Apple implemented optional two-factor authentication for Apple IDs back in March in an effort to give users tighter security over their accounts, but according to one security software company, Cupertino isn’t doing enough.
ElcomSoft noted in a recent blog post that Apple’s optional security measures do work under certain circumstances. For instance, those using two-factor authentication should still be protected from someone signing into their account to make changes, purchasing items from iTunes, the App Store or iBookstore and receiving Apple ID-related tech support.
The problem, according to ElcomSoft, is that two-factor authentication does nothing to protect a user’s iOS backups and iCloud data. That means that if a hacker managed to obtain a user’s Apple ID and password, they could log into the account and download all of the information the user has saved in the cloud, regardless of whether two-factor authentication is enabled.
If that weren’t enough, ElcomSoft discovered that verification codes sent to a trusted handset are delivered and displayed right on the user’s lock screen (assuming the “show subject field” is enabled in the Messaging settings). This means that someone with your Apple ID and password wouldn’t even need your handset’s passcode to thwart two-factor authentication.
At the end of the day, ElcomSoft said the system is just not as secure as one would expect it to be and that Apple’s two-factor authentication does not look like a finished product.