The recent disclosure of hundreds of celebrity pictures has raised a discussion about the level of security offered by the Apple iCloud storage service. To improve the security of the iCloud service, Apple’s CEO Tim Cook has announced the imminent implementation of a two-factor authentication mechanism to protect access to iCloud from a mobile device. Two-factor authentication will take effect with iOS 8.0.
Logging in to the iCloud service from iPhones and iPads will require the Apple ID and password pair, plus an authentication code sent to the device through SMS or generated at the time of sign-up.
Tim Cook highlighted the great importance Apple places on user privacy, confirming that the company will do even more to protect users’ data.
“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” Tim Cook said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”
Apple confirmed that the recent incident was caused by unknown attackers who were able to access users’ iCloud accounts by obtaining their passwords through phishing or social engineering attacks.
In reality, Apple has had 2FA available for iTunes and Apple ID accounts since 2013, but the company doesn’t apply it to the iCloud authentication mechanism.
According to Tim Cook, the two-factor authentication implemented by Apple will include the delivery of email and push notifications to users when specific operations are executed on their accounts.
Every iCloud backup restoration, every password change and every login from a new device will trigger a notification to the user. As explained by Tim Cook, the notification services will start within a couple of weeks.
Although 2FA is not a definitive solution against every kind of attack on a user’s account and its data, it represents a further obstacle for threat actors. To bypass the 2FA mechanism, the attacker would need physical access to the victim’s device, or would otherwise need to compromise it with malicious code that is able to steal the one-time password generated for the authentication process.
Apple revealed a disconcerting truth: the majority of its users don’t use two-factor authentication. For this reason, in the coming months it will encourage customers to enable it on the new version of iOS.
Experts at Apple are sure: if the celebrities had enabled two-factor authentication, the cyber criminals wouldn’t have had access to their accounts.
(Security Affairs – two-factor authentication, Tim Cook)