Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (i.e. your iCloud or Apple Support account etc.)? Doesn't that defeat the purpose, even if it is a "trusted device"?
So tell me, what about users who have only one Apple device, say an iPhone? Nothing else. There are lots of them apparently because they scream about this on the Apple Discussion Forums all the time. What is their ‘trusted device’?
I have a whole lot of devices; however, I only have my iPhone, watch and AirPods when I'm not home, and so do my wife and most probably the overall majority of users. Therefore sending the 2FA SMS to my other devices is not an option most of the time.
Here's something I don't understand. Why does Apple's 2FA send a login notice and code to the same device you're trying to log into something with (i.e. your iCloud or Apple Support account etc.)? Doesn't that defeat the purpose, even if it is a "trusted device"?
The trusted device is to help "prove" that they are fairly certain that the owner of the device is logging in. This is because it's an internet-facing access point, which means that someone in Russia can't simply obtain your email and password from the dark web to access your account. That means they'd also have to go through the effort to spoof your SMS (i.e., trick the carrier into thinking they're the user) so they can pretend to be your device when Apple sends a 2FA code to your phone number. Unless you're being targeted directly this is usually too much trouble.
I meant the macOS dialog that pops up with the map that says "Someone is trying to log into your account, do you want to allow them" and then provides the 6 digit code to enter in Safari. So I literally drag the modal window from covering up the 6 digit fields and type in the number. I get that it prevents someone from logging in elsewhere, but let's say someone snatched my Mac while it wasn't locked and they were then able to get into iCloud.com or anything else that uses that 2FA system. The alternative would be, send that modal to every other device on your list so I'd have to get the code from my iPhone or iPad, etc.
I see what you're getting at and I've brought this up at an Apple Store with a Genius when I've had to input the temporary code on the device that received it. They didn't really have a great answer for me, but I think it's probably a lot like getting a code to SMS (which often gives me a 2FA code to the device I'm using). Since Apple knows which devices are yours and you just inputted your password it's probably reasonably sure that you're getting that temporary code. It's not the most secure option, but it probably can't be spoofed as easily as SMS (if so, I've never heard of it), and is certainly better than having no direct access to one of your devices for entering the temporary code.
Yeah, that makes sense. And yes, others — I hadn't really considered if you only had one device as I have several, clearly. And I'm NOT talking about SMS here, I'm talking about the thing baked into the OS.