The majority of Apple's internet-delivered services remain unprotected by two-factor authentication, meaning stolen passwords can be used to capture data and potentially make unauthorised purchases, a security researcher has discovered.
Last year, Apple introduced the optional two-factor challenge and response authentication security layer for its iCloud cloud storage service, after a widely publicised attack on celebrities' accounts that saw their intimate personal photographs stolen and leaked onto the web.
The protection, however, does not extend to all Apple properties. Security researcher Dani Grant this week noted that the 2FA security measure is not enforced for many popular Apple products such as iTunes and the App Store.
Despite having 2FA enabled for her account, Grant was able to log into iMessage, FaceTime, iTunes, App Store and the main Apple website with just an Apple ID and password. iTnews was able to replicate Grant's findings.
Only the FaceTime login generated an emailed alert from Apple saying that the service had been accessed, Grant reported.
After the hacks of the celebrities' accounts, Apple encouraged users to enable 2FA to protect their accounts and Apple IDs.
"Officially, Apple promises that 2FA will 'prevent anyone from accessing or using your account, even if they know your password,'" Grant said, quoting from Apple's official FAQ page.
iTnews has contacted Apple for comment on the matter.
Grant said Apple confirmed to her that while two-factor authentication is enforced for any access to iCloud, this isn't the case for other products such as iTunes.
The company was relatively late to introduce 2FA compared to its rivals. Microsoft rolled out the security measure a year earlier, and intends to integrate it into its upcoming Windows 10 operating system.