iCloud Account Two Factor - Is it just me...

... or is this the dumbest implementation of 2FA (two-factor authentication) ever?

The whole concept of what Apple is advertising is solid - when you log in to your iCloud account through a browser, or on a new device (like when you're initially setting up access to your account), Apple will require not only your iCloud password but also a six-digit passcode. When you go through the 2FA setup on your iCloud account, they ask you for a phone number to text that passcode to (so, now, you would need to have your phone handy as well).

First off, this is completely STUPID because so many of us are using text forwarding to our Macs and other devices. If someone breaks into my iCloud account -ON- my Mac, and Apple were to text the secondary password to my phone... Guess what? It would show up in Messages as either an iMessage that's right on the Mac OR it would show up as a forwarded text message in Messages - giving the hacker the second password they need. The exact same is true if they gain access to ANY of my active devices.

What's even MORE STUPID is that they don't text you the code AT ALL!!! It shows up ON THE DEVICE YOU'RE USING so that you can key it right in! WTH is the value in this?

Am I completely missing something? Not to mention that it effectively rendered my iCloud account UNUSABLE for syncing data among my devices until I cleared it out and re-set everything.
 

chscag

Have to agree with you. I have avoided 2FA for a number of reasons but foremost is that it is not foolproof and can easily be hacked (as you pointed out). Aside from that, once 2FA goes awry, you will have nothing but headaches and trouble trying to get Apple to help you straighten it out.
 
OP
The whole point behind 2FA is to separate out the two passwords and ensure that they are completely disassociated with each other. It seems that Apple has gone out of their way to actually LINK them! This is NOT 2FA, it's TWO STEP authentication which provides exactly ZERO additional security.
 
I believe it is the same as using any "authenticator" app. Except this app is in the cloud, not on your device. There are some parts of Apple 2FA where the user has a choice of where to send the code, like any trusted device associated with that Apple/iCloud/iTunes ID. Or, maybe I'm not understanding the 2 factor part?
 
OP
I believe it is the same as using any "authenticator" app. Except this app is in the cloud, not on your device. There are some parts of Apple 2FA where the user has a choice of where to send the code, like any trusted device associated with that Apple/iCloud/iTunes ID. Or, maybe I'm not understanding the 2 factor part?

That was something I commented on earlier... They ask you how to get the code, you tell them to text it to you, give them a phone number, and then they don't bother to actually use that method to send it to you.
 

Rod


I too have avoided 2FA for the reasons chscag mentioned. "once 2FA goes awry, you will have nothing but headaches and trouble trying to get Apple to help you straighten it out." I had problems a year or more back due to the fact that I had used my Australian Mob number but was in Indonesia at the time with no access to that number. Since then I have added my Indo number to my Apple ID but I still refuse to use it, mostly for the reasons Ember mentions above. As is, it's annoying and less than secure.
 
I was just about to call Apple Support because it doesn't make any sense to me how I can "authorize" my Mac by clicking "Allow" via the pop-up... on my Mac.
 
And so far, for me, the authentication code never actually arrives on any of my devices. I have to click on "send code to mobile". This does work, but I wished I hadn't bothered with this 2FA malarkey.
As an aside, whilst I still like Apple's products, I can't help but feel they are losing their way. Even contemplated moving to MS and Android.
 
OP
And so far, for me, the authentication code never actually arrives on any of my devices. I have to click on "send code to mobile". This does work, but I wished I hadn't bothered with this 2FA malarkey.
As an aside, whilst I still like Apple's products, I can't help but feel they are losing their way. Even contemplated moving to MS and Android.

I have somewhat regularly flip-flopped between Apple and Android. There are some things about Android that just irritate me to no end (like an absolutely horrendous backup / restore / migration process) while other things are super appealing (like being able to configure pretty much anything that I want to any setting that I want).

I have two Macs, an iPad Pro, and my personal and work phones are both iPhones. There's a LOT of integration there for me. Not entirely sure what my next step will be, although I'm waiting for the iPhone 7 to be an available option through work. I'll test it out on their dime and make my decision from there.

The 2FA stuff is just horrendously confusing to me.

Is there no way to disable it once you've had it tied to your account for a period of time?
 

IWT


OP
Thanks for the links, Ian.

The write-up from Apple confirms (in my mind) that this is not a real step forward for security at all. The concept of simply adding a device as "trusted" by using these codes from other trusted devices ONLY gives an additional layer of protection to the iCloud account if someone were to try and access the account WITHOUT a trusted device in hand. It does absolutely NOTHING to add security if someone has a trusted device of yours in-hand (like a stolen phone or Mac).
 
