When 2FA isn’t 2FA: How Apple’s iCloud authentication system fails to protect your account

“With an iCloud account and an Apple device, two-factor authentication is quite different than it is on any other device or account. As is the Apple way, 2FA on your iPhone or Mac is baked into the device you own, setting up a system that is theoretically as secure as a security key,” Michael Simon writes for Macworld. “Except when it’s not.”

“While it appears as though Apple has all of the 2FA bases covered, its proprietary system of trusted devices isn’t without its flaws,” Simon writes. “For one, it works best when you have more than one iOS device. Not only does it add an extra layer of protection by bringing a second device into the mix, it’s true 2FA, pairing something you know (your password) with something you have (your device).”

Simon writes, “But if you only have a single Apple device, you’re kind of out of luck, and that’s where the trouble starts.”

Read more in the full article here.

MacDailyNews Take: We find it humorous when we input our password to log into our Apple ID account page and Apple prompts us to enter a 2FA code on the very device we’re using. It’s so convenient! Still, overall, it’s better than a straight UN/PW system.

9 Comments

  1. Apple’s 2FA is their version of the Windows Vista cancel or allow fiasco. Gee, maybe throwing another million notifications at me will change my mind, you think? Um, no.

  2. The “problem” this author requires the bad actor to know both your Mac’s login password and your iCloud account password. Don’t share those and you should have no worries with Apple’s authentication system.

  3. Don’t the majority of Apple users have more than one Apple device? I mean, it’s hard to “get” why Apple products are better, if you don’t experience how each additional device seems to make the other ones better and more useful. I work from home. Im constantly moving from iPhone to iPad to Mac (where I write long form projects). Save once, save everywhere via iCloud. And being able to access safari tabs open in any Apple device from all others saves me hours per month. When I’m away, Apple Watch let’s me keep my iPhone in my pocket virtually all the time. It’s a lovely ecosystem.

    1. By devices I think they mean iPad, Mac, iPhone. Having only one of those three and having any number of iPod, AirPod, HomePod, Apple Pencil, etc. will still prevent you from actually having the ‘Full” 2FA the article discusses. It is highly possible that the actual majority of Apple users only have one of the former 3 devices.

  4. Apple’s Two factor authentication is designed to prevent bad actors from accessing your iCloud account from a remote device.

    Accessing your own account from your own device(s) requires additional authentication, i.e. TouchID/FaceID/device password.

    It never ceases to amaze me that so-called Apple fans don’t understand this.

    Some Apple users are like extreme left-wing liberals, they take joy in eating their own. The worst anti-Apple double standard is perpetuated by toxic Apple users.

  5. This is so misleading!

    1st factor = something you know = the password
    2nd factor = something you have = the device

    What is so hard to understand? using a second device only helps if you assume your first device is infested with malware. But if you are infested with malware, that’s an entirely different problem and it’s called windows.

  6. The author seems to miss at least three points here. Currently, Keychain requires both an iOS passcode and 2FA. Without both no Keychain. That 2FA sends the code to the very device you are using only happens after, in the initial setup, you approve that device’s browser to be used in the future in case you don’t have another device nearby. Be sure to lock your front door, but leave a key under the mat. Oops! I forgot the third point…

    1. Apple says some services won’t work without 2FA, but I can’t find which ones anywhere. Implementation has been very poor and has caused me pain. Working better now. I can’t get my parents to even use a passcode or Touch ID. So of course, can’t use Keychain, which would be nice. They have multiple devices but extremely poor internet thus mostly using cellular. In that environment, 2FA continues to cause issues for me but not when I’m elsewhere. Therefore, I am still reluctant to insist they use even a passcode, Touch ID or especially 2FA. They don’t do banking or anything sensitive online. I can’t suggestions?

  7. This 2FA is the biggest pain a ass. I have my own iCloud account & my son has his own iCloud, which is tied to the App Store & iTunes. This is because we have 1000’s of apps & music. Anything happens where I have to set up anew device, or have to log back in, I have to sit & wait for him to send me the code. I’m so sorry for setting this up & pissed Apple won’t let me turn it off.

Add Your Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.