By Leo Kelion Technology desk editor
Apple has expanded its use of “two-step verification” checks to protect data stored online by its customers.
It follows suggestions third-party software had been used to steal intimate photos of celebrities – posted online last month – from iCloud.
The action should stop the tool from being able to infiltrate Apple’s internet storage service, provided the account holder has switched the safety measure on.
However, the security facility remains an opt-in choice.
One expert suggested that Apple should instead make it the default option.
The process works by introducing an extra step after an account holder has typed their username and password into a device they have not used before.
They are also required to enter a four-digit code that is either texted to a trusted mobile phone number or sent via Apple’s Find My iPhone app.
If the person does not enter the code, they are refused access to iCloud and are blocked from making an iTunes, iBooks, or App Store purchase.
They can, however, use a 14-character recovery key to regain access to the account in the event their trusted device is lost or stolen. They are told to keep this in a safe place to avoid being locked out.
While Apple had offered the two-step verification system in the past, until now it had not come into play when device owners used the firm’s back-up service.
That meant that even if people had switched on the two-step feature to prevent cyber-thieves logging into their accounts with a stolen or guessed password, the attackers could still download a complete back-up of their data by using Elcomsoft’s Phone Password Breaker.
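The flow in the paragraphs above, as an added Python model that is not Apple’s code or part of the original article: every iCloud action is gated behind a password plus a second factor (an already-trusted device, the 4-digit code, or the 14-character recovery key), and the `legacy_backup_path` flag reproduces the earlier gap in which a backup download skipped the second factor. The account structure, action names and notification text are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of the flow described in the article; not Apple's code.
# A real system stores a salted password hash; kept in the clear here for brevity.
@dataclass
class Account:
    password: str
    two_step: bool = False                       # the opt-in switch
    recovery_key: str = ""                       # 14-character fallback
    trusted_devices: set = field(default_factory=set)
    pending_code: str = ""                       # last 4-digit code sent
    notifications: list = field(default_factory=list)

ACTIONS = {"login", "purchase", "list_devices", "download_backup"}

def issue_code(acct: Account) -> str:
    """Generate the 4-digit code that would be texted or pushed to a trusted device."""
    acct.pending_code = f"{secrets.randbelow(10_000):04d}"
    return acct.pending_code

def second_factor_ok(acct: Account, device: str, code: str = "", recovery_key: str = "") -> bool:
    """True if the account has no two-step, the device is already trusted,
    the pending code matches (single use, then the device is trusted), or the recovery key matches."""
    if not acct.two_step or device in acct.trusted_devices:
        return True
    if code and acct.pending_code and hmac.compare_digest(code, acct.pending_code):
        acct.pending_code = ""                   # a code can only be used once
        acct.trusted_devices.add(device)
        return True
    if recovery_key and hmac.compare_digest(recovery_key, acct.recovery_key):
        return True
    return False

def authorize(acct: Account, action: str, device: str, password: str,
              code: str = "", recovery_key: str = "", legacy_backup_path: bool = False) -> bool:
    """Gate every action behind password + second factor. With legacy_backup_path=True the
    backup download skips the second factor, reproducing the gap the article describes."""
    assert action in ACTIONS
    if not hmac.compare_digest(password, acct.password):
        return False
    if not (action == "download_backup" and legacy_backup_path):
        if not second_factor_ok(acct, device, code, recovery_key):
            return False
    if action == "download_backup":
        # the e-mail alert Katalov mentions: sent whether or not two-step is enabled
        acct.notifications.append(f"backup download started from {device}")
    return True
```

The point to check in any such design is that `second_factor_ok` sits in front of every data path, including backup retrieval and device listing, not only the interactive login screen.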
Several hackers’ forums contain discussions about using pirated copies of Elcomsoft’s “forensic” software, which is marketed as a tool for law enforcement agencies to access iCloud content without needing to be in possession of a suspect’s iPhone or iPad.
Elcomsoft’s Moscow-based owner told the BBC earlier this month that he believed his software had been used in the recent hacks, as it was “the only one able to do that”.
He has now acknowledged that Apple’s changes guard against the technique he had used.
“I think that implementation is secure, and so there is no workaround,” Vladimir Katalov told the BBC, adding that his program could no longer even get a list of devices and back-ups linked to a user’s account.
“The other security improvement, which I like, is that now the owner of the Apple account gets a notification by email immediately when a back-up starts downloading – whether or not two-factor authentication is enabled.”
However, he added that he still had concerns about Apple’s security system.
“The recovery key is hard to remember. And as far as you are not going to use it frequently – it is not needed at all while you have the trusted device handy – there is a good chance that you lose it,” he said.
“And if you lose your device too, there will be no way to get your data back.
“Secondly, the recovery key might be stolen. And someone who managed to get your Apple ID password and your security key could make a lot of trouble for you, not just downloading your selfies.”
But another security expert downplayed the risk of lost recovery keys, and said that Apple should do more than just recommend people switch on the two-factor test.
“We’ve seen so much in recent times that single-step verification – ie passwords – is vulnerable, we’re at the stage that two-factor authentication should be the default,” said Prof Alan Woodward, from the University of Surrey.
“It’s a case of turn it on by default, and let people turn it off if they really don’t want it.
“And that applies to not just Apple, but companies like Microsoft and Google too.”
Apple has told the Wall Street Journal that it “plans to more aggressively encourage people” to turn two-factor authentication on and use stronger passwords.
“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” chief executive Tim Cook told the newspaper.
“I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”