Two-Factor Authentication on Apple Devices - constant pressure to comply

MacInWin · Sep 14, 2020

Cr00zng, that is why you should have multiple trusted devices registered. I have my iPhone, iPad and MBP all trusted. If I have to do anything drastic with any of them (reset, reinstall, etc), the others are the avenue to the 2FA code. As you say, knowing how it works is key to use it properly.

pm-r · Sep 14, 2020

Rod said:
If so it will be delivered to my "trusted" devices which includes my MBP. So if I drag the notification aside I see the code that I need to enter. Contrary to opinion this does not defeat the point because I am on a "trusted" device. If I wasn't I would have to get the code from my iPhone or iPad.

Just wondering what would happen if somebody had stolen one of your "trusted" devices??? Would they not receive the necessary code and use it to complete access to your protected account???

- Patrick
=======

MacInWin · Sep 14, 2020

If someone stole a trusted device, they would need the password to get into the device to use it for the code. So, my iPhone uses facial recognition and a long password as backup. My iPad uses fingerprint and a long password backup. My MBP uses a complex password for access. So, to get to the 2FA code, you need my device AND the passwords. Just having the device is not sufficient.

pm-r · Sep 14, 2020

MacInWin said:
So, to get to the 2FA code, you need my device AND the passwords. Just having the device is not sufficient.

I guess I sort of figured that would be the case.

- Patrick
=======

Cr00zng · Sep 14, 2020

@MacInWin

Yes, knowing how Apple manages the trusted devices and the 2FA does help. For seasoned Apple device users, this is a non-issue; "newbies" on the other hand will get tripped up. I still don't know what Apple does, if you have a single iDevice and the (i)OS reinstalled; where does Apple send the PIN#?

MBP password isn't as "bullet proof" as it seems, regardless of its strength. Aside from the "rubber hose" based cracking...

MacOS is a UNIX based OS, Next and/or FreeBSD if I recall correctly. Like most of the UNIX based system, MacOS can be started in single user mode, "Command + R" I believe. The password can be changed without knowing the old password via the terminal.

One could also start a MBP in target disk mode to get the data off.

FileVault would prevent last two of these methods, but one could lock him/herself out as well, if the password is forgotten and the recovery key is lost. There's that...

MacInWin · Sep 14, 2020

Cr00zng said:
MacOS is a UNIX based OS, Next and/or FreeBSD if I recall correctly. Like most of the UNIX based system, MacOS can be started in single user mode, "Command + R" I believe. The password can be changed without knowing the old password via the terminal.

If you do that, does the flag get set that triggers the detection of a login from a "new" device? I have gotten that prompt several times when I have triggered the VPN and then tried to access iCloud. I may test that some day, just to see what happens.

chscag · Sep 14, 2020

Cr00zng said:
MacOS can be started in single user mode, "Command + R" I believe.

Nope. Command + S

MacInWin · Sep 14, 2020

Cr00zng said:
MacOS is a UNIX based OS, Next and/or FreeBSD if I recall correctly. Like most of the UNIX based system, MacOS can be started in single user mode, "Command + R" I believe. The password can be changed without knowing the old password via the terminal.

Yep, if a bad guy has your Mac, there are ways past the login. Maybe that's another reason to turn on File Vault. One more layer of Swiss cheese to get lined up to get past the security. iDevices, not so easy as there is no Single User mode and no command line interface. Also, you can set an alphanumeric passcode on iOS in addition to the two offers of 4 and 6 digit numbers, so if you are concerned, make that password really secure (just don't forget it).

There is no perfect security. The idea is to make it hard enough that it gives you time to react to the theft of your device and change what was stored on the device before the thief can get to it.

Rod · Sep 14, 2020

Cr00zng said:
@MacInWin

Yes, knowing how Apple manages the trusted devices and the 2FA does help. For seasoned Apple device users, this is a non-issue; "newbies" on the other hand will get tripped up. I still don't know what Apple does, if you have a single iDevice and the (i)OS reinstalled; where does Apple send the PIN#?

MBP password isn't as "bullet proof" as it seems, regardless of its strength. Aside from the "rubber hose" based cracking...

MacOS is a UNIX based OS, Next and/or FreeBSD if I recall correctly. Like most of the UNIX based system, MacOS can be started in single user mode, "Command + R" I believe. The password can be changed without knowing the old password via the terminal.

One could also start a MBP in target disk mode to get the data off.

FileVault would prevent last two of these methods, but one could lock him/herself out as well, if the password is forgotten and the recovery key is lost. There's that...

Thats why they strongly suggest you keep your recovery key somewhere safe, not on your device. But you need to tell some people everything, like don't keep the spare key to your wall safe inside the safe.

Cr00zng · Sep 15, 2020

@chscag
Thanks for the correction....

Physical access to any system is game over, pretty much regardless of the security configuration:

MacInWin said:
One more layer of Swiss cheese to get lined up to get past the security.

Well stated...

Rod said:
Thats why they strongly suggest you keep your recovery key somewhere safe, not on your device. But you need to tell some people everything, like don't keep the spare key to your wall safe inside the safe.

