09/03/2014 03:09 pm ET Updated Sep 03, 2014

Even If You Use Apple's Two-Step Verification, Your Photos Are Still At Risk


Is Apple doing enough to protect our privacy?

On Tuesday, in the wake of the well-publicized hacking of several female celebrities, the company recommended that anyone who uses Apple's iCloud service set up something called two-step verification.

But as Michael Rose at TUAW, an Apple news site, noted on Tuesday, it's not clear that enabling that security measure would have actually prevented hackers from accessing the celebs' photos.

For the uninitiated, two-step verification adds a second check beyond your password. To log in to an account with two-step verification, you first enter your password, then enter a short, freshly generated code that the service sends to a device you already control, such as your smartphone. A login therefore requires both the password and possession of one of your devices, so someone who has only obtained your password is stopped at the second step.

Security experts say that in addition to using strong, unique passwords, people should also enable two-step verification wherever they can. Google, Facebook, Twitter and Apple are among the companies that offer the additional security measure.

But the problem is that Apple's version of two-step verification isn't as protective as you might think.

Apple hasn't been specific about how the photos were obtained, but reports -- and a tweet from Kirsten Dunst, one of the affected celebrities -- suggest they were accessed through iCloud, Apple's remote storage service that backs up music, documents and photos and syncs them to devices. Apple itself has said that its iCloud and Find My iPhone systems weren't breached, but that "certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions."

But Apple only triggers two-step verification in certain instances -- when you buy a movie or app with a new device, get support for your Apple ID or try to sign in to your Apple account to change your account preferences (things like your password or address).

Missing from that list is iCloud: Apple doesn't ask for a verification code if you log in to your iCloud account to access photos, contacts and music, even if you have two-step verification enabled.

That means that someone who obtains the email address and password for your Apple ID -- something attackers routinely manage through phishing, passwords reused from other breaches or guessed security questions -- can access your backed-up photos without ever being asked for a code. I was able to download my own backed up iCloud photos to a new Mac just by entering my Apple ID and password, even though I have two-factor authentication enabled.

A notification came up on my iPhone telling me that another computer had accessed my account, but that doesn't do much if someone already has your photos.
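The gap described above comes down to which requests a service decides to gate with the second factor. The model below is an added illustration, not Apple's code or a description of its servers: it evaluates a request from a device that has never been verified under two policies, a selective one that demands the code only for purchases and account changes (the behaviour the article describes) and one that demands it for any action from an untrusted device. The action names, device IDs, the 4-digit code format and the five-minute code lifetime are all constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Actions a client can take after presenting a valid password (constructed names).
PURCHASE = "purchase"              # buy a movie or app
ACCOUNT_CHANGE = "account_change"  # change password, address, security questions
ICLOUD_DATA = "icloud_data"        # pull backed-up photos, contacts, music

# Policy A: selective step-up, as the article describes Apple's 2014 behaviour.
# Only actions that could cost money or alter the account demand the code.
SELECTIVE = frozenset({PURCHASE, ACCOUNT_CHANGE})
# Policy B: any action from a device the account has never verified demands the code.
EVERYTHING = frozenset({PURCHASE, ACCOUNT_CHANGE, ICLOUD_DATA})

CODE_TTL = 300  # seconds a pushed code stays usable (assumed value)


@dataclass
class Account:
    password: str                       # plaintext only because this is a model
    trusted_devices: set = field(default_factory=set)
    notifications: list = field(default_factory=list)
    pending_code: Optional[str] = None  # the 4-digit code "pushed" to a trusted device
    code_issued_at: float = 0.0


def issue_code(acct: Account, now: float) -> str:
    """Generate a fresh 4-digit code and record when it was sent."""
    acct.pending_code = f"{secrets.randbelow(10_000):04d}"
    acct.code_issued_at = now
    return acct.pending_code


def code_valid(acct: Account, code: str, now: float) -> bool:
    """A code is good only if one is outstanding, unexpired, and matches byte for byte."""
    if acct.pending_code is None or now - acct.code_issued_at > CODE_TTL:
        return False
    # Constant-time compare: the check should not leak which digits were right.
    return hmac.compare_digest(acct.pending_code.encode(), code.encode())


def request(acct: Account, password: str, device_id: str, action: str,
            step_up: frozenset, code: Optional[str] = None,
            now: Optional[float] = None) -> str:
    """Evaluate one request from a device. Returns 'denied', 'code_required' or 'allowed'.

    step_up is the set of actions that require the second factor when the device
    is not yet trusted. Everything else behaves the same under both policies.
    """
    now = time.time() if now is None else now
    if not hmac.compare_digest(acct.password.encode(), password.encode()):
        return "denied"
    if device_id in acct.trusted_devices:
        return "allowed"                      # already verified once with a code
    if action in step_up:
        if code is None:
            issue_code(acct, now)
            return "code_required"            # the owner's phone shows the code
        if not code_valid(acct, code, now):
            return "denied"
        acct.pending_code = None              # codes are single use
        acct.trusted_devices.add(device_id)
        return "allowed"
    # Untrusted device, ungated action: the data is handed over and the owner is
    # only told about it afterwards, which is the behaviour the article describes.
    acct.notifications.append(f"{device_id} accessed {action} without a code")
    return "allowed"


def stolen_password_outcome(step_up: frozenset) -> str:
    """What an attacker holding only the Apple ID and password gets from a new device."""
    victim = Account(password="correct horse")
    return request(victim, "correct horse", "attacker-laptop", ICLOUD_DATA, step_up, now=0.0)


if __name__ == "__main__":
    print("selective policy, new device, iCloud data:", stolen_password_outcome(SELECTIVE))
    print("step-up on every action, same request:  ", stolen_password_outcome(EVERYTHING))
```

Under the selective policy the attacker's request for iCloud data returns "allowed" and the only trace is a notification appended after the data has already gone out; under the second policy the same request stops at "code_required" until a code from the owner's device is supplied, after which the device is remembered as trusted. The point is that the second factor protects only what it gates, so binding it to the first login from a new device covers every action, while gating a list of actions covers only that list.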

Rose wrote, "It's pretty clear that Apple's doing its best to guard your wallet with this implementation -- anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate. Other than that, [two-factor authentication] doesn't get involved in guarding your privacy as far as I can tell." (TUAW, like The Huffington Post, is owned by AOL.)

Apple did not respond to a request for comment.

Unlike some other companies, Apple, at least until Tuesday, didn't seem to push two-step verification very hard.

I'm a technology reporter who takes my online security very seriously, and I didn't even know until the news of the photo hack that Apple offered two-step verification. (And yes, I enabled it yesterday.)

I recall Google encouraging me a couple of years ago to sign up for it. I also remember seeing the search giant's huge ad campaign on the New York City subway in 2012, which featured ads for two-step verification. (The ad campaign also came at the time that Google made controversial changes to its privacy policy, and also included information about how the company uses your data.)

But until Apple's statement on Tuesday, I'd never seen anything from Apple encouraging me to take this extra security measure -- no pop-ups, no notices and certainly no ad campaign.

Perhaps this is because two-factor authentication is a pain, and Apple is known for making things very easy and consumer-friendly.

"Convenience trumps security very often when it comes to various services," Satnam Narang, a security response manager at Symantec, a security software company, told HuffPost.

It's still a good idea to enable two-step verification -- if you haven't, you definitely should -- though for some reason Apple is now making people wait three days before it takes effect. Perhaps after this huge PR nightmare, Apple will extend two-step verification to more of its services, iCloud included.

"I hope recent events push Apple to expand what users can protect with two-factor authentication, such as access to iCloud from any new device," Rich Mogull, the CEO of Securosis, a security research firm, wrote in an email to HuffPost. "It is becoming an essential security option for cloud services, especially in the face of targeted attacks and the problems with passwords alone."
