Apple has offered two-factor authentication for a while, although its iCloud storage service has remained curiously unprotected. In the wake of some furor surrounding the service's security, Apple's two-factor authentication now applies to iCloud as well — if, and only if, you activate it.
Ars Technica put the new two-factor authentication through its paces. As recently as last week, anyone with an Apple username and password could access a user's iCloud storage, which backs up documents and photos from iPhones and iPads by default. Apple passwords are not terribly difficult to acquire; software like the Elcomsoft Phone Password Breaker (intended for legitimate password recovery) can usually do the trick.
After activating two-factor authentication on iCloud, the Ars Technica researchers found that they received an unspecified HTTP request error when trying to download backups with Elcomsoft. Two-factor authentication will also protect against those who try to access your iCloud account directly — if they've come across your password from a data breach, for example.
In case you've never used two-factor authentication, it's a simple idea that can thwart just about any kind of online account compromise. Instead of logging in with a simple username and password, the service in question will also send a unique code to your phone or another e-mail address. Unless a malefactor also has your phone or email login details in his or her possession, your data remains safely yours.
There's only one problem: as two-factor authentication is an optional process, most iCloud users are still unprotected. Not only does this leave their data potentially unprotected, but also opens up another potential catastrophe: If an unauthorized user activates two-factor authentication, that effectively locks the legitimate owner out of his or her account.
If you use iCloud, consider activating two-factor authentication by following the instructions on Apple's website.Alternatively, back up your data manually rather than automatically syncing it to iCloud. The process is more cumbersome, but also less prone to intrusion.