How to implement Apple's two-factor authentication for security on Mac, iPhone, or iPad


Comments

  • Reply 21 of 32
    edred Posts: 57 member
    blastdoor said:
    I currently use my iCloud id/password to login to my Macs. I feel like I read somewhere that you can't do that if you turn on 2FA. Is that true? What happens if you turn on 2FA when already using iCloud id to log-in to Macs?
    What version of macOS are you using?
    I used to use my iCloud password to log into my Mac with 2FA activated, but after updating to High Sierra the OS displayed a message that it was no longer allowed to use my iCloud password and requested a new one to continue.
    At first I thought it was a High Sierra requirement but reading your comment made me think that maybe it's a High Sierra + 2FA thing.
  • Reply 22 of 32
    Soli Posts: 10,035 member
    melgross said:
    The problem is that it doesn't always work properly. As shown in the article, a message box to enter the code pops up on the device you want to use for the two factor. The other day, I decided to move my iPad Pro 12.9" to two factor. I went through the first steps. After a short while, my phone popped up a notification giving me a code, telling me to type that in. But my iPad showed no window to type it. Then a while later, Apple sent another code, but still, no window to type in. So, still no two factor for my iPad.
    I've heard stories like that for years, but I can't recall ever having a problem. If you state it I don't doubt there was an issue, but I do wonder how common it is.

    Recently I've received two phishing attempts by email. They informed me that my AppleID had been used in Australia or France, and that I needed to change my password to "unlock" my account. They even gave me a link with which to do it. How nice of them.
    It looked pretty close to what you get from Apple when you add a device to iCloud.
    No one should ever click a link from an email except for some very rare instances. So rare that it's the exception, not the norm. For example, you've accessed a website via bookmark or by typing it into your browser, and you've requested a password reset when the website tells you it's sending you a link. Then, and only then, in that short window of under a minute, should you click on a hyperlink from your email for an account as verification. Frankly I'm surprised that these spammers aren't making better looking fake emails these days. That's the easiest part of the spoofing process.

    Marvin said:
    Sooner or later companies are going to have to move beyond password schemes entirely. They are the weakness that's causing the ever more complex login setups, it's just passwords upon passwords and security questions. This has already been solved with servers using encryption keys. You don't need to remember anything or type anything. You setup an encryption key pair automatically and keep the private key. Then the server can use challenge-response authentication automatically to establish the connection. The only issue to deal with is storing the private keys and syncing them between devices but this is trivial for Apple and they can be secured behind touch id and/or the secure enclave and have an API that has no read access to the keys but can only send messages to a system that decodes data.

    This eliminates the possibility of people reusing passwords or having common password schemes across different services. It is already compatible with online login systems. It eliminates the possibility of anyone stealing passwords through a security breach because there would only be public keys on the server, which can't be used to compromise anything on their own.

    In the event that someone needs to access a service where they don't have the keys on the system, like at work when logging into Facebook but don't want the keys stored there, a smartphone can authenticate the login and generate a time-limited code. This can be a 4 character code because when it's tied to the account id and the time limit, it's not going to be compromised. On Macs, they can even do handoff-style logins so you don't have to type anything, but this particular system can work cross-platform too.

    Microsoft uses it for Azure, but they can use it for everything like email, Skype etc. The big tech companies use this themselves to securely log in to things. I don't know why they don't at least experiment with it for everyday logins.
    I don't see a memorized passcode as becoming obsolete anytime soon. Using another device to authenticate means that someone else in possession of this tangible device will have potential access to your accounts. Even with the example you give that device used as a key will still have a memorized passcode as its default protection. How do we get away from that so that no passcode is ever needed, so that no passcode will ever have to be committed to memory?
  • Reply 23 of 32
    loumazz Posts: 16 member
    NEVER.
    Apple presumes you have a device always at hand to get the authentication message.
    Heaven forfend if you do not.
    Apple 2FA works great for iPhone users, because they have essentially two virtual devices
    in their hand (one the Internet device, the other the phone).
    But if you don't have an iPhone, or have your phone nearby, or can't get to the "authorizing"
    device, you are stuck.  Try reading your iCloud mail on your wife's iPad.
    Go ahead.  I dare you.
    (BTW, that's impossible even if 2FA is turned off).

  • Reply 24 of 32
    Soli Posts: 10,035 member
    loumazz said:
    NEVER.
    Apple presumes you have a device always at hand to get the authentication message.
    Heaven forfend if you do not.
    Apple 2FA works great for iPhone users, because they have essentially two virtual devices
    in their hand (one the Internet device, the other the phone).
    But if you don't have an iPhone, or have your phone nearby, or can't get to the "authorizing"
    device, you are stuck.  Try reading your iCloud mail on your wife's iPad.
    Go ahead.  I dare you.
    (BTW, that's impossible even if 2FA is turned off).

    They offer another option if you can't access your trusted devices.
  • Reply 25 of 32
    kenbo Posts: 4 member
    Last time I tried to enable 2FA was when Homekit went live and I enabled my Apple TV as the remote hub. Soon thereafter my older Apple TVs refused to take my Apple ID password so I can watch content... once I turned off 2FA they worked again, but now I can't remotely Homekit my house. Has anyone come across this?
  • Reply 26 of 32
    loumazz said:
    NEVER.
    Apple presumes you have a device always at hand to get the authentication message.
    Heaven forfend if you do not.
    Apple 2FA works great for iPhone users, because they have essentially two virtual devices
    in their hand (one the Internet device, the other the phone).
    But if you don't have an iPhone, or have your phone nearby, or can't get to the "authorizing"
    device, you are stuck.  Try reading your iCloud mail on your wife's iPad.
    Go ahead.  I dare you.
    (BTW, that's impossible even if 2FA is turned off).

    If you don't mind letting your wife read your emails, she can add your iCloud account to her iPad. Obviously, you will need her to set it up, unless you can already access her iPad Settings, then you can do it. If you add your iCloud account, it can be restricted to Mail only (leave Contacts, Calendars, and Notes turned off).

    iOS 11: Settings>Accounts & Passwords>Add Account>[choose iCloud and enter email and Apple ID or password].

    It is relatively easy to do, so you might consider adding your account, then signing out when done. (Oddly, there is an option at the bottom of the screen for all other Accounts to "Delete Account" but iCloud accounts only have a "Sign Out" option at the bottom).  I have my wife's iCloud email only account on my phone, and I just noticed this.

    (FWIW, I don't have her main email account on my phone, just her iCloud email, which she doesn't use. Having her iCloud email just helps me manage Apple related notifications for her).
  • Reply 27 of 32
    steveau Posts: 299 member
    melgross said:
    melgross said:
    The problem is that it doesn't always work properly. As shown in the article, a message box to enter the code pops up on the device you want to use for the two factor. The other day, I decided to move my iPad Pro 12.9" to two factor. I went through the first steps. After a short while, my phone popped up a notification giving me a code, telling me to type that in. But my iPad showed no window to type it. Then a while later, Apple sent another code, but still, no window to type in. So, still no two factor for my iPad.
    This is generally resolved by a hard reboot of the iPad, and in some extreme cases a restore from backup.
    Well, I tried the hard reboot, and that didn't work. A restore from back-up is something I didn't try. I'll try that later, though I made an encrypted back-up right before I tried this, so I can't see what might be different.
    I think that a hard reboot is the wrong advice. Assuming that you are trying to access iCloud on a Mac or iPad and the two factor authentication code comes through on your iPhone, but the "enter your six digit code" window does not pop up automatically, you then need to go to Settings WITHIN iCloud (not Settings on your device). I'm away from my Mac right now, but my memory is that you then go to Manage ID and then there is an option to enter 2FA, and when you click on that the missing window pops up and you can enter the code from your phone. Anyone reading this and sitting at a Mac might just confirm the last few steps please. BTW, this advice is impossible to find on the web, even Apple Support doesn't seem to know this, so anyone running a support service or blog might like to make it better known. When I was solving this for myself I remember seeing threads with nearly 1000 people hitting the "I have this problem too" button, but no proper answer.
  • Reply 28 of 32
    GeorgeBMac Posts: 11,421 member
    The added inconvenience is ok for yourself but unbearable if you manage your parents' accounts since you no longer have web access to their iCloud.
    Or, a grandparent managing their kid's iPhones, iPods & iPads...

    One way around it is: I keep an old, no-longer-used iPad logged into their ID so I can manage this as well as see what they bought with my credit card under the Family Plan...
    edited March 2018
  • Reply 29 of 32
    GeorgeBMac Posts: 11,421 member
    blastdoor said:
    The added inconvenience is ok for yourself but unbearable if you manage your parents' accounts since you no longer have web access to their iCloud.
    Good point. 

    I think I'll be staying away from 2FA for a while... it still seems half baked. 
    No, it's not "half baked".  Rather, it is designed to prevent that exact situation:  Allowing somebody to log into an iCloud account without receiving authorization from a second, personal device.

    It's not that it isn't working well - it just doesn't fit your particular situation.

    For myself, I manage things for my grandson and I keep an old, semi-functional iPad around just for these kinds of situations....
  • Reply 30 of 32
    dewme Posts: 5,368 member
    Marvin said:
    Sooner or later companies are going to have to move beyond password schemes entirely. They are the weakness that's causing the ever more complex login setups, it's just passwords upon passwords and security questions. This has already been solved with servers using encryption keys. You don't need to remember anything or type anything. You setup an encryption key pair automatically and keep the private key. Then the server can use challenge-response authentication automatically to establish the connection. The only issue to deal with is storing the private keys and syncing them between devices but this is trivial for Apple and they can be secured behind touch id and/or the secure enclave and have an API that has no read access to the keys but can only send messages to a system that decodes data.

    This eliminates the possibility of people reusing passwords or having common password schemes across different services. It is already compatible with online login systems. It eliminates the possibility of anyone stealing passwords through a security breach because there would only be public keys on the server, which can't be used to compromise anything on their own.

    In the event that someone needs to access a service where they don't have the keys on the system, like at work when logging into Facebook but don't want the keys stored there, a smartphone can authenticate the login and generate a time-limited code. This can be a 4 character code because when it's tied to the account id and the time limit, it's not going to be compromised. On Macs, they can even do handoff-style logins so you don't have to type anything, but this particular system can work cross-platform too.

    Microsoft uses it for Azure, but they can use it for everything like email, Skype etc. The big tech companies use this themselves to securely log in to things. I don't know why they don't at least experiment with it for everyday logins.
    I think one of the main reasons why the Azure style security model is not more widely used is the lack of something akin to a "universal" and fully functional public key infrastructure (PKI) that works across all possible touch points. There are many isolated silos and domains of support, like Azure, and there is some cross domain support, but scaling it up to support multiple domains without sacrificing security or breaking existing/legacy security models is a much tougher problem to solve. But it will have to be solved if newer broad initiatives like Internet of Things (IoT) and Industrie 4.0 are going to become a reality.

    Dealing with legacy concerns is a huge challenge for individual applications but the situation is much worse for systems and systems of systems. Most of the 2FA issues that AI members have identified in their comments above are related to legacy support, and this is just within Apple's isolated ecosystem/domain. I've found that Apple's 2FA model works pretty well in most cases for devices that fully support the model as intended. However, for older devices like my old iPod Touch 2G and iPod Touch 4G it is somewhat cryptic, awkward, and barely documented. For example, when I access iCloud from my old iPods and it deems that an authentication code is needed I will get an authorization request on a separate trusted device, e.g., my iPhone, but the iPod will not put up a dialog to enter the code. It will put up a dialog asking for my iCloud password. Unbeknownst to most people, in these cases the legacy support in Apple's 2FA expects that the user will type in their iCloud (or iTunes) password with the 2FA code appended to the password, e.g., "myPassword7864" where the "7864" part is the code sent to the trusted device. Will the old device give you a hint of any kind that this is the expected response? Hell no. Will you truly know that it actually works? Maybe.

    Another nagging issue with Apple's 2FA is the location identified in the prompt. I'm not certain about where the location information comes from but it's not at all uncommon for me to get a 2FA prompt, often because of a legacy device like my iPod 2G that's permanently docked in an alarm clock or the iPod 4G in the bathroom, that has the location identified that's many counties away and sometimes in a different state. When you get a 2FA request for a device in a different state of course you're going to respond with "W.T.F." usually followed by "N.F.W."  Turns out that it's really coming from the bedroom or bathroom. Go figure.  
  • Reply 31 of 32
    dewme Posts: 5,368 member
    kenbo said:
    Last time I tried to enable 2FA was when Homekit went live and I enabled my Apple TV as the remote hub. Soon thereafter my older Apple TVs refused to take my Apple ID password so I can watch content... once I turned off 2FA they worked again, but now I can't remotely Homekit my house. Has anyone come across this?
    Yes. See whether you are getting a prompt on your trusted device that indicates that another device (possibly with a bizarre location) is trying to access your account. It should give you the option of generating a 2FA key. Get the key. Next, on the old Apple TV you then have to enter your iCloud password with the 2FA key appended to the password. 
  • Reply 32 of 32
    Marvin Posts: 15,323 moderator
    Soli said:
    Marvin said:
    Sooner or later companies are going to have to move beyond password schemes entirely. They are the weakness that's causing the ever more complex login setups, it's just passwords upon passwords and security questions. This has already been solved with servers using encryption keys. You don't need to remember anything or type anything. You setup an encryption key pair automatically and keep the private key. Then the server can use challenge-response authentication automatically to establish the connection. The only issue to deal with is storing the private keys and syncing them between devices but this is trivial for Apple and they can be secured behind touch id and/or the secure enclave and have an API that has no read access to the keys but can only send messages to a system that decodes data.

    This eliminates the possibility of people reusing passwords or having common password schemes across different services. It is already compatible with online login systems. It eliminates the possibility of anyone stealing passwords through a security breach because there would only be public keys on the server, which can't be used to compromise anything on their own.

    In the event that someone needs to access a service where they don't have the keys on the system, like at work when logging into Facebook but don't want the keys stored there, a smartphone can authenticate the login and generate a time-limited code. This can be a 4 character code because when it's tied to the account id and the time limit, it's not going to be compromised. On Macs, they can even do handoff-style logins so you don't have to type anything, but this particular system can work cross-platform too.

    Microsoft uses it for Azure, but they can use it for everything like email, Skype etc. The big tech companies use this themselves to securely log in to things. I don't know why they don't at least experiment with it for everyday logins.
    I don't see a memorized passcode as becoming obsolete anytime soon. Using another device to authenticate means that someone else in possession of this tangible device will have potential access to your accounts. Even with the example you give that device used as a key will still have a memorized passcode as its default protection. How do we get away from that so that no passcode is ever needed, so that no passcode will ever have to be committed to memory?
    Having a device password is ok, it's mainly to get rid of passwords for online services. I have no less than 50 passwords for online accounts and services and there's no way of remembering all of them. A separate device isn't needed with keys, the keys are stored on the device and they are protected with passcode and/or biometrics.

    Let's say someone signs up to an account with Apple today. They choose a password and Apple stores the password on their end. Assume either this person has been subjected to a phishing compromise, someone installed a keylogger, the password was reused elsewhere that was compromised, the password was simple enough to brute-force or the password was reset using a hacked email account. The solution companies have come up with is to use 2 factor authentication meaning another device is required to login to anything.

    Using encryption keys, when someone signs up to an account, the online service just stores the public key and the device stores the private key. When an authentication is needed, the online service encrypts a random message with the account's public key. Only the owner of the private key can decrypt this. They do so and send back the message for verification. No password is required to be transmitted to the service nor stored by the service.

    This way it doesn't actually matter if the same keys are used across services because even if a service gets hacked entirely, they can only get public keys, which can't be used to login to anything. There are no passwords to think up, no passwords to type in, no need for multiple devices to authenticate. The private keys just have to be protected but that's easy enough with secure hardware like the secure enclave. They can process payments using token generation and no passcodes, pincodes, 2FA needed, the same can be done for logins. The biometric input just does authentication locally. No direct access to the local keys, just via a messaging system to the OS, which decodes/encodes the messages.

    One added difficulty is syncing the keys securely between multiple devices, but again this can be done with encryption, and authenticating a new shared device temporarily can be done with codes. Say you are at some shared device and need to check something: authenticate on the phone and get a code and use that on the device. It will expire in a set period of time and as soon as it's logged out. Using keys means no one can phish for login details, a keylogger can only get the key to decrypt messages but not access the keys, it's not possible to reuse passwords across services, no brute force possible. Resetting an account may still be possible via email, but if email used the same authentication system, they can't hack that either.

    If someone steals a device that has the keys and somehow compromises the system protecting the keys, e.g. the device passcode, then they have all the keys. But the user would know their device is gone and they'd be able to flush these using an iCloud service. Replacing dozens of passwords using keys is far simpler than thinking up new passwords.
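The sign-up and login flow Marvin sketches in Reply 32 (the service stores only the public key, encrypts a random message under it, the device decrypts and sends it back), written out as an added Go example using only the standard library; it is not code from the thread, from Apple or from Microsoft. The account name `alice`, the 32-byte random message, the one-minute time limit and the single-use rule for each challenge are my assumptions, added to show the freshness and replay checks such a scheme needs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Server side: per account it keeps only the public key plus one outstanding challenge.
type Server struct {
	pubKeys    map[string]*rsa.PublicKey
	challenges map[string]challenge
}

type challenge struct {
	plaintext []byte // the random message the device must recover
	expires   time.Time
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, challenges: map[string]challenge{}}
}

// Register is the sign-up step: a breach of this table yields nothing that logs anyone in.
func (s *Server) Register(account string, pub *rsa.PublicKey) { s.pubKeys[account] = pub }

// Challenge encrypts a fresh random message under the account's public key (OAEP label = account).
func (s *Server) Challenge(account string, ttl time.Duration) ([]byte, error) {
	pub, ok := s.pubKeys[account]
	if !ok {
		return nil, fmt.Errorf("unknown account %q", account)
	}
	nonce := make([]byte, 32) // fresh per login attempt, never reused
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, []byte(account))
	if err != nil {
		return nil, err
	}
	s.challenges[account] = challenge{nonce, time.Now().Add(ttl)}
	return ct, nil
}

// Verify consumes the challenge (no replay), enforces the time limit, compares in constant time.
func (s *Server) Verify(account string, answer []byte) bool {
	c, ok := s.challenges[account]
	delete(s.challenges, account)
	if !ok || time.Now().After(c.expires) {
		return false
	}
	return subtle.ConstantTimeCompare(c.plaintext, answer) == 1
}

// Device side: only the private-key holder can recover the message; the key never leaves it.
func Respond(priv *rsa.PrivateKey, account string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(account))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := NewServer()
	srv.Register("alice", &priv.PublicKey) // constructed account name
	ct, _ := srv.Challenge("alice", time.Minute)
	answer, _ := Respond(priv, "alice", ct)
	fmt.Println(srv.Verify("alice", answer), srv.Verify("alice", answer)) // true false (replay)
}
```

Deployed schemes such as FIDO2/WebAuthn have the device sign the challenge rather than decrypt it, but the property the post relies on is the same: the service holds only public keys, so a dump of its account table cannot be replayed as a login.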