Is Apple’s Two-Step Security Too Weak?
In March, Apple (NASDAQ:AAPL) unveiled a two-step verification process for digital purchases and password resets to help improve the security of users’ information. However, according to the computer security company Elcomsoft, Apple’s two-step authentication process is less secure than the two-step login process used by Google (NASDAQ:GOOG) and Microsoft (NASDAQ:MSFT).
This relatively new feature is supposed to add another layer of security by requiring a 4-digit verification code every time a user logs in to the My Apple ID webpage. The additional verification passcode is then sent to a device that the user selects through Apple’s Find My Phone app.
However, Elcomsoft chief executive Vladimir Katalov outlines several inherent weaknesses in Apple’s two-step verification process on his blog. Katalov states that, “In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.”
Another security flaw that Katalov identifies in Apple’s current security system is how the verification code is displayed on the user’s trusted device. The verification code that Apple sends is openly displayed on the lock screen of the iPhone.
This means that someone who has stolen the device could easily obtain the verification code without even knowing the unlock code for the phone. Katalov notes that the only way a user can stop this is by disabling the Find My Phone service. The Moscow-based executive also notes that even Apple’s “half-hearted two-factor authentication scheme” is unavailable in Russia.
Per Thorsheim, an independent security consultant, agrees with Katalov’s conclusions. However, he notes via The Register that although Apple’s system does not securely protect users’ data, it does “protect my account with Apple from being exploited in terms of direct financial loss (unauthorised purchases, password change etc).”
Via his blog, Katalov concludes that, “Apple’s approach in implementing two-factor authorization does not look like a finished product. It’s just not as secure as one would expect this solution to be.”
F-Secure’s Sean Sullivan also concurred with Katalov’s assessment of Apple and added that, “the Google and Microsoft Authenticator apps offer a nice approach.”
Apple closed down 0.41 percent, or $1.85, at $449.73 on Friday. Here’s how Apple has traded over the past week.
Follow Nathanael on Twitter (@ArnoldEtan_WSCS)