Confused by Apple's Two Factor Authentication?

[kat.hayes]

I just logged into iCloud through Chrome on my MacBook Pro. This was the first time I had done this so it asked me to enter a password in my browser and the password was displaying on my Mac. I don't remember exactly how the password displayed, though I thought the whole point of this would be to display the password on my phone so I would have to get the password from my phone and enter into the browser on my Mac to ensure it was really me and I owned both devices. If someone stole my MacBook Pro and had access to my password, how is this adding any extra layers of security?

And, does this mean I have two factor authentication enabled for all of my devices or do I have to enable it individually for each device?

Thanks.

 

[Rigby]

The verification code will be shown on all your trusted devices (which are by default iOS devices and MacOS computers that you have previously signed in using two-factor auth). You can "untrust" a device by going to appleid.apple.com, clicking on a device and selecting "remove".

 

[Alrescha]

I thought the whole point of this would be to display the password on my phone so I would have to get the password from my phone and enter into the browser on my Mac to ensure it was really me and I owned both devices.

The two-factor authentication is protecting your iCloud account, not your Mac. One factor is your password, the other is a trusted device. The fact that Chrome *happens* to be running on a trusted device is not important.

A.

 

[kat.hayes]

1. I do not remember seeing the verification code pop up on my other devices. How do you sign in using two-factor authentication on a device to make it trusted?

2. So every iOS/MAC OS device I have that is logged into iCloud will be using two factor authentication since I turned it on somewhere?

3. What I still dont understand is the pass code showed up on my MBP and I had to enter it into my MBP. How is this adding any extra security?

Thanks.

 

[Alrescha]

3. What I still dont understand is the pass code showed up on my MBP and I had to enter it into my MBP. How is this adding any extra security?

You were not authenticating your MacBook, you were authenticating Chrome. At the risk of being repetitive, you need two things for two-factor authentication - your password and a trusted device. The MacBook was one of those.

Chrome could just as easily been on a bad actor's laptop.

A.

 

[Rigby]

1. I do not remember seeing the verification code pop up on my other devices. How do you sign in using two-factor authentication on a device to make it trusted?

You should see it on any iOS/MacOS device that is logged into iCloud.

2. So every iOS/MAC OS device I have that is logged into iCloud will be using two factor authentication since I turned it on somewhere?

What exactly do you mean by "using two factor authentication"? Once you enable it, there is no other way to log in to your iCloud account.

3. What I still dont understand is the pass code showed up on my MBP and I had to enter it into my MBP. How is this adding any extra security?

It adds security in the sense that nobody can log in to your account even if they know your password, since they don't have a trusted device and thus will not be able to receive a verification code.

 

[kat.hayes]

I guess I wasn't clear in what I was trying to say. If somebody stole my "trusted" device, MacBook, and tried to log into iCloud using my stolen "trusted" device, what good is it that the passcode displays on the "trusted" stolen device that enables the thief to log right in? If it only displayed on one of the other "trusted" devices of the owner that would seem to make more sense....

 

[zone23]

I guess I wasn't clear in what I was trying to say. If somebody stole my "trusted" device, MacBook, and tried to log into iCloud using my stolen "trusted" device, what good is it that the passcode displays on the "trusted" stolen device that enables the thief to log right in? If it only displayed on one of the other "trusted" devices of the owner that would seem to make more sense....

Well hopefully your MacBook has a password that would keep someone out but yes if none of your devices have passwords then your screwed. PS without a PIN on you iPad/iPhone icloud will not sync keychain which stores your passwords.

 

[Rigby]

I guess I wasn't clear in what I was trying to say. If somebody stole my "trusted" device, MacBook, and tried to log into iCloud using my stolen "trusted" device, what good is it that the passcode displays on the "trusted" stolen device that enables the thief to log right in?

What exactly are you trying to protect against? Given that all trusted devices are logged into iCloud anyway, someone who has access to your unlocked device can already access most of your iCloud data without having to log in again. The best you can do for the case of device theft is to make sure that your device is access protected (strong passcode/password, and Filevault enabled on Macs).

 

[Brookzy]

I guess I wasn't clear in what I was trying to say. If somebody stole my "trusted" device, MacBook, and tried to log into iCloud using my stolen "trusted" device, what good is it that the passcode displays on the "trusted" stolen device that enables the thief to log right in? If it only displayed on one of the other "trusted" devices of the owner that would seem to make more sense....

This is a good point. The problem is that in your proposed setup, if you for example owned a MacBook and an iPhone, and you lost your iPhone, you'd be locked out of your MacBook as well.

 

[Manatlt]

I guess I wasn't clear in what I was trying to say. If somebody stole my "trusted" device, MacBook, and tried to log into iCloud using my stolen "trusted" device, what good is it that the passcode displays on the "trusted" stolen device that enables the thief to log right in? If it only displayed on one of the other "trusted" devices of the owner that would seem to make more sense....

As someone mentioned earlier, it is not authenticating the Macbook, it's authenticating Chrome. It is not an Apple application so Apple/macOS has no idea what you're doing in Chrome. So that's why it's treating Chrome as you using another computer.

Use Safari if you want to skip the verification process.

 

[Rigby]

Use Safari if you want to skip the verification process.

Using Safari does not skip the verification process when logging into icloud.com for the first time (you can of course tell it to store a cookie so the computer is "trusted" on subsequent logins, but that works with any other browser too).

 

[NJRonbo]

Guys,

I am very confused by this authetification. I am against it. Have already started it and I am getting nothing but problems --- particularly with email that does not want to sync properly across all devices even though the password is the same.

Anyhow, here's my question....

What exactly does Apple want us to switch over to two-step authentification?

Is it any app that uses iCloud sync?

I want to avoid the verification process iif at all possible. It's very tedious. I am hoping I am misunderstanding exactly what apps Apple will require to be protected.