Apple fielded a barrage of criticism and negative press following the iCloud celebrity photo hack last fall. Although the company claimed it wasn’t at fault for the debacle, Apple CEO Tim Cook vowed to broaden the company’s use of two-factor authentication and to alert users via e-mail and push notifications when someone logs into their account from a new device, restores an iCloud backup, or changes their password.
Roughly four months later, however, two-factor authentication is still missing from several of Apple’s core applications and services.
Blogger Dani Grant recently demonstrated that she was able to log into iTunes, FaceTime, the App Store and even Apple’s main website with nothing more than her AppleID and a password. At no point during the process was she prompted for a second form of verification, despite the fact that two-factor authentication was enabled on her AppleID.
As for the alerts Apple promised, only the FaceTime login generated one, which was sent via e-mail.
Grant highlights the fact that, with just a password, she could impersonate someone by sending iMessages from their account, and could see their billing address, credit card type, the last four digits of that credit card, their phone number and the app purchases they have made.
If Apple truly intends to broaden its use of two-factor authentication, it clearly has a lot of work left to do. And while I get that not everyone wants to put up with the “hassle” of added security, it seems that it should at least be an option for those who value their privacy.