Apple's two stage verification gets my location wrong every time?

[C DM]

Thanks for the tip, but when I tried to sign-in with my Apple ID I got the error message "account does not exist". So I can't do this.

You might need to set up your account with developer access (for free) at https://developer.apple.com/programs/register/ first.
[doublepost=1491692498][/doublepost]

Why is it better? You can still flag feedback as a bug and give all the necessary info, logs and screenshots so it can be managed as a bug internally by Apple.

At the very least you generally get an ability to track your bug reports through Apple's bug reporter compared to just sending something in via feedback. Beyond that bug reports through the bug reporter seem to get into the hands of some technical/engineering team more directly vs. feedback that is submitted that often doesn't get any follow up or anything else.

Realistically speaking, if someone has an issue they want to see resolved, aside from directly contacting Apple by phone or chat perhaps, it's probably best to submit it through any means possible to try to increase the odds that someone would actually look at it (although that doesn't really mean that anything would be done about it, or that even if something might be done, how soon it would be done).

 

[simonsi]

Apple could easily maintain a database of where any given IP address "lives", but for some reason instead seems to use an unreliable third-party database.

The privacy police would have a field day with that approach. IP addresses have owners, Apple has to rely on what the owners tell it, good or bad. But the location is the least important element of two-factor - most users would know if they had just entered a login that would trigger a second-factor check...the correlation in time would be obvious.

 

[Aetles]

I recently switched from two-step verification to two-factor authentication and encountered this issue as well. I know my home IP address is correctly pinpointed geographically (like creepily precise) in every other form location based service and hasn't changed in a long time, so why is Apple off by 40 miles?

For non-power users this must seem like they're being hacked all the time.

Also; why can't Apple just tell me the IP address? Then I immediately would know if it's me or not. Both appleid.apple.com and icloud.com will only give me the currently logged in devices, but not their IP-address. I can't find any log either of previous logins.

 

[simonsi]

so why is Apple off by 40 miles?

Because they clearly use a different 3rd party DB and it isn't as precise - but you describe more precise as "creepily" so its hard to get that right???

TBH the security comes from the timing of the login (was it one you have like <just> initiated...) rather than the where the login occurred from.

 

[GreyOS]

Because they clearly use a different 3rd party DB and it isn't as precise - but you describe more precise as "creepily" so its hard to get that right???

TBH the security comes from the timing of the login (was it one you have like <just> initiated...) rather than the where the login occurred from.

Agree on last point, so they ought to remove the map from the pop up and show that in a secondary ‘more details...’ thing as a suggestion. If they really can’t improve accuracy that is.

 

[LoveToMacRumors]

So whenever I log in with my Apple ID on any device I get a prompt on my iPad asking to confirm that log in attempt. But it always says that I'm trying to log in from London. This is an issue because I live over a 100 miles away from London (in the UK). So the security seems lax here. How do I know if a log in attempt was created by myself or someone else when my location is always shown as London, hundreds of miles from where I currently live?

Same with me, it's your ISP

 

[Aetles]

Because they clearly use a different 3rd party DB and it isn't as precise - but you describe more precise as "creepily" so its hard to get that right???

My point was that I don't believe there is any 3rd party DB that bad. Any kind of location-by-IP will get my home town correctly. The "creepily" part is bothering on occasion, but since the information is out there already, freely and publicly available, I would very much like Apple to use this information when telling my account is being accessed.

Otherwise, what is the point with showing me a map if the location is so randomly off that it looks like I'm being hacked. That will only confuse people.

TBH the security comes from the timing of the login (was it one you have like <just> initiated...) rather than the where the login occurred from.

Yes, but you see, it isn't always that immediate, not for me at least. If it would happened instantly, then I would assume it is my own action but when the request is delay a couple of minutes or more, then it seems suspicious. What if I've fallen for a phising scam and it's the attacker that is trying to use the login information?

All of this would be so easily solved if Apple just showed me the IP address of the login attempt. Preferably with an exact time stamp of the attempt. I don't ge the logic behind hiding that, is it because they think common users don't understand IP addresses?

 

[simonsi]

I would very much like Apple to use this information when telling my account is being accessed.

Why? You get the warning notification that a login has been made within a few moments, just how many logins do you carry out where you could possibly require the location information to discriminate between your multiple legitimate ones??? If you didn't login but the location showed your house would you trust it was "you"?

Again the actual benefit comes from the timing, if I get a notification right now I'd know it wasn't genuine irrespective of any location information because I haven't initiated a login for a couple of days. The location information, accurate or not (and tbh to a regional level is probably sufficient), is "interesting" to "irrelevant" information (or you should teat it as such), when deciding whether an access attempt is genuinely you or not.

 

[Aetles]

Why? You get the warning notification that a login has been made within a few moments, just how many logins do you carry out where you could possibly require the location information to discriminate between your multiple legitimate ones??? If you didn't login but the location showed your house would you trust it was "you"?

As I said I recently switched from two-step verification to two-factor authentication, and that meant that I hade to login again from all my devices, and I have some old iPhones and Mac running as well, and when the location and the timing was off in Apples message then I hit deny and hade to redo it later. So unusually many logins right now, but enough to be bother by the confusion.

If they just showed me my home town instead of a different town halfway across the country, the I would assume it was from my IP and it was my doing.

Now I've got an alert from a completely different location that clearly isn't me, so now I have stop and think: is this really my login with a mistaken location? Or is it a hacker, a man-in-the-middle-attack, a phising scheme? Why is Apple showing me this other different location? Why can't they pinpoint me like everyone else?

I don't understand your arguments, why are you defending a clearly confusing behaviour from Apple? Why is it so hard to understand that pushing a map in my face with some other location is less optimal then actually showing my location? Remember that any other location service gets my location correct, and therefor I'm extra suspicious if a big company like Apple couldn't, so the first thought is "this must be someone else".

Again the actual benefit comes from the timing, if I get a notification right now I'd know it wasn't genuine irrespective of any location information because I haven't initiated a login for a couple of days. The location information, accurate or not (and tbh to a regional level is probably sufficient), is "interesting" to "irrelevant" information (or you should teat it as such), when deciding whether an access attempt is genuinely you or not.

Again, it does not always happen instantly. For example, I entered my iCloud credentials on an old iPhone and went on doing other stuff and then, perhaps 5 minutes later, I get the message with the wrong location and no IP address and no timestamp. That is not good UX.

Also, it's not only about me, I'm thinking of how other users, non-power users, is experiencing this. They will probably be scared unnecessarily.

(And again, Apple have all the information I need, if the just did like Facebook and Google and others do – giving me the IP-address as well – it wouldn't be the same issue, then I could quickly dismiss the incorrect location data.)

 

[simonsi]

I don't understand your arguments, why are you defending a clearly confusing behaviour from Apple?

Long story short, you want your location pinpointed otherwise you aren't happy. I'm simply saying that necessary and you shouldn't primarily be guided by the location. As to why they don't pinpoint - I suspect that may be a technical limitation (which they may or may not want to fix/improve), or it could be deliberate as showing precise locations they (note "they") may consider a privacy issue...I don't know, I'm not Apple. This isn't a discussion one of us needs to win, its just a difference of opinion.

 

[Aetles]

Following up with some recent writing about this issue:

Glenn Fleishman, Macworld: Why Apple shows a strange location for a two-factor login confirmation
Kirk McElhearn: Apple Two Factor Authentication and Sign-In Location
Nick Heer: There’s an Easy Apple Maps Joke Here, I Just Know It

 

[kevinthebright]

I'm in Seattle and it always says I'm signing in from Peoria, IL.