Having imac & iphone with same apple ID



digital
07-11-2016, 12:30 AM
I am a very long-term Windows user and got my imac 1 year ago and have only used it for email, general web, Word & Excel. (I use it a lot, but for very standard things. I have a laptop too so even less is done on the imac) I haven't even used itunes yet - no need.

I was given an iphone 5 last week, and although I've set it up with the same apple ID, I'm worried about the connection - having multiple devices with the same ID.

If something happens to my iphone I don't want anybody to have access to the content of my imac because we're using the same ID. Know what I mean?

What can happen?

What does it mean to share an ID across multiple devices?

What are the risks?

Is there anywhere that I can read up about it?

Thanks VERY much everyone! :)

chscag
07-11-2016, 12:47 AM
I have two iPhones, 1 iPad, and 1 iMac all using the same Apple ID. Why would you think that because you're using the same Apple ID on all your devices that someone could have access to any of your devices if one were lost?

1. Make sure that you have a password lock on your iPhone and have activated "Find My iPhone".

2. Set a password for log on to your iMac and also your portable computer. If your portable computer is likewise a Mac you can set that up with "Find My Mac". You can read up on "Find My iPhone" and "Find My Mac" on the Apple KB website and that should give you a pretty good understanding of the protection it provides.

Bottom line... just because someone may gain access to your iPhone does not mean they can access your iMac unless you're extremely careless and allow it by not using the protections that Apple has built in.

Ember1205
07-11-2016, 01:49 AM
The use of the same ID across multiple devices that you own is encouraged because it opens up things like "Find My iPhone" and the ability to access your messages across all devices easily. Yes, there are certain aspects of security to be considerate of, but not necessarily -to be concerned about-.

Use a longer passcode on the iPhone (not the 4-digit PIN), require the passcode "immediately" after screen lock, and set a short timeout for the screen to auto-lock. If you're really "paranoid", you can enable the Erase feature that will wipe the phone after ten failed attempts at the passcode.

I use a common ID with my MacBook Air, iMac, iPad Pro 12.9", and two iPhones. Tremendous flexibility for me, and I don't give security a second thought. I use strong passwords on all of my devices AND fingerprint security on the phones (the iPhone 5 does not support this, the 5S and newer phones do).

IWT
07-11-2016, 05:40 AM
@digital

+1 to all of the above. I have 2 iMacs, 2 iPhones and 2 iPads — all using the same Apple ID.

Ian

digital
07-12-2016, 07:12 AM
Thanks everyone for the quick replies .... really appreciated :) :)


Why would you think that because you're using the same Apple ID on all your devices that someone could have access to any of your devices if one were lost?

I thought that if they were able to log in remotely with my username & password, they'd find it easy to hack into the contents of my imac hard drive. Nothing fancy for a stranger, but still something that I wouldn't want happening. Couldn't this happen? Although I have the imac password protected each time I turn on the imac. I always thought this was useless, but I've kept doing it until I could get around to researching if it was really necessary. (After all, I'd had Windows (at home) for almost 20 years and never logged in to use my own computer etc)



1. Make sure that you have a password lock on your iPhone and have activated "Find My iPhone".

2. Set a password for log on to your iMac and also your portable computer. (snip) You can read up on "Find My iPhone" and "Find My Mac" on the Apple KB website and that should give you a pretty good understanding of the protection it provides.



Use a longer passcode on the iPhone (not the 4-digit PIN), require the passcode "immediately" after screen lock, and set a short timeout for the screen to auto-lock.

Thanks to both of you for the tip about the password etc. I know quite a lot of people with iphones and I've never seen them punch in passwords, but then maybe it hasn't timed out when I've seen them......

I've actually taken off the passWORD and put the passcode .... to make it easier for ME, but what I'll do is put it back on passWORD, and have it need the password only in certain situations. Since I'm almost exclusively at home at the moment, I don't want to be typing in a password each time I use it *** What do you guys recommend as when I should have to activate the password while I'm at home and no risk in the iphone being stolen etc?

