Apple IDs vulnerable even after 'two-factor authentication'

Shailesh Shrivastava

Apple was looking to its new two-factor authentication to improve the security of Apple ID and iCloud access, but it seems the Cupertino-based tech giant has to work harder to provide better protection for its users' data.

According to new research, Apple has not made its users' data stored in iCloud completely secure. Its two-factor authentication also has a loophole that can be exploited by a person who obtains a user's Apple ID and password and wants to use them with malicious intent.

In the two-factor authentication procedure, whenever a user logs into their account, a one-time password is sent to their registered Apple device to make sure that no other person gets access to the account.

However, the code is usually sent via a message using Apple's Find My iPhone service. The research found that the code is shown directly on the iPhone's lock screen, where it is visible to everyone.

The second and most important finding of the research, done by Elcomsoft's Vladimir Katalov, is that backing up an Apple device via iCloud neither supports nor requires two-factor authentication. This means that a person who has the right combination of Apple ID and password can download everything stored in iCloud onto their own Apple device.

Rubbing salt into the victim's wounds, Apple sends a mail to the authentic device stating that the particular Apple ID was used to sign in to iCloud on a particular Apple device. The mail then asks the user to change the Apple ID password if they were not involved in that sign-in.

The findings show that, despite the lengthy process of two-factor authentication, Apple devices and the data stored in the iCloud service become more vulnerable with time.

Apple has been criticized many times for taking the security of its users and their data lightly.

The research report has accused the Cupertino-based company of not doing its job properly.

"According to our research, Apple did a half-hearted job, still leaving ways for the intruder to access users' personal information bypassing the (optionally enabled) two-factor authentication," the report states.

"In its current implementation, Apple's two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple's implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user's Apple ID and password to download and access information stored in the iCloud," the report adds.

© Copyright 2020 Mobile & Apps, All rights reserved. Do not reproduce without permission.