2-step verification

[crashoverride77]

so 2step is finally working on iCloud.com apart from find my iphone. So when you go to look for a device you can still ERASE it. It even warns you that it will remove the device from your trusted list.
This is awesome because if your password gets stolen all your devices can be erased and removed from trusted devices and you can only log back in via your Security code.

 

[madsci954]

Another way to look at it, you only have one device. It gets stolen, how are you suppose track or lock it? In its current state, you change your password, and restore your backup. The backups are encypted (if you use a passcode or Touch ID) now and your cloud data is safe.

 

[Rigby]

Another way to look at it, you only have one device. It gets stolen, how are you suppose track or lock it? In its current state, you change your password, and restore your backup. The backups are encypted (if you use a passcode or Touch ID) now and your cloud data is safe.

Unfortunately nothing has changed with regard to the security of iCloud backups. It is still possible to download the backup with just the iCloud password and extract most of the data (the only exception being data that are tied to the device, like the keychain). The only thing that has changed is that users now receive a notification when their cloud backup has been accessed (previously hackers could download the backup without the owner ever knowing).

 

[anyjungleinguy]

Unfortunately nothing has changed with regard to the security of iCloud backups. It is still possible to download the backup with just the iCloud password and extract most of the data (the only exception being data that are tied to the device, like the keychain). The only thing that has changed is that users now receive a notification when their cloud backup has been accessed (previously hackers could download the backup without the owner ever knowing).

False.

 

[crashoverride77]

Another way to look at it, you only have one device. It gets stolen, how are you suppose track or lock it? In its current state, you change your password, and restore your backup. The backups are encypted (if you use a passcode or Touch ID) now and your cloud data is safe.

I agree with you its just weird since 2 step is ment to make your account more secure. So a stolen password is not a disaster especially now since it works on iCloud.com apart from the fact that all your devices can still be whiped.
Why not allow find my ihpone but to erase it you will need your 2step verification key?

 

[Rigby]

False.

This is just a bug in the Elcomsoft tool. Restoring an iCloud backup from an account with 2-factor authentication does still NOT require a secondary code. You can easily try this yourself by restoring a cloud backup to an iOS device.

 

[anyjungleinguy]

This is just a bug in the Elcomsoft tool. Restoring an iCloud backup from an account with 2-factor authentication does still NOT require a secondary code. You can easily try this yourself by restoring a cloud backup to an iOS device.

You can't sign into a iCloud on a new device without a two factor authentication code. If you can't sign into iCloud, you can't restore from an iCloud backup.

 

[Rigby]

You can't sign into a iCloud on a new device without a two factor authentication code. If you can't sign into iCloud, you can't restore from an iCloud backup.

I restored a new phone from an iCloud backup just yesterday. I did it from the initial setup process (the same that you get after erasing a phone). I was never asked for a secondary code.

 

[Solver]

Did your account have two factor authentication activated?

Mine is activated and I couldn't restore a backup on a new device without a second authentication.

 

[Rigby]

Did your account have two factor authentication activated?

Yes, of course.

Mine is activated and I couldn't restore a backup on a new device without a second authentication.

Well, that's not what I saw yesterday (but it's exactly how I think it *should* work). I don't have another new iOS device to test right now unfortunately.

 

[Primejimbo]

I restored a new phone from an iCloud backup just yesterday. I did it from the initial setup process (the same that you get after erasing a phone). I was never asked for a secondary code.

When I set up my new iPhone 6 and my wife did too, it asked us. We sent it a text to the phone we were setting up and it went from there. Even when I upgraded my iPhone 5s to iOS 8 it asked me to verify myself. Not sure what you're doing, but 3 times it asked me.

My daughter ran into it also updating to iOS 8 along with mom on her iPad. Both also have 2 step verification set up.

So 5 family members had this happen and people on here had it happen, something tells me you don't have it set up.

Did your account have two factor authentication activated?

Mine is activated and I couldn't restore a backup on a new device without a second authentication.

It happens to me too, I was very happy

 

[crashoverride77]

When I set up my new iPhone 6 and my wife did too, it asked us. We sent it a text to the phone we were setting up and it went from there. Even when I upgraded my iPhone 5s to iOS 8 it asked me to verify myself. Not sure what you're doing, but 3 times it asked me.

My daughter ran into it also updating to iOS 8 along with mom on her iPad. Both also have 2 step verification set up.

So 5 family members had this happen and people on here had it happen, something tells me you don't have it set up.


It happens to me too, I was very happy

Yeah they have definitely added two factor to the set up process, I had to verify both my iPad and IPhone during the setup process for iOS 8. I think it's great same goes for iCloud.com, I just wish you couldn't erase in find my iPhone without second verification first.

 

[Primejimbo]

Yeah they have definitely added two factor to the set up process, I had to verify both my iPad and IPhone during the setup process for iOS 8. I think it's great same goes for iCloud.com, I just wish you couldn't erase in find my iPhone without second verification first.