And "Find My iPhone" - I wanted to have this but I've disabled the location tracker feature because I didn't want people to know where I am at all times of the day .... if you know what I mean. But I think I read that you can still have "Find My iPhone" even if you don't have location set on your phone. Is this right? And what is the Apple KB website (Google wasn't helpful .... the 'best' place it gave me was https://support.apple.com/ )


Security-wise, what 'bad' things happen to iphones? Virus & malware from opening up dubious websites, images or emails .... but can anything go wrong using the imessage or text messages themselves, without following any links? I won't be surfing much, if at all.

Thanks VERY much everyone .... :)

Ember1205
07-12-2016, 08:28 AM
There are a few different security options on the iPhone - 4 digit passCODE, 6 digit passCODE, passWORD, and Touch ID (iPhone 5S and newer, uses your fingerprint to unlock the phone). Those are the ones I remember, anyhow. :)

I have a 6 digit passCODE on my phone and I have configured Touch ID as well. I very seldom actually enter the passcode and I have my phone set to require the passcode IMMEDIATELY on screen lock (with the timeout set to 60 seconds). I have developed the habit of force-locking the screen (with the lock button) every time I'm done using the phone, so it's always locked. With the 6S/6S Plus phones, the fingerprint reader is VERY fast and the phone unlocks basically just by pressing the Home Button. The previous phones required that you held your finger there for a half second or so to get it to read.

Find My iPhone requires access to the Location of the phone so that the geo location of your device can always be uploaded to Apple and stored in your iCloud account. In the event that you ever misplace or lose the device, or if it's stolen, the location will be updated in near real-time and you can locate it by logging in to icloud.com and clicking the Find My iPhone app. This information is available to YOU (meaning your iCloud account) and no one else (small exception for children that are part of a Family Share plan - parents can track their kids) unless you are using your iCloud account on another device that someone else has access to.

In the time I've owned iPhones (about four years?), I've never encountered an issue or known anyone that has that was related to malware, viruses, or the like. The only issue I am aware of off the top of my head is when there was a specific text message that you could receive that would cause your phone to power off. The next closest thing was a bug in the iOS that would "brick" the phone if you set the date back before 1/1/70 (or something like that). Both have been fixed. Don't do odd things with your phone and you shouldn't have an issue. :)

digital
07-19-2016, 07:42 AM
Thanks Ember1205 for the great reply ..... I changed the password to 6 digits .... I've delayed replying because I was trying to think of any other related questions (also because had to reset the phone after an issue)

I'm just reluctant to use my Apple ID for everything, especially itunes .... I've spent the last 20 years filling out forms with hotmail addresses, thereby avoiding using my private provider address etc. I've read of people being sorry that they used certain email addresses for their apple IDs etc. Plus I've seen people's Apple ID's being displayed online too ..... eg. if someone's ID is Ember1205@aol.com it displayed the ID as Ember1205@a......com or something similar (if I remember correctly ..... it was over a year ago that I had to go through all of this ....)

Anyway, thanks again for the help .... much appreciated :)

And if anybody has got any comments on the above, please share them ..... I'd be really grateful :)

digital
07-19-2016, 07:58 AM
eg. the thread on this page is an example of a potential problem. I'll be texting a lot of different people, not all of whom are friends ....

https://www.reddit.com/r/applehelp/comments/3m8bmt/q_keeping_my_appleid_email_completely_private/

Ember1205
07-19-2016, 10:34 PM
Your Apple ID does not have to be one of the options for iMessage or FaceTime, and your iTunes and iCloud account names do not have to be the same either (mine are not). The iCloud account that would be used for cloud-based services (iMessage, FaceTime, iCloud mail, Find my iPhone, etc.) can be completely different from everything else and never shown to anyone (presuming you never send them an email from your iCloud.com address).

chscag
07-19-2016, 11:28 PM
You know... that's kind of like you never want to write a check to anyone because it has your bank's name on the check, your signature, and your account number. I believe we are all getting a bit paranoid nowadays with identity theft and protecting ourselves from all these demons. Identity Theft protection is inexpensive and probably something everyone should have.

