**Update: Apple has since patched the problem**
Users who turn on Two Factor Authentication (2FA) have the expectation that every access point to their account is protected by more than just their password, but for many of Apple’s core services, 2FA is not enforced.
Even if you have 2FA enabled, Apple will not prompt for 2FA when someone tries to log in to your account on many of their services.
Watch me log in without 2FA to iMessage:
To App Store:
And to Apple’s website:
For an account that has 2FA enabled:
And of all these login attempts, only the FaceTime login was deemed important enough to alert me with an email:
With just a password, I could impersonate someone, sending iMessage from their account.
With just a password, I could see someone’s billing address, credit card type and last 4 digits, and phone number in their iTunes settings—where, at the top of the page, it proudly displays the words Secure Connection.
I can see in the App Store what purchases someone has made, even if they’re as personal as apps for diabetic care or a depression hotline.
After a leak of celebrity iCloud photos this year, Apple CEO Tim Cook promised that:
“Apple will broaden its use of an enhanced security system known as ‘two-factor authentication,’ which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code, or a long access key given to the user when they signed up for the service.” — WSJ
It’s been four months.