But if the worse that can happen is they wipe my phone and I just have to restore it, I can live with it. It's a lot better than someone stealing your data.

 

[Rigby]

But if the worse that can happen is they wipe my phone and I just have to restore it, I can live with it. It's a lot better than someone stealing your data.

Depends on the situation. I'm quite dependent on my phone when traveling these days, and it's not so easy to restore then. Also remember that they can just as well wipe your computer if you have "Find my Mac" activated (which is what happened to Matt Honan when his account was hacked).

I agree that 2-factor should be enabled for "Find my iPhone". At least we now get a notification when someone logs into iCloud from an unknown device and starts tracking our location ...

 

[crashoverride77]

Depends on the situation. I'm quite dependent on my phone when traveling these days, and it's not so easy to restore then. Also remember that they can just as well wipe your computer if you have "Find my Mac" activated (which is what happened to Matt Honan when his account was hacked).

I agree that 2-factor should be enabled for "Find my iPhone". At least we now get a notification when someone logs into iCloud from an unknown device and starts tracking our location ...

This is the problem I see, the hassle of doing the resets. It's great that the data is safe and find my iPhone should work without 2step, just not the ERASING and LOCKING.
If someone gets the password of an Apple ID and they realise that 2step is on they will almost certainly erase the devices, even if it's just for fun because they cannot do anything else. Exactly like you said happened to Matt, and if you have no backup you could loose a lot of private data.

 

[Primejimbo]

This is the problem I see, the hassle of doing the resets. It's great that the data is safe and find my iPhone should work without 2step, just not the ERASING and LOCKING.
If someone gets the password of an Apple ID and they realise that 2step is on they will almost certainly erase the devices, even if it's just for fun because they cannot do anything else. Exactly like you said happened to Matt, and if you have no backup you could loose a lot of private data.

At least it's a step in the right direction. As long as you don't use the same password for multiple things, you should be fine, but I do see your point. Seeing I have Touch ID now, I am going to make my iTunes password a little longer now. It's not bad now, but I think it could be better.

 

[crashoverride77]

At least it's a step in the right direction. As long as you don't use the same password for multiple things, you should be fine, but I do see your point. Seeing I have Touch ID now, I am going to make my iTunes password a little longer now. It's not bad now, but I think it could be better.

Yes it is. Not having 2 step before on icloud.com and during ios set ups was a major flaw, and hindered me to moving all my emails to an icloud alias.

 

[Solomani]

Need clarification regarding 2-Step Authentication:

The iCloud website states you need "another device", and that devices needs to be able to verify using SMS. But that device also needs to authenticate using a valid phone number.

Sooo…. this means that iPads, iPods, PC/Mac cannot be used to verify a 2-Step Authentication. In other words, someone correct me if I am wrong, an iPhone (or another smartphone) is absolutely necessary to own in order to even initiate 2-Step Authentication?

For example, an iMac or a PC can send messages via SMS easily. But they don't have phone numbers. Same can be said with an iPad Air or an iPod touch.

 

[Rigby]

The iCloud website states you need "another device", and that devices needs to be able to verify using SMS. But that device also needs to authenticate using a valid phone number.

Sooo…. this means that iPads, iPods, PC/Mac cannot be used to verify a 2-Step Authentication.

Apple can deliver the authentication codes to any iOS device via Apple Push Notification as long as it has Internet access. The trusted phone numbers for SMS are an additional delivery channel (and the number doesn't have to belong to an iPhone, but can be any type of phone that can receive SMS). So yes, you can add your iPad as a trusted device. Using a PC/Mac is currently not possible though. As far as I remember, you are required to add at least one trusted phone number.

 

[MoodyM]

I got asked on my iPhone 6 Plus today to verify. The only 2 options I had were "iPhone 6 Plus" or "phone number ending xxx".

So basically I'm verifying that device from the device that I'm already on...

 

[crashoverride77]

Need clarification regarding 2-Step Authentication:

The iCloud website states you need "another device", and that devices needs to be able to verify using SMS. But that device also needs to authenticate using a valid phone number.

Sooo…. this means that iPads, iPods, PC/Mac cannot be used to verify a 2-Step Authentication. In other words, someone correct me if I am wrong, an iPhone (or another smartphone) is absolutely necessary to own in order to even initiate 2-Step Authentication?

For example, an iMac or a PC can send messages via SMS easily. But they don't have phone numbers. Same can be said with an iPad Air or an iPod touch.

Yes you MUST HAVE at least one valid phone number (on a device SMS Capable) to use 2step but I don't think it has to be an iphone. In addition to the phone number you can use other ios devices like iPads/iPods if you got find my iPhone turned on (think you must install the app as well).
That's what I do, use my iPad air and my telephone number. You cannot use Macs yet as a trusted device. We don't know yet how Apple will handle 2step via SMS with continuity working on ios8 and OS X Yosemite, probably the reason they delayed SMS continuity until October to figure this out.
Hope that helps but feel free to ask more questions