2 factor authentication...and Potential Lost iPhone

Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
I still don't understand the rationale for that.
Legal liability. They have to do it or someone will sue them for not having it, and if they offer an off switch they could be sued for not making it harder. Courts are more and more saying to companies, "You have to protect the stupid, even if they hate you for it."
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
Legal liability.

Jake - I don't buy that.

If it was really a legal issue, all other companies, at least in the US, would do the same thing.
And in addition, Apple would not offer the option to turn 2FA off within the first two weeks of enabling it.
Besides, 2FA is not mandatory I don't think - I have an Apple account and no 2FA.

In fact, I think Apple forcing people to keep 2FA and not being able to disable that is more of a legal issue for them.
If I ended up having my accounts compromised because of 2FA, I, through my lawyers, would argue that after I enabled 2FA say a few years ago, I then found out about the SIM card swap fraud and wanted to disable Apple 2FA but Apple made that impossible for me, so that makes them liable.
 
Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
Other companies are moving to 2FA. And it is mandatory for all new AppleID. They did grandfather some old accounts, but as you have discovered, once turned on, you have just 2 weeks to reverse it.

I see now that Amazon is using 2FA if you sign in from a new system or browser and as I said, my bank, broker, cell phone provider, credit union, credit card accounts are all going to 2FA as quickly as they can.

I don't think your legal argument would hold up for a second in court. After all, if you don't use 2FA and the SIM swap fraud occurs, the thieves just change the password with no 2FA and do the same thing as they are with the 2FA data. Any confirmation of the new password goes to the stolen SIM and to their phone, not yours. Apple's liability in that case is zero--it's the cell operator failure.
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
Other companies are moving to 2FA.

I have no problem if a company wants to do that - forcing me to use 2FA is the issue I have.

I see now that Amazon is using 2FA if you sign in from a new system or browser and as I said, my bank, broker, cell phone provider, credit union, credit card accounts are all going to 2FA as quickly as they can.

Must be "US-Thing"

I just logged into my amazon.ca account using the Cliqz browser which I have never ever used for Amazon.
No problem - logged me right in with email address and password.
I also have accounts with four different banks, one credit union and a set of different credit cards, none so far use 2FA.
I occasionally get asked a security question, usually if I log in from a different IP address because I moved my computer, but nothing ever gets sent to my cell phone.
As far as all these places are concerned, I don't own a cell phone so sending some authorization code to a cell phone is not even an option in my case.
I just change passwords regularly - make passwords for different types of financial institutions all different and pick security questions where the answer is rather obscure and only I would know the correct reply.
Different security questions for each financial institution as well.
Bottom line for me - I don't need 2FA and I don't want 2FA

Maybe we can just leave it at that.

But I would still like to know if the OP ever got anywhere with Apple to have the 2FA revoked.
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
Ah...

This just popped up in my email - message from Amazon:

Sign-In detected
krs, did you Sign-In from a new device?
When
Apr 29, 2020 4:06 PM
Device
Mozilla Firefox for Mac OS X (Desktop)
Near
Ontario, Canada
If this was you, you can disregard this message.
 
OP
M
Joined
Apr 23, 2020
Messages
7
Reaction score
0
Points
1
yes krs
i will contact them and see if i can have it removed, but before i do that i would like to see how the 2fa works if i list my wife's cell phone as a trusted number.


as stated i have tried this and she receives no notification at all when i try to sign in to iCloud via a non trusted device.
what might i be overlooking?
i know the number was accepted because when i added it she received a code which i then used to register it in my phone, however when i try to test it by logging into a non trusted device she receives nothing ??

thanks
 
Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
The 2FA doesn't kick in until you try to do something affecting your account in some way. Just logging in to a different Mac doesn't trigger it. Try going to iCloud.com and logging in. I get 2FA every time I do that.
 