Rod Sprague
07-20-2016, 02:17 AM
chscag, I take it you are referring to software when you said, "Identity Theft protection is inexpensive and probably something everyone should have." Something like Life Lock or Identity Guard?

chscag
07-20-2016, 02:49 AM
chscag, I take it you are referring to software when you said, "Identity Theft protection is inexpensive and probably something everyone should have." Something like Life Lock or Identity Guard?

Yes. For less than $100.00/year in the US you can buy identity theft protection. Life Lock is more expensive because they give more protection, but in my opinion it's worth it. I have had my personal credit card and business credit card compromised a number of times. That's not necessarily identity theft, but it's scary none the less.

digital
07-20-2016, 06:01 AM
Thanks VERY much ......


Your Apple ID does not have to be one of the options for iMessage or FaceTime, and your iTunes and iCloud account names do not have to be the same either (mine are not). The iCloud account that would be used for cloud-based services (iMessage, FaceTime, iCloud mail, Find my iPhone, etc.) can be completely different from everything else and never shown to anyone

Are there any disadvantages to having and using an icloud ID? (there are advantages, but any DISadvantages?)

Of course some apps should have the same ID as other apps (eg. imessage, facetime) Are there any apps that should be paired up using the same ID as other ones? Or ones that should have the appleID (rather than the icloud) as the ID?

Regarding the iphone ...... you said that on your iMac you use your icloud account for imessage, Facetime, maybe itunes ..... but CAN you have 2 IDs on an iphone? ie. a general appleID for the phone, and then different IDs for apps? I t-h-i-n-k I read that you can't have different ones on iphones? (but I wouldn't be surprised if I'm wrong ...) I'm just asking so that I can be the same user on the iphone as the iMac for some, if not all apps ...... imessage, itunes, Facetime, findmyiphone .....

And as a way of describing it overall ....

The iMac itself has an identifying appleID (eg. so when you're booking in for service etc they know what type of imac it is) but when you go and use individual apps, they can use a different, separate ID - the icloud ID. So some apps may use icloud ID and some may use the appleID (is this correct? or are there other IDs that can be used?)


(presuming you never send them an email from your iCloud.com address).

Is there a reason that you'd have to send them an email from the icloud address?
If you privatise the settings, they shouldn't see any email address. But the link above that I posted from reddit implies that for someone the settings got changed back to the default ones, and that actually exposed their email address. I wonder if this is still a problem with icloud ...


Plus after you've set up all apps with their IDs, I get the impression that it's near impossible to change the IDs associated with each app ... is this right?


Hope you can understand what I'm asking ..... sorry if they are really lame questions, but I just want to get a better understanding of it all. And from what I have heard, a LOT of people don't know all of this about their iphones (so I shouldn't feel so silly asking it all!!)

digital
07-20-2016, 06:56 AM
I have had my personal credit card and business credit card compromised a number of times. That's not necessarily identity theft, but it's scary none the less.

If you don't mind me asking - how were they able to get to both your personal and business credit card numbers?


PLUS About getting into my imac ..... it's not just identity theft but also invasion of privacy and blackmail et al that I don't like. It's far more far-reaching .....

Ember1205
07-20-2016, 10:00 AM
Thanks VERY much ......



Are there any disadvantages to having and using an icloud ID? (there are advantages, but any DISadvantages?)

Of course some apps should have the same ID as other apps (eg. imessage, facetime) Are there any apps that should be paired up using the same ID as other ones? Or ones that should have the appleID (rather than the icloud) as the ID?

Regarding the iphone ...... you said that on your iMac you use your icloud account for imessage, Facetime, maybe itunes ..... but CAN you have 2 IDs on an iphone? ie. a general appleID for the phone, and then different IDs for apps? I t-h-i-n-k I read that you can't have different ones on iphones? (but I wouldn't be surprised if I'm wrong ...) I'm just asking so that I can be the same user on the iphone as the iMac for some, if not all apps ...... imessage, itunes, Facetime, findmyiphone .....

And as a way of describing it overall ....

The iMac itself has an identifying appleID (eg. so when you're booking in for service etc they know what type of imac it is) but when you go and use individual apps, they can use a different, separate ID - the icloud ID. So some apps may use icloud ID and some may use the appleID (is this correct? or are there other IDs that can be used?)



