Verification Codes

This is a minor rant

I love verification codes. Always fun to be prevented from using features on very expensive devices because of unnecessary complications.

I thought I might read a book in iBooks - enter verification code.

No phone signal so no codes.

Apparently a code can be found using Settings on my iPhone. Tried that - enter verification code.
Tried the iCloud ID method - enter verification code.

So having walked all over the house trying to find enough signal to receive a code I looked up how to turn the wretched thing off. Go to iCloud account page, sign in - enter verification code.

Thanks for nothing Apple. So iBooks is now completely useless on my Home iMac as I will never be able to get a code fast enough to use it.

Not all of us live somewhere with a permanent 4G phone signal, nor Superfast Broadband for that matter

Maybe tomorrow in Warwick I will be able to turn off this useless device so the various features of these expensive toys become available to the person who paid for them

I'm supposing that you're referring to Apple's Two Factor Authentication?

If so, it's wretched. I've already written a post about it on here and how STUPID it is.

Even better - I found the email I received confirming it was setup, with a link to disable it which was valid until today.

Needless to say when I followed the link yesterday it didn't work

Managed to remove it at last.

I will get by with just the password and security questions. Why don't they use something like the various Authenticator Apps, which produce a code without requiring an external connection? Or they could use Wifi instead of needing an actual phone signal

Why do they send you the code ON the device you're trying to log in with instead of to an ALTERNATE device? Completely defeats the purpose of 2FA if both factors are on the same device like that.

Ember1205 said:

Why do they send you the code ON the device you're trying to log in with instead of to an ALTERNATE device? Completely defeats the purpose of 2FA if both factors are on the same device like that.

Click to expand...

That is the way you set it up. If you are using the device, then you have the device to Authenticate it, but if someone else tries to "Authorize" something, you will get the notification. You are only seeing your half of the two factors, but you are in all actuality, using and getting (2FA). It is supposed to be if someone else tries to access your account info. They, either will not have the device for the 2FA, or hopefully, physical access to the device that authorizes the 2FA. I mean, come on, do you expect Apple to know who is controlling your device and be able to tell it is not you?

ferrarr said:

That is the way you set it up. If you are using the device, then you have the device to Authenticate it, but if someone else tries to "Authorize" something, you will get the notification. You are only seeing your half of the two factors, but you are in all actuality, using and getting (2FA). It is supposed to be if someone else tries to access your account info. They, either will not have the device for the 2FA, or hopefully, physical access to the device that authorizes the 2FA. I mean, come on, do you expect Apple to know who is controlling your device and be able to tell it is not you?

Click to expand...

WRONG.

The second factor code appears on the device AFTER I have successfully input my username and password into someplace like my iCloud account. And it always appears ON the device I'm using. If that device had been stolen and someone were using it to access my iCloud account, they would have the keys to the kingdom in front of them.

ON THE DEVICE I AM USING, I get a "do you want to allow" pop up AND the second factor code. This is absolutely the dumbest implementation of 2FA I have ever seen. Why does Apple bother giving me the option of choosing to send the second factor by text message when A) text messages are sync'ed across all devices and B) they aren't actually sending them via text anyway.

That is because you have physical access to the device. If someone else was a to try to get in to your iCloud account, you would still get the code on your device, but they would not. If you do not have a passphrase or other security measure to get in to your phone, is it then Apple's responsibility to know that you do not have "your" phone?

Where do you want Apple to send the code? To your mac, what happens when you are not near it? To another device you are not near? The only difference between an "Authenticator" app and what Apple is doing, is the key is generated by iCloud and displayed on "your devices" screen, just like an Authenticator app. There is no difference.

ferrarr said:

That is because you have physical access to the device. If someone else was a to try to get in to your iCloud account, you would still get the code on your device, but they would not. If you do not have a passphrase or other security measure to get in to your phone, is it then Apple's responsibility to know that you do not have "your" phone?