Joined
Feb 6, 2010
Messages
5
Reaction score
0
Points
1
I have 2FA turned on, and in the profile where I put the telephone number to use for the 2FA I have both my number and my wife's number listed. For her iCloud account she has both hers and mine listed as well. So, whenever the 2FA for either of us is invoked, both of us get the code. And given that my iPad and Apple Watch are also listed devices, along with my MBP, when I get a code I get it in 6 places--my iPhone, her iPhone, my iPad, my Apple Watch, my MBP, and her MBP. Ditto for any code she gets. So if a SIM swap is attempted on my iPhone, or hers, the other will get the code, realize what is going on and be able to block it by denying the attempt. And even if the bad guy is faster than we are at denying the attempt, we can get to the account from the other trusted devices and change everything to block it from that phone.

So, if you have more than one Apple device, use them all as part of the 2FA security process. Do that and the SIM swap fraud risk goes down.

Thanks for this discussion. Can someone supply a simple way to add trusted phone numbers to the 2 factor authentication? Thanks in advance, Charlie
 
Joined
Jul 31, 2016
Messages
18
Reaction score
1
Points
3
Protection for all

iPhones for a while were the favorite phones to steal. A thief could get more money for a stolen iPhone, or would get more "prestige" by having an iPhone. The 2FA changed that. Because of the Apple 2FA and the inability to disable it (meaning to thieves the phone is worthless to them) it brought the theft of iPhones down to almost nothing. Therefore, to contradict someone else, Apple does know more than its users (usually). And because of the 2FA there is less of a chance of your phone being stolen and having to worry about the 2FA.

thanks for all the replies
all your points are well taken from a high security perspective

personally not being able to have the option to disable this is a big minus.
if i were to lose my phone while on a trip i would have to jump through hoops just to access contacts or notes. i know you can add trusted phone numbers but then again i would have to contact the third party entity and hope they were available to relay the code.

i think it's absurd the owner of the account can't disable this, and i resent the fact that apple "sneaks" this setting in, i am willing to bet 50% of the people that opt in to this do so by accident and are unaware of the ultimate consequences. at least give the option of adding a "trusted email" this way one would not have to rely on someone else to access their account.

i will try to contact apple to see if they can revert this setting.
is there a main customer service number to use for this sort of an issue?

thanks
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
iPhones for a while were the favorite phones to steal. A thief could get more money for a stolen iPhone, or would get more "prestige" by having an iPhone. The 2FA changed that. Because of the Apple 2FA and the inability to disable it (meaning to thieves the phone is worthless to them) it brought the theft of iPhones down to almost nothing. Therefore, to contradict someone else, Apple does know more than its users (usually). And because of the 2FA there is less of a chance of your phone being stolen and having to worry about the 2FA.

2FA doesn't protect your iPhone, it protects your iCloud account. It was the introduction of Activation Lock, a component of Find My iPhone, that basically reduced thefts down to almost nothing.

Apple has just about killed the iPhone crime wave | Computerworld
 
Joined
Nov 19, 2006
Messages
1,816
Reaction score
98
Points
48
Location
York, UK
Your Mac's Specs
iMac: 5K 27” (2020), 3.3 GHz, 32Gb RAM. iPad 2025, iPhone 13 Mini, Apple Watch SE
The reason the 2FA code appears there is because you are already signed in to your iCloud account, and your Mac is a trusted device. If someone has your device, hopefully they don't also know your passcode/password.

But I'm not already signed into my icloud account. That is the point!
 
Joined
Jan 1, 2009
Messages
16,379
Reaction score
4,735
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 16 Pro, plus ATVs, AWatch, MacMinis (multiple)
I know I've made this point before in a similar thread but when I need to enter my Apple ID on my mac (usually because, once again, my iCloud mail has 'forgotten' it), the 2 FA code comes up on the mac itself, completely overturning any supposed security. It's just stupid.
If you don't want it there, just remove the Mac from the trusted devices. Then it won't show up on the Mac.
 
Joined
Nov 19, 2006
Messages
1,816
Reaction score
98
Points
48
Location
York, UK
Your Mac's Specs
iMac: 5K 27” (2020), 3.3 GHz, 32Gb RAM. iPad 2025, iPhone 13 Mini, Apple Watch SE
If you don't want it there, just remove the Mac from the trusted devices. Then it won't show up on the Mac.