Is there a reason that you'd have to send them an email from the icloud address?
If you privatise the settings, they shouldn't see any email address. But the link above that I posted from reddit implies that for someone the settings got changed back to the default ones, and that actually exposed their email address. I wonder if this is still a problem with icloud ...


Plus after you've set up all apps with their IDs, I get the impression that it's near impossible to change the IDs associated with each app ... is this right?


Hope you can understand what I'm asking ..... sorry if they are really lame questions, but I just want to get a better understanding of it all. And from what I have heard, a LOT of people don't know all of this about their iphones (so I shouldn't feel so silly asking it all!!)

To a certain extent, you're overthinking some of this. Having an iCloud account creates an @icloud.com address by default. If you don't want people to have that address, don't give it to them! That includes never sending them an email from that account. I have one, but I never use it for sending messages - only receiving as it allows instant notice on the iPhone via Push Notification where the Gmail accounts are polled accounts only. So, important messages have a rule in Gmail to forward them to my @icloud so I know about them right away.

iMessage, FaceTime, Photo Stream, and Find my iPhone all use your iCloud account - no exceptions. I've never tried it, but I suppose it might be possible to use DIFFERENT iCloud accounts for iMessage, FaceTime, and "the rest".

chscag
07-20-2016, 07:28 PM
If you don't mind me asking - how were they able to get to both your personal and business credit card numbers?

I asked that same question to the security person at my bank (Wells Fargo) where we have both our accounts. He said that it's common nowadays for thieves to use a credit card duplicator that spits out random numbers until one hits the jackpot. My business account was used by some thugs in Ireland to go on a buying spree. The charges were refused by Wells Fargo and reclaimed to the local bank in Ireland. But it was a real pain as we had to wait until new cards were issued and the account cleared.

Our personal credit card was compromised and used by some Wal-Mart employees in New York (I live in Texas). I'm sure an employee at a local Wal-Mart where we do business here in Texas was in on the credit card theft scheme. Again, a real pain to get our account cleared and new cards issued. I mention both of these incidents but there were others also. All my credit cards now have a chip embedded but I'm not sure that's protection enough.

We were fortunate in that we did not lose money out of either account as our bank restored the credit charges. But I know of people who were not so lucky. I advise everyone to keep a close eye on all your accounts and let your bank know immediately if you discover something out of the ordinary.

Ember1205
07-20-2016, 09:44 PM
I have a couple of cards with Chase. One of the things I like is that I can set charge thresholds and types of charges where it emails me when the charge is made. Makes it pretty easy to track usage.

I don't understand the combination of "a real pain to get our account cleared and new cards issued" and "I'm still their customer." No way would I -EVER- tolerate being jerked around over fraudulent charges, and the ONE time something was just a little quirky with one of my Chase cards, they locked it down, shut it off, and overnighted me new cards with NO questions asked. You know that "zero dollar fraud liability" thing they advertise? That means that they need to step up and take care of things when it isn't right. Immediately.

chscag
07-20-2016, 09:56 PM
I wish it were that easy to change banks but it's not. I have had problems with just about every credit card provider including Chase. Yes, they all send out new cards right away and lock down the account (standard procedure for any credit card provider) but it's still a hassle. I don't care which bank you do business with, none of them will clear your account until they verify the false charges were indeed false. Sure, they provide you with temporary credit for the false charges, but no bank is going to completely clear your account until those charges have been verified.

Rod Sprague
07-21-2016, 04:40 AM
I think a little bit of paranoia is healthy but it is possible to go over the top. A lot of personal information can be and is obtained from discarded mail in the rubbish bin.
Personal security is mostly about not keeping crucial information idly lying about. A friend of mine has photos of both his and his wife's passports in Photos on his iPhone. He thinks his iPhone passcode is security enough.
Still some things have to be taken on trust. I use a VPN for all internet banking transactions but I know people who do not and others who simply won't use internet banking at all which really sums it up, the only way to be 100% secure online is not to be online.
If you do use it there are many mechanisms in place to protect us. Banks can freeze accounts after suspicious activity or refund your money if you can prove you have been scammed. My credit card was scanned in KL and purchases in excess of $2000.00 were made but my passport showed I was not in the country when the purchases were made so the bank claimed on their insurance and refunded my money.
The point is if you leave valuable stuff on a portable device, laptop or desktop computer or enter it into a new website it's like forgetting your wallet on the table at a restaurant or bar. Maybe some honest person will return it or maybe not but if a highly skilled pickpocket takes it on the street, well you did everything you could do and beyond that you just have to cancel those credit cards and notify the police and maybe your drivers license authority.
Too much security can be as much of a barrier to ourselves as others.

