
Elcomsoft Details Gaps in Apple’s Two-Factor Authentication Approach

When Apple added optional two-factor authentication for Apple IDs recently, many applauded the move (as we did in “Apple Implements Two-Factor Authentication for Apple IDs,” 21 March 2013). Requiring both a static password and a temporary code for logins from new devices reduces the chance of an undesirable party — online criminal, spurned lover, or repressive government — gaining access to your account. Two-factor authentication doesn’t eliminate the possibility of an account being compromised, but it sets the bar significantly higher.

Alas, Apple’s two-factor authentication isn’t as helpful as it might be. Elcomsoft, a Russian firm that makes password-cracking software intended primarily for investigators and security testers, posted a blog entry that explains a number of gaps in Apple’s system. Apple seems to have designed the two-factor system in reaction to documented cases of account hijacking, and while it addresses weaknesses that allowed those attacks, it’s not yet comprehensive.

For starters, if an attacker has acquired your Apple ID account name and password, that’s sufficient, according to Elcomsoft’s Vladimir Katalov, to gather a fair amount of your data, even if you turned on two-factor authentication. For instance:

  • The attacker can log in to and access any of your information available via the Web site.

  • iCloud-based backups from an iOS device can be retrieved using a variety of forensics and other cracking packages, such as one sold by Elcomsoft. These backups aren’t encrypted, instead relying on user authentication for protection.

  • An iCloud backup can be restored to a fresh or reset iOS device. (Apple sends email notification of the restore. However, if the attacker has access to a restored device and your Apple ID password, he can delete the message from your iCloud email account.)

Katalov also points out that the authentication code for two-factor access, sent via Find My iPhone, appears even on lock screens. Someone who obtains your password and can arrange to either get or view your device without you around can thus obtain the second factor as well. This seems like an obvious flaw, but Apple and other mobile OS developers show regular SMS text messages on the lock screen as well, unless you disable that setting. Twitter and others use SMS to send the verification code, so Apple isn’t alone here.

(The alternative to SMS or Find My iPhone is an authentication app, like Google Authenticator or Duo Security’s Duo Mobile, which requires that a device be unlocked before the code can be viewed. Apple should consider adding this method as an alternative; it relies on public algorithms for code generation, even though it cedes an aspect of security to third-party apps.)

But the other gaps should be plugged. Apple started with low-hanging fruit, including all the ways in which we purchase digital and physical stuff that the company sells, as well as access to our Apple ID account settings. should be upgraded to require a verification code, too, and it’s a little baffling why Apple didn’t make such a change alongside the Apple ID site update. (The reason likely has to do with the significant amount of cruft in Apple’s back-end systems. The Apple ID system must be running some code that’s at least a decade old, based on how it works — the string “WebObjects” in the system’s URIs (Uniform Resource Identifiers) reveals the dealt hand of the past — and its limitations.)

The next steps are harder because they involve either changing client software or the use of application-specific passwords. Google offers such passwords with its two-factor system. For email, calendar sync, and other client-based access, you go to Security settings to generate a unique password for a single service or app. As soon as you use it, it’s hidden and can’t be retrieved again, although you can revoke it if necessary. (At Google’s account page, log in and click Security in the left-hand navigation bar. Next to 2-step Verification — assuming you have it on — click Settings. Finally, click Manage Application-Specific Passwords.)
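The application-specific password scheme described above has a simple server-side shape: generate a random password, show it to the user exactly once, keep only a salted hash, and let the user revoke it later. The following Python is an added illustration of that shape, not code from Google, Apple, or the article; the class `AppPasswordStore`, its method names, the 16-letter format and the PBKDF2 round count are all assumptions made for the example. Because the mail or calendar client presents only the password (together with the account name), every active entry for the account is checked.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PBKDF2_ROUNDS = 50_000  # assumption for the demo; a production system tunes this upward


@dataclass
class _Entry:
    salt: bytes
    digest: bytes
    revoked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    # Only this digest is stored; the plaintext cannot be recovered from it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, PBKDF2_ROUNDS)


class AppPasswordStore:
    """Hypothetical per-account store of application-specific passwords.

    issue() returns the plaintext exactly once; afterwards the service can only
    verify or revoke the password, never display it again.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, _Entry] = {}  # label (e.g. "Mail on laptop") -> entry

    def issue(self, label: str) -> str:
        # 16 random lowercase letters: about 75 bits of entropy from a CSPRNG.
        raw = "".join(secrets.choice(ALPHABET) for _ in range(16))
        salt = os.urandom(16)
        self._entries[label] = _Entry(salt, _derive(raw, salt))
        # Shown grouped in fours for readability; verify() ignores the spaces.
        return " ".join(raw[i:i + 4] for i in range(0, 16, 4))

    def verify(self, candidate: str) -> Optional[str]:
        """Return the label of the matching active password, or None.

        The client sends only the password, so each active entry is tried.
        The digest comparison is constant-time.
        """
        normalized = candidate.replace(" ", "").lower()
        for label, entry in self._entries.items():
            if entry.revoked:
                continue
            if hmac.compare_digest(_derive(normalized, entry.salt), entry.digest):
                return label
        return None

    def revoke(self, label: str) -> bool:
        """Revoke one password, e.g. when the device that used it is lost."""
        entry = self._entries.get(label)
        if entry is None or entry.revoked:
            return False
        entry.revoked = True
        return True

    def active_labels(self) -> List[str]:
        return [label for label, entry in self._entries.items() if not entry.revoked]


if __name__ == "__main__":
    store = AppPasswordStore()
    shown_once = store.issue("Mail on laptop")
    print("give this to the client, it will not be shown again:", shown_once)
    print("verify ->", store.verify(shown_once))
    store.revoke("Mail on laptop")
    print("after revoke ->", store.verify(shown_once))
```

Each application-specific password is a full credential for the client protocols it covers and is not subject to the second factor, which is why the store keeps a label per password: when a laptop or phone goes missing, the user revokes that one entry without touching the main password or the other clients.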

This sort of complexity is anathema to Apple, which wants everything to be explained easily to regular users in a couple of steps. Thus, Apple should develop a better approach to make this work more effectively. Perhaps the company needs to release something like an Apple Two-Step app for Mac OS X and iOS, which would be an Apple ID-specific way to generate (and copy to the system clipboard) a second-factor code or application-specific password.

Google is requiring third-party clients to move to OAuth logins, in which the login essentially occurs on Google’s servers via a pop-up window. You should be familiar with this from Twitter and Facebook “logins” at other sites. The Google Calendar-savvy BusyCal has already been updated to use OAuth, which allows two-factor logins, in its latest release.

Apple has suffered enough security stumbles in the last few years that it shouldn’t lag in this regard. The company has been behind the curve many times in ways that damage customers’ identities, online integrity, and safety. Apple needs to use its engineering prowess to solve this problem and solve it quickly. Google already has for its users.



Comments about Elcomsoft Details Gaps in Apple’s Two-Factor Authentication Approach

Ian Eiloart  2013-05-31 02:58
"…relies on public algorithms for code generation, even though it cedes an aspect of security to third-party apps…"

"How", one might ask? Well, the app generates a code based on the current time, and a secret shared between the app and (in this hypothetical case) Apple. If the App shared that secret and the user ID with, say, the App authors, then you'd be stuffed. But, the App doesn't necessarily have the user ID. Unfortunately, any app on an iPhone probably does have access to your Apple ID. So, Apple are in a unique position here. Perhaps they need to write their own Authenticator app.
Matt Leidholm  2013-05-31 06:36
You mention that the temporary authentication code "appears even on lock screens", but if the user has a PIN set up on his/her phone, the lock screen notification merely says "Unlock to view your verification code."
David S.  2013-06-01 16:17
No system can protect you if you allow your password to be known to others and/or allow the device that receives the one-time code to be accessed by others. It's always the responsibility of the user to keep their credentials confidential no matter what system is being used. (You'd better keep the emergency password recovery key Apple issues as part of 2FA somewhere secure that no one else can get at, too; if the bad guys get their hands on that, you are totally hosed.)

The only system with no security gaps is one no one can access. With Apple's 2FA system there are certainly still gaps, but whether you can legitimately call them "enormous" is debatable, and there are certainly fewer of them than before 2FA was introduced. Hopefully over time there will be fewer still, but their number will never be zero.