That rather defeats the object of having the iMac as a trusted device. I just think showing the code on the very machine where it is requested is beyond logic. ie stupid. As I said my bank manages not to do this. Perhaps I suggest they get into the icloud software business.
 
Joined
Sep 30, 2007
Messages
9,962
Reaction score
1,236
Points
113
Location
The Republic of Neptune
Your Mac's Specs
2019 iMac 27"; 2020 M1 MacBook Air; macOS up-to-date... always.
That rather defeats the object of having the iMac as a trusted device. I just think showing the code on the very machine where it is requested is beyond logic. ie stupid. As I said my bank manages not to do this. Perhaps I suggest they get into the icloud software business.

I have to deal with this same thing for work. For some time now, we've had to use an authenticator app any time we log in remotely to check email or access other resources. Recently they rolled out an app to access all of this on our phones rather than just through a browser. But that app still triggers an authentication request, which goes to the authenticator on this same phone! It's insane. If an unauthorized person actually had my phone and logged into the app, then they'd obviously be able to self-authorize it also.
 
Joined
May 21, 2012
Messages
11,309
Reaction score
1,594
Points
113
Location
Southern New England
Your Mac's Specs
2024 M4 14" MBP, iPhone 16 Pro Max, Watch S7 & Watch S9, AirPods Pro 1
That rather defeats the object of having the iMac as a trusted device. I just think showing the code on the very machine where it is requested is beyond logic. ie stupid. As I said my bank manages not to do this. Perhaps I suggest they get into the icloud software business.
Are you sure what devices are trusted by your bank? Or does the only code go to an email account, home phone or something else?
 

krs


Joined
Sep 16, 2008
Messages
3,574
Reaction score
618
Points
113
Location
Canada
Can I get back to basics for a minute....

My understanding of 2FA is that it is activated if one tries to log into one's account from a new device that was never used for that purpose before.
From Apple:
Two-factor authentication is an extra layer of security for your Apple ID designed to ensure that you're the only person who can access your account, even if someone knows your password.
With two-factor authentication, your account can only be accessed on devices you trust, like your iPhone, iPad, Apple Watch, or Mac. When you want to sign in to a new device for the first time, you'll need to provide two pieces of information—your password and the six-digit verification code that's automatically displayed on your trusted devices. By entering the code, you're verifying that you trust the new device. For example, if you have an iPhone and are signing into your account for the first time on a newly purchased Mac, you'll be prompted to enter your password and the verification code that's automatically displayed on your iPhone.
So if somebody has your iPhone and your password - 2FA does absolutely nothing.
And if someone has your password but tries to log in from a "non-trusted" device, 2FA triggers and generates a code on all trusted devices that needs to be entered to access the account.

If the above is true, what I can't get my head around is how that is an improvement over the multiple security question verification that was asked previously?
None of the banks I deal with use 2FA, the one bank that is I think the most secure one, will:
a. For a regular login, ie from my computer where they check the IP address, will need my password (obviously) and then they display 12 images (one of which I had chosen when I first set up the account) and I have to select the correct image to access the account.
Very simple and straightforward, I find an image a lot easier to remember than a password plus it's also something one doesn't tend to write down.
And if I move my Mac to a different location, ie different IP address, then one or two security questions pop up in addition to the password & image selection requirement.

I'm trying to understand how 2FA improves on that approach - all I find now is that with SIM swap, 2FA actually makes things less secure.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,246
Reaction score
1,834
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
Very simple and straightforward, I find an image a lot easier to remember than a password plus it's also something one doesn't tend to write down.
And if I move my Mac to a different location, ie different IP address, then one or two security questions pop up in addition to the password & image selection requirement.

I'm trying to understand how 2FA improves on that approach - all I find now is that with SIM swap, 2FA actually makes things less secure.

I have to agree about using security questions. Of course this assumes the questions you set up are very personal and are ones that only you know and can answer. I'm not aware of any bank here in the US that uses an image for verification but I suppose that would work.

I can't comment on the SIM swap since I really have never heard of anyone being a victim of that - at least around here.
 