Ember1205
07-21-2016, 10:35 AM
I think a little bit of paranoia is healthy but it is possible to go over the top. A lot of personal information can be and is obtained from discarded mail in the rubbish bin.
Personal security is mostly about not keeping crucial information idly lying about. A friend of mine has photos of both his and his wife's passports in Photos on his iPhone. He thinks his iPhone passcode is security enough.
Still some things have to be taken on trust. I use a VPN for all internet banking transactions but I know people who do not and others who simply won't use internet banking at all which really sums it up, the only way to be 100% secure online is not to be online.
If you do use it there are many mechanisms in place to protect us. Banks can freeze accounts after suspicious activity or refund your money if you can prove you have been scammed. My credit card was scanned in KL and purchases in excess of $2000.00 were made but my passport showed I was not in the country when the purchases were made so the bank claimed on their insurance and refunded my money.
The point is if you leave valuable stuff on a portable device, laptop or desktop computer or enter it into a new website it's like forgetting your wallet on the table at a restaurant or bar. Maybe some honest person will return it or maybe not but if a highly skilled pickpocket takes it on the street, well you did everything you could do and beyond that you just have to cancel those credit cards and notify the police and maybe your drivers license authority.
Too much security can be as much of a barrier to ourselves as others.

Why? Unless the VPN terminates AT THE BANK, you've not increased your security posture overall from using the bank's web site with its encryption certificate.

Rod Sprague
07-22-2016, 03:05 AM
Ember, I am in Indonesia and my VPN gets my data to Australia in an encrypted state, from there it is reasonably safe to transmit the data over the Australian network using the bank's web site encryption but between here and there that's another question because I already know that the Indonesian ISP is both monitored, regulated and insecure.

digital
07-22-2016, 08:42 AM
@Ember1205, @chscag, @Rod and anybody else reading this thread! ;)

- how do you communicate with itune vendors?
ie. is there a way to message them back and forth without exposing your email (ID) address? (like you can on ebay) The advantage being that then you're not exposing the email address .....

- any DISadvantages to having & using an icloud ID for the apps (rather than just using the apple ID)

- OK - an imac has an Apple ID but the itunes, messenger etc all use the icloud ID.
Can the corresponding iphone use the same setup? Are there any limitations on the iphone setup that don't exist on the imac? eg. using different IDs etc.

Thanks :)

IWT
07-22-2016, 10:34 AM
@digital

I'm not sure this is what you had in mind; but if you have an iCloud, you can create multiple (up to five I think) alias email addresses. Lots of people do this when they subscribe to a new website; usually one that sends you an email that requires you to open a link thereby confirming your status. After this they disable that alias email or delete it altogether so ensuring they don't get any spam.

You could do the same for once-only use in corresponding with whoever.

Just a thought.

Ian

ManoaHi
07-23-2016, 12:01 AM
I sort of don't get the OP's first post. First of all, you don't login to your iMac and access your iPhone using your Apple ID, or have you set it up that way? I don't know how to do that. On my Macs there are two logins, me and admin, neither of them match my Apple ID. Mail on the other hand, I do login with my Apple ID as well as iTunes. Now you can use different Apple IDs for iTunes, iCloud (Mail), Messages. Messages using iMessages is secure end to end, whereas SMS is clear text. Why use different Apple IDs, consider this case, you want to have the same login for iTunes for the family, but you don't want them wandering through your messages and you don't want them in your iCloud storage or Mail as well so you use a different Apple ID for that. My mother is setup that way as well, since her Mail Apple ID is the same as her RoadRunner account. Her iTunes Apple ID is one she created. For iCloud, it's her RoadRunner account. She has a MacBook Air an iPad and an iPhone SE. She uses Continuity between all three devices. She is on the latest OS on all of them. On the Mac side, you need at least Yosemite and on the iDevices iOS 8. I think there is a disconnect, an Apple ID does not get you into any of your devices. It does get you into your "stuff" like Mail, Messages and iTunes (for buying/getting content) and iCloud. So, if there is concern about people wandering about your iMac, only if you give out the account and password. If someone figures out your Apple ID, for iTunes and you have a credit card associated with that account, you could be at risk, but again don't give it out. I have gift cards on my iTunes account, no credit cards. Also, turn on 2-factor authentication on your Apple ID.

