iCloud two-factor protection – security flaw or deliberate choice?

By Pierluigi Paganini, Editor-in-Chief, CDM

Jun 06, 2013, 11:30 am EST

iCloud could not properly protect the user’s data despite the implementation of a two-factor protection.

Millions of users access to the iCloud to store their data such as photos, music and documents and Apple has tried recently to improve their security introducing in March a two factor authentication system … Do users really know the security mechanisms that protect their data?

Last week I wrote a post on benefits and limits of a two-factor authentication process, the reflections made rise serious questions on possible incorrect implementations of security mechanism.

I started remarking to be deeply opposed to the storage of my information on a system of which I know very little as it can be any Cloud architecture managed by an enterprise.


The two-factor authentication has been introduced by Apple to preserve the use of user’s Apple Id for fraudulent purchases but it seems not sufficient to protect user’s files stored in the cloud.

The discovery has been done by researchers at ElcomSoft, a Russian company specialized in the providing of forensics software for cracking passwords and system auditing, in a post recently issued.

In case an attacker is able to access to user’s account credentials despite the Apple adopted a  two-factor verification he is anyway able to access data stored in user’s iCloud account.

The ElcomSoft CEO Vladimir Katalov has written in the post:

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” “In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information.”

“In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past (see Norwegian Teenagers Hacking iCloud Accounts) and will be exploited in the future.”

“To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn’t really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account,”

Although Apple hasn’t introduced the two-factor authentication to reinforce security of data stored in the iCloud architecture the flaw has puzzled researchers because the security mechanism not protect user’s data.

The security mechanism prevents in fact attackers from resetting a user’s iCloud password,but it doesn’t impede them from accessing data stored in an account. Apple two-factor authentication allows an attacker to restore backed up iPhone or iPad data to a new device or delete them permanently.

Cloud 2

Resuming the 2FA solution added by apple doesn’t provide extra security for data, on the contrary it adds a wrong perception of security to the users which could have serious consequences.

Probably the flaw found in the Apple implementation of 2FA in not casual but it is the compromise between level of security ensured to the users and usability of the solution.

Other 2FA solutions such as the ones implemented by Microsoft or Google request customers to come up with a “second piece of an ID when attempting to access their services from a new device” to prevent anyone stealing user’s credentials.

“The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage.”

The CEO of Duo Security, a firm specialized in providing of two-factor authentication services, commented the technical choice with following statement:

“It’s a worthwhile discovery,” “It’s good for people to know and understand that their account is not 100-percent protected by this new feature that rolled out. But I don’t think it’s an unaddressable limitation, and to be fair to Apple, I don’t know if this was ever intended to protect this model.”

(Source: CDM & Security Affairs – Apple iCloud, 2FA)

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.