2 factor authentication...and Potential Lost iPhone

Joined
Apr 23, 2020
Messages
7
Reaction score
0
Points
1
hello
i know 2 factor authentication can't be turned off, big disappointment

what if i take a trip, lose my phone and have no other device?
i will have access to icloud.com from a stranger's computer but only for "find my phone" purposes,
but i will have no access to contacts, notes etc basically being locked out.

am i missing something or is this a big flaw ?
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,246
Reaction score
1,834
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
If you lose your phone or it's stolen while on a trip away from home, you have no other choice but to borrow another device and invoke "Find my iPhone" by using iCloud. However, since you would have no other trusted device to authenticate (2FA) you will have to call Apple and ask them for help. They may ask you security questions to verify your identity. I'm not sure how they would handle that.

I can tell you though, that it is not a flaw. That is the way it's designed to thwart fraud and theft of your devices.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
Agreed that this is not a flaw, it's an important security feature. You should add trusted numbers that are not your own number to your Apple ID so that you can get a 2FA code if you lose your own phone. When traveling, make sure that one of those trusted numbers is not traveling with you (in case you both are robbed or something like that). I actually removed my own number from my trusted numbers for the simple reason that SMS can be spoofed and if someone wanted to hack my account and knew my phone number, then it'd be trivial to do so.

You used to be able to disable 2FA, but Apple took the option away with some updates a while back. If you really want to insist on not having 2FA, then call Apple. From reading around, they supposedly can restore the option for you to disable it. I wouldn't advise you to disable this, but it's your right to make the choice, and your right to suffer the consequences if your security is compromised by that choice.
 
Joined
Jul 30, 2009
Messages
7,356
Reaction score
341
Points
83
Location
Wisconsin
Your Mac's Specs
Mac Mini (Late 2014) 2.6GHz Intel Core i5 Memory: 8GB 1600MHz DDR3
hello
i know 2 factor authentication can't be turned off...
in Catalina?
I have it off in Mojave.
Has it been improved?
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
in Catalina?
I have it off in Mojave.
Has it been improved?

The way it works is you set up trusted Apple devices, to which a code is pushed to for authentication; and/or you can set up a handful of trusted phone numbers, to which you can have a code texted to (I believe an automated voice call is also possible for landlines); and you can also optionally create recovery keys, which you would store safely somewhere in the event you lose access to any device that can authorize your account.
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
I'm surprised nobody mentioned SIM swap fraud compromising 2FA.

This has become a real issue in Canada because of the CRTC's (Telecom Regulator) requirement to transfer from one cell phone provider to another quickly and seamlessly.
When I checked with my cell phone provider just a week ago how to prevent that, the comment was that one really can't and a SIM swap could happen in less than 5 minutes if the provider being switched to is part of the same umbrella corporation.
Best advice I received from my cell phone provider is to not use 2 FA at all, or if it is mandatory to use a different (i.e. partner's) cell phone number.
 
Joined
Jul 30, 2009
Messages
7,356
Reaction score
341
Points
83
Location
Wisconsin
Your Mac's Specs
Mac Mini (Late 2014) 2.6GHz Intel Core i5 Memory: 8GB 1600MHz DDR3
hello
i know 2 factor authentication can't be turned off, big disappointment

Why can't you turn it off, or just not set it up?
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,246
Reaction score
1,834
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
You can disable it within two weeks of enabling it:

Apple’s support page for 2FA notes that within the first two weeks of enabling 2FA, you can still revert. But after that, no can do:
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
Once it's on, you can't disable it. At least some people can't. I'm one of them. It's literally not an option.
Can you disable two-factor authentication on your Apple ID? | Macworld

The sub-title in this article states:
Two-factor authentication (2FA) provides an effective way to deter people from hijacking an online account.

maybe that was true in 2018 when the article was written - today with SIM swap fraud it should probably read:
Two-factor authentication (2FA) provides an effective way for people to hijack an online account.
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
You can disable it within two weeks of enabling it:

Apple’s support page for 2FA (https://support.apple.com/en-us/HT204915) notes that within the first two weeks of enabling 2FA, you can still revert. But after that, no can do:

Just noticed - congrats on 60,000 posts - that is a very impressive number.

On the Apple 2FA - can one at least change the destination, ie different cell number, for the authentication?

I always hate it when a company thinks they know better than the user - even if the company is Apple.
 
Joined
May 21, 2012
Messages
11,309
Reaction score
1,594
Points
113
Location
Southern New England
Your Mac's Specs
2024 M4 14" MBP, iPhone 16 Pro Max, Watch S7 & Watch S9, AirPods Pro 1
Yes, you can change the associated phone number(s) as needed.
 
OP
M
Joined
Apr 23, 2020
Messages
7
Reaction score
0
Points
1
thanks for all the replies
all your points are well taken from a high security perspective

personally not being able to have the option to disable this is a big minus.
if i were to lose my phone while on a trip i would have to jump through hoops just to access contacts or notes. i know you can add trusted phone numbers but then again i would have to contact the third party entity and hope they were available to relay the code.

i think it's absurd the owner of the account can't disable this, and i resent the fact that apple "sneaks" this setting in, i am willing to bet 50% of the people that opt in to this do so by accident and are unaware of the ultimate consequences. at least give the option of adding a "trusted email" this way one would not have to rely on someone else to access their account.

i will try to contact apple to see if they can revert this setting.
is there a main customer service number to use for this sort of an issue?

thanks
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,246
Reaction score
1,834
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
i will try to contact apple to see if they can revert this setting.
is there a main customer service number to use for this sort of an issue?