digital
07-23-2016, 09:22 AM
Thanks @IWT & @ManoaHi

After I set up Messages on the imac I was going to look into making sure that the imac & iphone were a "mirror" .... thanks for the heads-up about Continuity :)

It's only me at home so I don't have other people's devices to share apps with, so I'm free to do whatever I want :)

I think I'll just setup everything with an icloud ID. I gather that won't be a problem. itunes set up with an icloud ID doesn't get sent to the cloud, does it? I didn't think so, but the thought just came to me .....

Thanks :)

Slydude
07-23-2016, 11:53 AM
itunes set up with an icloud ID doesn't get sent to the cloud, does it? I didn't think so, but the thought just came to me .....



Not quite sure what you mean. Are you asking whether your music automatically gets stored in the cloud? If that's what you're asking then no it doesn't. It can but you have to set that up.

digital
07-24-2016, 06:35 AM
Are you asking whether your music automatically gets stored in the cloud? If that's what you're asking then no it doesn't. It can but you have to set that up.

That's what I was asking - that by signing in to itunes with your icloud ID you weren't (by default) approving for it to be stored in the icloud. But judging by what you've said, you have to specifically upload anything to the cloud separately.

Thanks :)

ManoaHi
07-25-2016, 11:26 PM
I'm not a semantics expert, but, everything is an "Apple ID". You can associate one Apple ID with iCloud and you can have another Apple ID for iTunes/App Store. You can use one Apple ID for both, I do. Totally up to you. I know families that have one Apple ID for iTunes/App Store so that they can share each other's music, sort of family music and they build playlists individually. But each person has their own Apple ID for iCloud (and thus Mail and Messages) to keep their messages and mail private. I'd like to also urge you to enable 2-Step Verification (sometimes called 2-Factor Authentication): https://support.apple.com/en-us/HT204152

ManoaHi
07-25-2016, 11:43 PM
So, OP's original question about security. The Apple ID doesn't give you access to your Mac nor your iPhone. It is access to your "stuff". So, you say you don't use your Apple ID for Mail. At least one of your Apple IDs is for accessing iCloud. So, only what is kept on iCloud will be accessible if someone gets a hold of your Apple ID for iCloud. That is why I keep my mail on iCloud and I've enabled two-step verification everywhere that I can. (I've even turned it on at Amazon, so no one will be able to shop via my account). So, if someone tries to access my Apple ID, I get a text and that person is denied access. It is fairly secure, at least from a hacking point of view - I'm not saying it is 100% and someday it might be attacked, but no worse than any other 2-step verification capable mail (Gmail, Yahoo Mail, Outlook.com, Hotmail, etc. all have that feature). Having 2-step verification is key, so the hacker needs to know your Apple ID and the password and the code that your phone will have and it doesn't ask for the code until a valid password is entered. I can't think of any reason to not turn it on.

Xenia
07-26-2016, 03:35 PM
So, OP's original question about security. The Apple ID doesn't give you access to your Mac nor your iPhone. It is access to your "stuff". So, you say you don't use your Apple ID for Mail. At least one of your Apple IDs is for accessing iCloud. So, only what is kept on iCloud will be accessible if someone gets a hold of your Apple ID for iCloud. That is why I keep my mail on iCloud and I've enabled two-step verification everywhere that I can. (I've even turned it on at Amazon, so no one will be able to shop via my account). So, if someone tries to access my Apple ID, I get a text and that person is denied access. It is fairly secure, at least from a hacking point of view - I'm not saying it is 100% and someday it might be attacked, but no worse than any other 2-step verification capable mail (Gmail, Yahoo Mail, Outlook.com, Hotmail, etc. all have that feature). Having 2-step verification is key, so the hacker needs to know your Apple ID and the password and the code that your phone will have and it doesn't ask for the code until a valid password is entered. I can't think of any reason to not turn it on.

