left the door open for some possible security breaches.

Two-factor authentication is helpful, but it isn't a silver bullet. Strong passwords and being on the lookout for scams are your best defense against losing control of your data.

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.