Apple introduced two-factor authentication (or two-step verification if you'd like to call it that) with iCloud back in March, adding an extra layer of security to its cloud backup system. However, security researchers say that iCloud is still vulnerable to a break-in if your password is stolen.
ElcomSoft, a company that specializes in password-cracking software, says that there are security holes in Apple’s two-factor authentication process, saying that "Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud." When you log in to your iCloud account, you’ll have "full information to everything stored there without being requested any additional logon information."
The company says that they were able to download an iCloud backup using login details without ever using two-factor authentication, and the physical iOS device that the backup came from wasn’t needed for credential purposes. Of course, this doesn't mean your iCloud data is out in the open. As long as your password is secure, no one can access your iCloud backup.
ElcomSoft also mentions another security issue, which is the fact that Apple sends verification codes directly to an iOS device’s lockscreen. This means that the verification code is exposed to whoever can turn on the display and look at the lockscreen, meaning that you don't need to unlock an iOS device in order to see the code. ElcomSoft says that the code should obviously not be displayed on the lockscreen, but rather require users to unlock the device first in order to see it.
However, two-factor authentication does prevents hackers from resetting a user's Apple ID password, but it doesn't keep hackers from copying or deleting files that are stored in iCloud. ElcomSoft thinks that Apple’s two-factor authentication "does not look like a finished product," and "it’s just not as secure as one would expect this solution to be."
VIA: Ars Technica