Actually, isn't it the case that the hacker would have to have or have access to two of your trusted devices, because the one-time, temporary code is sent to that second device, to be read and entered wherever the hacker is trying to break into your account?

I'm new to the two-factor authentication, so I might not know all the workings of it. Still learning!

ManoaHi
07-26-2016, 05:02 PM
Actually, isn't it the case that the hacker would have to have or have access to two of your trusted devices, because the one-time, temporary code is sent to that second device, to be read and entered wherever the hacker is trying to break into your account?
Not really, just one device to receive the code, or derived code, in the case of some authenticator app. It is working on the same principle as RSA SecurID (<-- that is not a misspelling).

Are you really new to two-factor authentication? I don't know many people who are. The three factors are:
1. something you know: typically a passcode or password (sometimes there are multiple password layers, so many things are 1 factor two times)
2. something you have: a FOB or in this case your smartphone to either receive a text message, or in the case of Authentication app, a generated code.
3. something you are: biometrics like your fingerprint, retinal scans, facial recognition

Two factor authentication (or in some instances: 2-Step Verification although some argue that they are not synonymous), operationally they're the same. But two factor authentication is using two of the above, not two of one factor. The argument is that if you receive a code, then it's still something you know but it really isn't. Do you know your code now? I don't think so.

I'm fairly sure (I'm actually willing to wager) you've used this "technology" before. Consider using an ATM, you insert/scan your card (something you have) then you enter in your PIN (something you know). You are not new to two factor authentication.

Ember1205
07-26-2016, 09:10 PM
So, OP's original question about security. The Apple ID doesn't give you access to your Mac nor your iPhone. It is access to your "stuff". So, you say you don't use your Apple ID for Mail. At least one of your Apple IDs is for accessing iCloud. So, only what is kept on iCloud will be accessible if someone gets a hold of your Apple ID for iCloud. That is why I keep my mail on iCloud and I've enabled two-step verification everywhere that I can. (I've even turned it on at Amazon, so no one will be able to shop via my account). So, if someone tries to access my Apple ID, I get a text and that person is denied access. It is fairly secure, at least from a hacking point of view - I'm not saying it is 100% and someday it might be attacked, but no worse than any other 2-step verification capable mail (Gmail, Yahoo Mail, Outlook.com, Hotmail, etc. all have that feature). Having 2-step verification is key, so the hacker needs to know your Apple ID and the password and the code that your phone will have and it doesn't ask for the code until a valid password is entered. I can't think of any reason to not turn it on.

A) It depends on whether you consider the iCloud Account to be the same as the Apple ID or not and B) use of your iCloud Account to log on to your Mac is an option.

bobtomay
07-26-2016, 11:19 PM
For those that missed my post while it was here - See this thread (http://www.mac-forums.com/security-awareness/335446-lot-misunderstanding-appleid-and-icloud-and.html?highlight=).

digital
07-27-2016, 07:00 AM
For those that missed my post while it was here - See this thread (http://www.mac-forums.com/security-awareness/335446-lot-misunderstanding-appleid-and-icloud-and.html?highlight=).

Thanks VERY much Tom for the great reply :) I got an email telling me there was a reply, but I noticed that it had disappeared online and was waiting for it to get reposted before I could thank you. I think it's a great idea you had of making it a separate thread and keeping it as a single "sticky". So others in the future can read it too.

I'll read the other replies another time, but I couldn't leave without thanking you! (insert the FB thumbs up here! ;-) )

I'll be back with more questions in a day or three!! ;-)

Xenia
07-27-2016, 07:45 PM
Not really, just one device to receive the code, or derived code, in the case of some authenticator app. It is working on the same principle as RSA SecurID (<-- that is not a misspelling).

