Apple’s two-factor authentication is not very thorough

Elcomsoft reported on the Norway incident in February. It was not real hacking, suggested the company, but social engineering. “What seems to be happening is teenage hackers are using their classmates’ names, dates of birth and answers to ‘secret’ questions to ‘recover’ (or, actually, reset) their iCloud passwords... and it does not take much for teenagers to guess (or know) the answer to teenage girls’ security questions.” 

A month later Apple started to roll out two-factor authentication, a process designed to mitigate the risk posed by guessed passwords, but Elcomsoft now suggests that Apple hasn’t done a very good job. Even if the optional extra security is set (and it’s not yet available throughout the world), intruders can still access users’ data. “Apple’s implementation does not apply to iCloud backups”, warned Elcomsoft yesterday, “allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.” In other words, the very methodology the Norwegian hackers used before Apple’s two-factor authentication will still work after the two-factor authentication.

“This is easy to verify,” blogged CEO Vladimir Katalov yesterday; “simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information.” Apple, for its part, does not claim complete security; it merely states that its 2FA “reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account.” Users, however, could well expect more.

“Apple's 2FA isn't nearly as broad as I believe most people expect it to be,” comments password researcher Per Thorsheim. “To me the story here is all about Apple offering a 2FA solution that doesn't really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account. People are not made aware of this at all, and it will be a false layer of security when people enable 2FA and put sensitive and secret documents into iCloud.”

Thorsheim goes further. “It’s the weakest 2FA solution launched so far by the big and well-known services. It will only add an additional layer of false security to people's minds, which may have dangerous results.” For his part, Katalov believes that Apple is trapped in its own desire to remain the ‘friendly’ system: “Apple is torn between creating a secure environment and scaring away its customers by implementing security measures that are simply too tough.”

iPhone backups to iCloud – if enabled by the user – are done automatically. Interrupting this process to demand second-factor authentication would seem not to fit in with Apple’s ease-of-use construct. But without it, the type of attack that wiped out Mat Honan’s iCloud last year remains a possibility.
