Defeating Apple two-factor authentication with a Mac

Joined
Jul 13, 2015
Messages
2
Reaction score
0
Points
1
I have two-factor authentication set up on my Apple account. They require that you have a phone number for your device and then you can add additional trusted devices (like an iPad). Here's the thing...if someone steals my Macbook, they can easily defeat my two-factor authentication. Since all my text messages come through the Messages app, this means the code sent from Apple comes right onto my computer. There's no way to disable or "not trust" a laptop unless either I don't include my real phone number in my Apple ID settings or don't use Messages. Am I missing something?
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
I have two-factor authentication set up on my Apple account. They require that you have a phone number for your device and then you can add additional trusted devices (like an iPad). Here's the thing...if someone steals my Macbook, they can easily defeat my two-factor authentication. Since all my text messages come through the Messages app, this means the code sent from Apple comes right onto my computer. There's no way to disable or "not trust" a laptop unless either I don't include my real phone number in my Apple ID settings or don't use Messages. Am I missing something?

If you add a trusted iDevice, the code goes directly to that device and only that device as a pop-up notification, not as a text message.
 
OP
J
Joined
Jul 13, 2015
Messages
2
Reaction score
0
Points
1
If you add a trusted iDevice, the code goes directly to that device and only that device as a pop-up notification, not as a text message.

Yes...this is true and I know how this works. But the other way to verify a log in to send a text to your phone number. With the Message App in OSX, text messages appear here as well, so anyone with your computer can access your account. This is without making my Mac a trusted device simply because Messages can access all text messages (v. just iMessages as in the past)
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,235
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Yes...this is true and I know how this works. But the other way to verify a log in to send a text to your phone number. With the Message App in OSX, text messages appear here as well, so anyone with your computer can access your account. This is without making my Mac a trusted device simply because Messages can access all text messages (v. just iMessages as in the past)

Then don't add a phone number as a method of authenticating.

EDIT: Or... don't let iMessage on the Mac receive text messages. It is optional. Or improve the security of your MacBook and make sure it auto-locks when you shut the lid or go to sleep, and require a password every time you log into it.
 

bobtomay

,
Retired Staff
Joined
Dec 22, 2006
Messages
26,561
Reaction score
677
Points
113
Location
Texas, where else?
Your Mac's Specs
15" MBP '06 2.33 C2D 4GB 10.7; 13" MBA '14 1.8 i7 8GB 10.11; 21" iMac '13 2.9 i5 8GB 10.11; 6S
Or add a phone # prior to your notebook being stolen, not after it's been stolen.
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top