Breaking iCloud: iCloud’s two-factor authentication can be bypassed
November 15, 2013

Two-factor authentication provides a layer of protection that passwords alone simply can't offer. Login details are often easily guessed or cracked by knowledgeable attackers, so many companies are stepping up their safeguards to require device-based authentication or another secondary means of verifying an Internet user's identity.

Breaking into the iCloud
However, the process only works when it is required across all channels and has had all the kinks worked out. Otherwise, there are a number of ways to circumvent it, as security researcher Vladimir Katalov revealed at the 11th annual HITB Security Conference, as ZDNet recently reported. Katalov discussed how Apple's iCloud could be accessed by external parties. He explained that the platform's two-factor authentication could be bypassed with only a login and password. With that information, malicious attackers could then back up iCloud data remotely with the account holder none the wiser.

If the ability to copy someone's data remotely weren't problematic enough, an account holder wouldn't even be notified about the trespass. ZDNet noted that when users typically download an iCloud backup, they're sent an email about the process. With remote downloads, however, no message is ever sent. 

Privacy issues remain a concern
For data privacy advocates, the way Apple stores information may also be troubling. Although iCloud data is encrypted, Katalov also found that the keys are stored alongside the data. He also mentioned that iCloud uses Microsoft and Amazon cloud-based services to store users' files and records. Although Apple previously stated that it "does not give law enforcement access to its servers," iCloud data doesn't appear to be on the company's own servers. Due to these factors, Apple could provide someone's iCloud contents to the government and other law officials. Furthermore, location data is stored for up to 6 hours after location tracking is turned off.

While some individuals may think these issues are merely an oversight or bug, Katalov told ZDNet that he believes two-factor authentication on the iCloud was "only an afterthought," and that the apparent holes in the system are simply a feature of the iCloud. 

Because of the flaws in Apple's verification process, teenage girls in Norway had their private data stolen by a number of boys who were able to guess their IDs and passwords, ZDNet reported. The girls' photos and other sensitive content were then sold.

Should two-factor authentication be required?
Another issue that some organizations may want to consider is requiring multi-factor authentication. Naked Security highlighted another iCloud problem: two-factor authentication is optional, and it only exists in some countries. The news source suggested that it should be mandatory given how vulnerable passwords are, and more widespread across Apple services, rather than covering just iTunes, Apple ID changes and interactions with technical support. While there is some merit to the idea, the process should be implemented in such a way that people want to use the service, as they otherwise might try to get around it.

Two-factor authentication can protect people's data more securely than passwords alone, but organizations must ensure that they're using a system that actually works across all platforms and regardless of the circumstances. If the process can be bypassed by someone without access to the devices registered for the procedure, it defeats the entire purpose of the system. A more encompassing solution should also be applied, to avoid potential backdoors into sensitive records. With passwords having essentially failed as an identity safeguard, it's important that their replacement succeeds. Rather than being an afterthought, new verification methods should be carefully planned out and emphasized. Otherwise, exploits will be discovered, and not always by security experts intent on making consumers aware of the problem.
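The core point of the article is that a second factor only protects an account if every channel that can reach the data enforces it and tells the owner when it is used. The following is an added illustration, not code from the article or from Apple: a toy per-channel authorization policy with a weak configuration (one channel, here named `backup_download`, skips the second factor and sends no notification, mirroring the gap described above) beside a hardened one, plus an audit helper that lists channels where the second factor or the notification is missing. The channel names and the policy shape are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChannelPolicy:
    """What an access channel demands before it hands out account data."""
    requires_second_factor: bool
    notifies_user: bool


# Constructed, hypothetical channel names; not Apple's real configuration.
WEAK_POLICY = {
    "web_login": ChannelPolicy(requires_second_factor=True, notifies_user=True),
    "apple_id_change": ChannelPolicy(requires_second_factor=True, notifies_user=True),
    # The gap the article describes: password only, and the owner is never told.
    "backup_download": ChannelPolicy(requires_second_factor=False, notifies_user=False),
}

# Hardened configuration: every channel needs the second factor and notifies.
HARDENED_POLICY = {
    name: ChannelPolicy(requires_second_factor=True, notifies_user=True)
    for name in WEAK_POLICY
}


@dataclass(frozen=True)
class Attempt:
    """A single access attempt: which channel, and which factors succeeded."""
    channel: str
    password_ok: bool
    second_factor_ok: bool


def authorize(policy: dict, attempt: Attempt) -> tuple[bool, bool]:
    """Return (granted, user_notified) for an attempt under a policy.

    Unknown channels are denied and produce no notification, so a channel
    that was never registered in the policy cannot be used as a back door.
    """
    chan = policy.get(attempt.channel)
    if chan is None:
        return False, False
    if not attempt.password_ok:
        return False, chan.notifies_user
    if chan.requires_second_factor and not attempt.second_factor_ok:
        return False, chan.notifies_user
    return True, chan.notifies_user


def find_bypass_channels(policy: dict) -> list[str]:
    """Audit helper: channels reachable with a password alone or without notice."""
    return sorted(
        name
        for name, chan in policy.items()
        if not chan.requires_second_factor or not chan.notifies_user
    )


if __name__ == "__main__":
    stolen_password_only = Attempt("backup_download", password_ok=True, second_factor_ok=False)
    print("weak    :", authorize(WEAK_POLICY, stolen_password_only))      # (True, False)
    print("hardened:", authorize(HARDENED_POLICY, stolen_password_only))  # (False, True)
    print("weak policy gaps:", find_bypass_channels(WEAK_POLICY))         # ['backup_download']
    print("hardened gaps   :", find_bypass_channels(HARDENED_POLICY))     # []
```

The audit function is the part worth keeping in a real deployment: the bypass in the article was not a broken second factor but a channel that never asked for one, and that is a configuration-review finding rather than a cryptographic one.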