Apple's Two Factor Authentication Doesn't Protect iCloud Backups Or Photo Streams
L33tdawg: Hate to say we told you so, but well, Vladimir Katalov did - last year at that! Take a look at his presentation slides (PDF) if you haven't already.
One of the common bits of advice you’ll see people giving around this celebrity picture hack is to enable two-factor authentication on your accounts — including Apple’s. That’s good advice, but it wouldn’t have protected any of these celebrities, and it doesn’t protect the other accounts that are compromised by hackers who are able to obtain an Apple ID email and password.
While Apple has offered two-factor authentication on accounts for some time now, there is an omission in that system that hackers are taking advantage of: iCloud backups are not protected by two-factor authentication, and can be restored to new devices with only an Apple ID and password.
Of course, that’s still a very big ‘only’. Your email and password are as much protection as almost any service on earth offers you by default — and once a hacker obtains those you’re probably in trouble in any case. The early evidence, and Apple’s statement on the matter, indicates that hackers obtained passwords through guessing security questions, social engineering, phishing or other ‘targeted’ attacks — rather than through a leak of the password data itself by Apple. Notably, iPhone backups can also be accessed using an authentication token (a file created by iTunes) which can be obtained using malware or phishing — and which does not require a password at all.