Apple Customer Service and Support = 1 (800) 692-7753

Tell the customer service support person that you accidentally invoked 2FA or that you didn't know it was turned on. And... that you would desire to go back to the security question method of identification for your Apple ID and other support questions.
 
Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
I have 2FA turned on, and in the profile where I put the telephone number to use for the 2FA I have both my number and my wife's number listed. For her iCloud account she has both hers and mine listed as well. So, whenever the 2FA for either of us is invoked, both of us get the code. And given that my iPad and Apple Watch are also listed devices, along with my MBP, when I get a code I get it in 6 places--my iPhone, her iPhone, my iPad, my Apple Watch, my MBP, and her MBP. Ditto for any code she gets. So if a SIM swap is attempted on my iPhone, or hers, the other will get the code, realize what is going on and be able to block it by denying the attempt. And even if the bad guy is faster than we are at denying the attempt, we can get to the account from the other trusted devices and change everything to block it from that phone.

So, if you have more than one Apple device, use them all as part of the 2FA security process. Do that and the SIM swap fraud risk goes down.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
The sub-title in this article states:
Two-factor authentication (2FA) provides an effective way to deter people from hijacking an online account.

maybe that was true in 2018 when the article was written - today with SIM swap fraud it should probably read:
Two-factor authentication (2FA) provides an effective way for people to hijack an online account.

If you use the SMS fallback option. You don't have to use the SMS option if you have an Apple computer/device to which a code can be pushed. You should re-read my earlier comments about all that. In the meanwhile, your alternate sub-title needs a re-write.
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
If you use the SMS fallback option. You don't have to use the SMS option if you have an Apple computer/device to which a code can be pushed. You should re-read my earlier comments about all that. In the meanwhile, your alternate sub-title needs a re-write.

There are ways to minimize this problem as Jake also pointed out, but 2FA without these additional steps you and Jake mentioned was touted as the ultimate security of one's account which in retrospect it didn't turn out to be.
When I read the Apple Marketing blurbs on that, they keep mentioning how secure this concept is because the code is sent to devices "under your control" not realizing how easy it is, at least in Canada, to lose control.
I have read too many horror stories how people have lost thousands of dollars that way that I'm not at all keen on that approach.
What prompted me to even post in this thread was the fact that Apple doesn't let one turn off 2FA after it has been turned on - this is actually unbelievable. I'm glad I found out about this now!
 
Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
Nothing is ever "ultimate security." And I don't think I've ever seen anyone claim 2FA is "ultimate security." Just better than not having 2FA. The SIM code fraud is a problem of the phone companies not having even mediocre security in place to prevent it. It's kind of unfair to blame Apple for the failings of a telecom company who cannot be bothered to use even rudimentary security before transferring a phone number to some strange SIM card just because someone called them. At least Apple sends the codes to all of the registered devices so if I lose my iPhone (or someone tries to SIM card fraud me) I can use my wife's iPhone or my MBP or my iPad to lock it down.

As for not letting you turn 2FA off after two weeks, it's their policy. If you don't like it, don't use iCloud. An iPhone will work without iCloud, although the handiness will be reduced. But you will have SMS, the default apps, communications, etc., so the phone functionality will be there. It would be like having just an iPhone and no other Apple product, and you won't be able to add any apps to it other than the default. For some people, that's all it needs to have. If you want more, you have to play by Apple's rules to use Apple's services. And that means 2FA that cannot be turned off after two weeks.
 

IWT


Joined
Jan 23, 2009
Messages
10,707
Reaction score
2,607
Points
113
Location
Born Scotland. Worked all over UK. Live in Wales
Your Mac's Specs
M2 Max Studio Extra, 32GB memory, 4TB, Sequoia 15.4.1 Apple 5K Retina Studio Monitor
Just noticed - congrats on 60,000 posts - that is a very impressive number.

+1 on that. An enormous contribution, Charlie. Thank you.

Ian
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
There are ways to minimize this problem as Jake also pointed out, but 2FA without these additional steps you and Jake mentioned was touted as the ultimate security of one's account which in retrospect it didn't turn out to be.
When I read the Apple Marketing blurbs on that, they keep mentioning how secure this concept is because the code is sent to devices "under your control" not realizing how easy it is, at least in Canada, to lose control.
I have read too many horror stories how people have lost thousands of dollars that way that I'm not at all keen on that approach.
What prompted me to even post in this thread was the fact that Apple doesn't let one turn off 2FA after it has been turned on - this is actually unbelievable. I'm glad I found out about this now!

You have to unlock your device to get the code. If you have "lost control" of your device, the person who has control of it shouldn't be able to get that code. Unless you have no security on your device, in which case you need to really re-think your security practices.

But when it comes right down to it, every security option is a balance of convenience and, well, how hardened the security is. I do agree it's a little crazy that Apple doesn't have an option to disable 2FA if one chooses to do so. I for one choose NOT to do so, but I support the right of anyone to do so if they choose to, whether it's a practical one for their own needs or a downright foolish one.
 