Are you really new to two-factor authentication? I don't know many people who are. The three factors are:
1. something you know: typically a passcode or password (sometimes there are multiple password layers, so many things are 1 factor two times)
2. something you have: a FOB or in this case your smartphone to either receive a text message, or in the case of Authentication app, a generated code.
3. something you are: biometrics like your fingerprint, retinal scans, facial recognition

Two factor authentication (or in some instances: 2-Step Verification although some argue that they are not synonymous), operationally they're the same. But two factor authentication is using two of the above, not two of one factor. The argument is that if you receive a code, then it's still something you know but it really isn't. Do you know your code now? I don't think so.

I'm fairly sure (I'm actually willing to wager) you've used this "technology" before. Consider using an ATM, you insert/scan your card (something you have) then you enter in your PIN (something you know). You are not new to two factor authentication.

Hi Manoah,

What I was meaning to indicate is that I have just recently added the Two Factor to my Apple ID log in. And therefore am new to their setup.

Thank you for giving the great explanation of Two Factor. You are clearly much more knowledgeable about all this, than am I. I look forward to learning new things from your threads and comments. :)

And yes, in the case of Apple's Two-Factor process, I won't ever know the code ahead of time, because it changes every time with the log-in process, and is available for my use for only a short time.

Ember1205
07-27-2016, 08:22 PM
Not really, just one device to receive the code, or derived code, in the case of some authenticator app. It is working on the same principle as RSA SecurID (<-- that is not a misspelling).

Are you really new to two-factor authentication? I don't know many people who are. The three factors are:
1. something you know: typically a passcode or password (sometimes there are multiple password layers, so many things are 1 factor two times)
2. something you have: a FOB or in this case your smartphone to either receive a text message, or in the case of Authentication app, a generated code.
3. something you are: biometrics like your fingerprint, retinal scans, facial recognition

Two factor authentication (or in some instances: 2-Step Verification although some argue that they are not synonymous), operationally they're the same. But two factor authentication is using two of the above, not two of one factor. The argument is that if you receive a code, then it's still something you know but it really isn't. Do you know your code now? I don't think so.

I'm fairly sure (I'm actually willing to wager) you've used this "technology" before. Consider using an ATM, you insert/scan your card (something you have) then you enter in your PIN (something you know). You are not new to two factor authentication.

Two factor authentication uses two different "passwords" - one is typically static (one half of a username / password pair) while the other is dynamic or single-use (OTP: One-Time Password). SecurID, Symantec VIP, and other token-based systems use a series of "components" to make up a mathematical formula and the token passcode is one part of the changing formula (time is the other). In the case of your ATM PIN, that is not only NOT a dynamic password, but it is a one-way hash algorithm. There is a unique string of characters on your ATM card that, when 'hashed' with your PIN, will produce another unique string of characters. The bank keeps a copy of both strings but not your PIN. When you enter the card into the machine, and then type in your PIN, the PIN is used at the ATM to create a possible "second string" which is then compared to the ACTUAL string retrieved from your bank. If it matches, the PIN must have been correct.

When you change your PIN, the bank re-hashes the first string to create a new second string and then stores it.

So, the ATM PIN is not really a good example of two factor authentication because the second "factor" (the PIN) is not dynamic and is not directly used in the actual authentication.

Two-step authentication is absolutely two-factor if one of the steps involves using something that is dynamic.

Cr00zng
07-29-2016, 09:22 AM
Is a dynamic second factor better than static? Certainly, but an ATM card is still two factor authentication, i.e. "what you know and what you have".

OTP based two factor authentication flips how an ATM card authenticates. Basically the token based system makes what the bank does portable, dynamically provides a string of characters that is required for authentication, together with UID/PWD. Not having either component of "what you know or what you have" will result in authentication failure for both ATM and token based system.

In some respect, the code texted to the cell phones represents a dynamic two factor authentication system as well. This system just bypasses the expensive token based authentication vendors, at least for the end users...

Ember1205
07-30-2016, 09:19 AM
I still hold that a PIN for use with an ATM card is not two factor.

The "username" is your account number, and the only way to enter that is by inserting the card. The PIN is the "password". That combines to form one factor.