Apple took a big step forward when it expanded the scope of its two-step authentication last year, since it's now relatively hard to peek at someone's sensitive content unless you also have their device. However, this extra security measure still isn't the all-encompassing safety net you might expect it to be. Need proof? Just ask Dani Grant: she recently gave a friendly reminder that two-factor doesn't even enter the picture with a number of Apple's services. You only need an Apple ID's email address and password to get into FaceTime, iMessage, iTunes and the company's website. You'll need verification if you change account details, sign in to iCloud or try to buy an app, but that basic login is enough to see people's contact information, view their app download history or impersonate them on iMessage. You don't always get email alerts (they typically appear when signing into FaceTime, iCloud or iMessage for the first time on a new device), so it's possible for someone to misuse your account without your knowledge.
We've reached out to Apple for its response, although it's important to note that the issue isn't strictly new. If you've used two-factor authentication recently, you may have noticed how easy it was to get into some services. Also, Apple tells you just when it will kick in through a support page. However, Grant's post makes it apparent that the company still has work to do on its promise that it would "broaden" the use of two-factor in the future. Ideally, potential intruders can't do a thing when they only have your password -- Apple ID isn't there yet.