Apple has announced that the two-step verification option for iCloud accounts now also extends to iCloud backups, preventing attackers who know the target’s password from installing the target’s backup on a new device and thus from accessing the information contained in it.
The move was announced via an email sent on Tuesday to all users who are already using two-step verification to protect their Apple ID. The recipients were pointed towards the Two-Step Verification FAQ page for additional information.
If the two-step verification feature has been enabled, the second verification factor – the 4-digit verification code sent to the user’s phone – has to be entered when signing in to My Apple ID or to iCloud; when making an iTunes, iBooks, or App Store purchase from a new device; and when getting Apple ID related support from Apple.
The change was spurred by the recent leak of nude photos of celebrities, the theft of which was initially blamed on an iCloud hack.
A few days later, Apple stated that iCloud had not been hacked, and it now seems likely that the leaked photos were stolen by attackers who guessed or brute-forced the victims’ Apple account passwords, or who social-engineered or tricked the victims into revealing the passwords.
At the time, Apple advised users to use strong passwords and to enable two-step verification, but security researchers noted that two-step verification didn’t protect iCloud.
Ars Technica has checked whether the change has been implemented correctly, and it has.
Unfortunately, specific password-breaking tools can still be used to access accounts that haven’t been additionally protected with two-step verification, which is a good reason to turn it on – if you can.
Two-step verification is available in 59 countries at the moment (check out the Two-Step Verification FAQ page for the list).