Attackers can bypass Apple's two-factor authentication to download and restore a victim's iPhone and iPad backups, a security firm has revealed.
The Cupertino company deployed two-factor authentication for Apple identities in March, requiring a second form of verification for account management and iTunes or App Store purchases.
But it did not extend the security across its iCloud service, meaning an attacker with a target's username and password in hand could still download and restore an iOS backup.
“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new device,” Elcomsoft chief executive Vladimir Katalov said in a blog post.
“... Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.
“In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view.”
Apple Australia did not immediately return a request for comment regarding whether the authentication would be extended across iCloud.
Two-factor authentication is not infallible: one-time codes can be intercepted through phone-number porting or stolen by trojans.
But the additional protection of Apple's second layer, if it were extended across iCloud, would help prevent the type of social engineering attack in which Apple devices owned by Wired writer Mat Honan were remotely wiped after his iCloud account was compromised.