Apple rolls out two-factor authentication, iForgot service is back up

23 Mar 2013

Apple’s iForgot password reset page is back up and running after a security hole that allowed unauthorised resets was discovered. In recent days Apple launched two-factor authentication.

Apple joined internet giants like Dropbox, Facebook and Google in deploying two-factor authentication to keep password hackers at bay. Instead of relying on a password alone each time you want to download an app, a unique 4-digit verification code is sent to a trusted device and has to be entered before the transaction goes ahead.

However, just as Apple was rolling out the new service, a security hole was discovered that allowed unauthorised password resets on accounts still using single-step authentication. Users who had already moved to two-factor authentication were not exposed to the threat.

Apple took down its iForgot password reset page to fix the vulnerability.

According to iMore, the vulnerability enabled a hacker who had a victim’s date of birth and Apple ID to send Apple a URL that allowed them to reset the password without answering any security questions.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years