
thephantompain

macrumors newbie
Original poster
Aug 25, 2021
Hello. Just a question regarding the use of your iCloud/iPhones and its security.

These days, people do almost everything on their phones. It has your photos, your emails, iCloud backups, passwords, etc.

Assuming you've got 2FA enabled (which is a no-brainer these days), how likely is it that someone could lock you out of your iPhone/Apple devices or even take control of your Apple ID if they've got your Apple ID/iCloud address?

I guess as a second part to this, is your Apple ID only used for your iPhone/Apple devices or do you use it for other things/as a main email?

Thank you!
 
There isn't a universal answer to this. The potential for a breach of your iCloud account depends on many factors, including:
  • The types of accounts and data tied to your iCloud account and address
  • If you reuse account names and/or passwords
  • If you have taken personal information defensive measures such as setting up non-text message/non-email based 2FA as much as possible
  • How much personal information you post on social media
  • How much personal information others post about you on social media
In short, as the amount of information you make public and the number of accounts tied to your iCloud address increases, the likelier it is that your iCloud account could be successfully attacked.
 
If two factor authentication is used, a person with your Apple ID and its password can't totally take over your account or lock you out because they'll need your iPhone too to authorize the changes.
But if they found/stole your iPhone and it is unlocked and it's the two factor 2nd device - you're screwed.
 
There isn't a universal answer to this. The potential for a breach of your iCloud account depends on many factors, including:
  • The types of accounts and data tied to your iCloud account and address
  • If you reuse account names and/or passwords
  • If you have taken personal information defensive measures such as setting up non-text message/non-email based 2FA as much as possible
  • How much personal information you post on social media
  • How much personal information others post about you on social media
In short, as the amount of information you make public and the number of accounts tied to your iCloud address increases, the likelier it is that your iCloud account could be successfully attacked.

Right. And in case you want to go the extra mile in terms of security, you can just have your Apple ID/iCloud email separate to your main email, right?
 
I had an incident with my AppleID (maybe 7 or 8 years ago). I don't even remember now what the problem was. But, I changed the email address associated with my AppleID. I don't use that email account for anything else except AppleID. I don't even check that account more than about once per year. I clean out old notifications, and other junk (if there are more than a few), but I don't use it for any kind of active communication. It's my AppleID - so I treat it nice :cool:
 
Right. And in case you want to go the extra mile in terms of security, you can just have your Apple ID/iCloud email separate to your main email, right?
Yes. In fact, I have a primary iCloud account that is used for downloading software, syncing calendars, and handling non-confidential email. I also have a secondary iCloud account that is not tied to any of my devices and is used for emails I want to keep separate for security or privacy reasons. Finally, I have a third email account (non-Apple) that I use for mailing lists, people I don't know well, and websites that don't hold sensitive information about me.

Explain that - as the encryption keys in the Secure Enclave are certainly not stored on your SIM card.
Apple two factor verification can be vulnerable to SIM swapping or port outs, depending on how one's 2FA is set up. If one relies on a Trusted Phone Number or has not updated Apple 2FA since it became possible to move away from SMS (remember the confusion between 2 Step Authentication and 2 Factor Authentication?), losing control of a phone number can lead to an account takeover.
 
I had an incident with my AppleID (maybe 7 or 8 years ago). I don't even remember now what the problem was. But, I changed the email address associated with my AppleID. I don't use that email account for anything else except AppleID. I don't even check that account more than about once per year. I clean out old notifications, and other junk (if there are more than a few), but I don't use it for any kind of active communication. It's my AppleID - so I treat it nice :cool:
Thanks. I might head down that route myself. :)
 