Where do you want Apple to send the code? To your mac, what happens when you are not near it? To another device you are not near? The only difference between an "Authenticator" app and what Apple is doing, is the key is generated by iCloud and displayed on "your devices" screen, just like an Authenticator app. There is no difference.

Click to expand...

What you are describing is 2FA that is useful only for my iCloud account. What about when I go to sign in to iCloud (in Settings) on one of my devices? What about access to iTunes on the devices? What about access to my email account on the devices?

Sending the code TO my device is inappropriate. Every other 2FA system out there either requires that I have a specific app on my device to generate codes and/or offers me the option of sending the second factor to and email, a text destination, or calling me. Apple's implementation is useless and does nothing except put the integrity of your account at risk.

Ember1205 said:

What you are describing is 2FA that is useful only for my iCloud account. What about when I go to sign in to iCloud (in Settings) on one of my devices? What about access to iTunes on the devices? What about access to my email account on the devices?

Sending the code TO my device is inappropriate. Every other 2FA system out there either requires that I have a specific app on my device to generate codes and/or offers me the option of sending the second factor to and email, a text destination, or calling me. Apple's implementation is useless and does nothing except put the integrity of your account at risk.

Click to expand...

But, if you did not have all your devices synced, this issue would be moot. The code generated by iCloud code generator app would only be on that device. You choose to have everything sync to make it easier for you, I'm sorry, for whoever has access to your devices.
It is Apple using the 2FA, which is the same app across all Apple products, Like macOS and iOS, just like Google Authenticator or whatever authenticator app being used.

Again, Apple can't control when someone has physical access to the device in question, just like with a mac, people will find a way to get into it, if they want.

ferrarr said:

But, if you did not have all your devices synced, this issue would be moot. The code generated by iCloud code generator app would only be on that device. You choose to have everything sync to make it easier for you, I'm sorry, for whoever has access to your devices.
It is Apple using the 2FA, which is the same app across all Apple products, Like macOS and iOS, just like Google Authenticator or whatever authenticator app being used.

Again, Apple can't control when someone has physical access to the device in question, just like with a mac, people will find a way to get into it, if they want.

Click to expand...

I disagree

I requested that codes be sent by text message and they never were. There is NO record of those codes in my Messages app on any of my devices.

Even if Apple WERE sending them via text, it would be a huge fail on Apple's part because they would effectively be telling me that I shouldn't be using one of their heavily touted enhancements (text message sync across devices for non-iMessage messages) or one of their base functions (iMessages fully synced across devices) depending on the delivery method they chose.

It's a terrible attempt at 2FA.

The point was that I didn't get a code as my iPhone had no phone signal.

Also, the email said the link to disable it expires today (30th September) but it had already expired yesterday.

Ember1205 said:

I disagree

I requested that codes be sent by text message and they never were. There is NO record of those codes in my Messages app on any of my devices.

Even if Apple WERE sending them via text, it would be a huge fail on Apple's part because they would effectively be telling me that I shouldn't be using one of their heavily touted enhancements (text message sync across devices for non-iMessage messages) or one of their base functions (iMessages fully synced across devices) depending on the delivery method they chose.

It's a terrible attempt at 2FA.

Click to expand...

So, what you are saying is, you want the security and the convenience?

Fair enough, we all make our own choices.

ferrarr said:

So, what you are saying is, you want the security and the convenience?

Fair enough, we all make our own choices.

Click to expand...

What I am saying is that Apple, or any vendor for that matter, should not introduce a new feature that is "interfered with" or weakened by use of another feature. And that's pretty much what they did here.

Ember1205 said:

What I am saying is that Apple, or any vendor for that matter, should not introduce a new feature that is "interfered with" or weakened by use of another feature. And that's pretty much what they did here.

Click to expand...

Sorry, you misunderstood, I was replying to Ember1205.

Which is why I responded

Ember1205 said:

Which is why I responded

Click to expand...

So you did, sorry about that.