They are also required to enter a four-digit code that is either texted to a trusted mobile phone number or sent via Apple’s Find My iPhone app.<\/p>\n
If the person does not enter the code, they are refused access to iCloud and are blocked from making an iTunes, iBooks, or App Store purchase.<\/p>\n
They can, however, use a 14-character recovery key to regain access to the account in the event their trusted device is lost or stolen. They are told to keep this in a safe place to avoid being locked out.<\/p>\n
![\"Apple](\"http:\/\/news.bbcimg.co.uk\/media\/images\/77638000\/jpg\/_77638019_72e06bc1-6ef8-427f-847a-253dcbc9d441.jpg\")
Apple published this graphic to explain how to use two-factor authentication<\/div>\nWhile Apple had offered the two-step verification system in the past, until now it had not come into play when device owners used the firm’s back-up service.<\/p>\n
That meant that even if people had switched on the two-step feature to prevent cyber-thieves logging into their accounts with a stolen or guessed password, the attackers could still download a complete back-up of their data by using Elcomsoft’s Phone Password Breaker.<\/p>\n
Several hackers’ forums contain discussions about using of pirated copies of Elcomsoft’s “forensic” software, which is marketed as a tool for law enforcement agencies to access iCloud content without needing to be in possession of a suspect’s iPhone or iPad.<\/p>\n
ElmcomSoft’s Moscow-based owner told the BBC earlier this month that he believed his software had been used in the recent hacks, as it was “the only one able to do that”.<\/p>\n
![\"Elcomsoft\"](\"http:\/\/news.bbcimg.co.uk\/media\/images\/77638000\/jpg\/_77638022_c47ee5e7-ec6d-4823-88ac-6d77a65eecd7.jpg\")
Elcomsoft said its software could recover password-protected back-ups<\/div>\nHe has now acknowledged that Apple’s changes guard against the technique he had used.<\/p>\n
“I think that implementation is secure, and so there is no workaround,” Vladimir Katalov told the BBC, adding that his program could no longer even get a list of devices and back-ups linked to a user’s account.<\/p>\n
“The other security improvement, which I like, is that now the owner of the Apple account gets a notification by email immediately when a back-up starts downloading – whether or not two-factor authentication is enabled.”<\/p>\n
However, he added that he still had concerns about Apple’s security system.<\/p>\n
“The recovery key is hard to remember. And as far as you are not going to use it frequently – it is not needed at all while you have the trusted device handy – there is a good chance that you lose it,” he said.<\/p>\n
“And if you lose your device too, there will be no way to get your data back.<\/p>\n
“Secondly, the recovery key might be stolen. And someone who managed to get your Apple ID password and your security key could make a lot of trouble for you, not just downloading your selfies.”<\/p>\n
But another security expert downplayed the risk of lost recovery keys, and said that Apple should do more than just recommend people switch on the two-factor test.<\/p>\n
“We’ve seen so much in recent times that single-step verification – ie passwords – is vulnerable, we’re at the stage that two-factor authentication should be the default,” said Prof Alan Woodward, from the University of Surrey.<\/p>\n
“It’s a case of turn it on by default, and let people turn it off if they really don’t want it.<\/p>\n
“And that applies to not just Apple, but companies like Microsoft and Google too.”<\/p>\n