There's so many things to keep around for just in case. Some people may do it, but most of them just believe that, "It just works" and that's good enough for the majority...

Rod · Sep 15, 2020

I take it that Apple is sending "reminders" about 2FA based on Cr00zng's title for this thread. Apple can be pretty persistent about this sort of thing and I'm not sure if we have addressed this in any way. I know a while back an OP complained about the "You are running out of iCloud storage and will not continue to receive iCloud emails etc" very annoying and I wonder if anything can be done in this case to eliminate the notifications if you decide to opt out.

chscag · Sep 15, 2020

Rod said:
I take it that Apple is sending "reminders" about 2FA based on Cr00zng's title for this thread.

The only time Apple mentions 2FA is when you activate a new device: iPhone, iPad, Mac, Watch, etc. And if you are new to an Apple ID, (new account) you have no choice but to use 2FA. And, of course if you wish to apply for an Apple Credit Card, you must use 2FA or Apple will not approve the application.

And by the way, you folks in Australia should soon be offered to apply for an Apple credit card. Same for the folks in Canada, UK, and other countries in Europe.

pm-r · Sep 16, 2020

chscag said:
And by the way, you folks in Australia should soon be offered to apply for an Apple credit card. Same for the folks in Canada, UK, and other countries in Europe.

I hope Apple won't be too disappointed that I won't be applying when and if they send me such an offer, but I don't think not doing so will upset their profit margins.

- Patrick
=======

chscag · Sep 16, 2020

pm-r said:
I hope Apple won't be too disappointed that I won't be applying when and if they send me such an offer, but I don't think not doing so will upset their profit margins.

LOL, I was offered the card on several occasions and politely refused. For one, I don't like 2FA in its present form, and second, I don't need another credit card.

Rod · Sep 16, 2020

So what does, "Constant pressure to comply" refer to?

pm-r · Sep 16, 2020

chscag said:
LOL, I was offered the card on several occasions and politely refused. For one, I don't like 2FA in its present form, and second, I don't need another credit card.

You could add me for my dislike of 2FA as well, but an even stronger reason for me to not use the Apple card Is its apparent lack of support for TapandGo which makes it really hard for my serious rheumatoid arthritis ridden hands to handle. And besides, I don't want to go near the hassles we had with MasterCard years ago, apparently the owners of the Apple card here. And I just do not have any positive reason to use it and my wallet is already full with cards I do need and use. Period. !!!

- Patrick
=======

Rod · Sep 16, 2020

Patrick, I am sorry to hear about your rheumatoid arthritis it must be a PITA. Some days I get up and wonder why I bothered, between my failing vision, persistent sinusitis, and diverticulosis it can all be a bit wearing at times but it could always be a bit worse. Thanks to COVID 19 I have really started using my Apple Watch and Debit Card in earnest. I use PayPal for online purchases, a credit card for Auto Debit payment to all my utilities and TapandGo with my watch linked to a savings account for just about everything else. Once a month I balance everything up. When we arrived in Australia at the end of March I took $200.00 out of an ATM and I believe I still have about $70.00 left. I can't remember the last time I took my wallet out of my pocket to pay for anything so I certainly don't need another card.

pm-r · Sep 16, 2020

Rod said:
I can't remember the last time I took my wallet out of my pocket to pay for anything so I certainly don't need another card.

I cannot think of any business around this area that will even accept cash these days except possibly our local roadside food stand to get some of their fresh vegetables and delicious corn. And oh is it ever delicious, especially when just fresh picked!!! ??

PS: I like your new avatar. I just realized that it actually represents the Apple logo in a stylized method.

- Patrick

=======

chscag · Sep 16, 2020

pm-r said:
I cannot think of any business around this area that will even accept cash these days except possibly our local roadside food stand to get some of their fresh vegetables and delicious corn. And oh is it ever delicious, especially when just fresh picked!!!

Mostly true around here also. The only exceptions are when we hire a local handyman to do odd jobs, we pay in cash. The other day I had to pay $$ to get some of our trees trimmed and one cut down completely. Part of a heavy branch fell on my neighbor's roof. Luckily it did not do any damage. I paid the tree trimmer guys with a check. No cash there.

Rod · Sep 17, 2020

Hey Patrick, glad you like the avatar, it's actually a gif but of course you can't have a moving avatar. It's like a white dot moving leaving a blue line behind which gradually fades to almost invisible before the dot catches up and refreshes it. I copied it from an Apple News portal.

In Bali there is a lot of corn grown, mid season you see little stalls on the side of the road selling fresh, steamed and BBQ'd fresh corn. The BBQ'd corn is roasted over charcoal made from coconut husks and smothered in garlic butter. It is SO good, I miss it a lot.?

Two-Factor Authentication on Apple Devices - constant pressure to comply

MacInWin

pm-r

MacInWin

pm-r

Cr00zng

MacInWin

chscag

Well-known member

MacInWin

Rod

Cr00zng

Rod

chscag

Well-known member

pm-r

chscag

Well-known member

Rod

pm-r

Rod

pm-r

chscag

Well-known member

Rod

Shop Amazon