It's because you've already entered your iCloud password when you signed into iCloud on your device. Now you only need to prove you have access to the device via the passcode. If you were not signed into iCloud on your device, it would ask you for the iCloud password, instead of the passcode.
I concur. Also, it's possible it could be due to iCloud Keychain, but that's just a guess.
I'm going to Settings -> "account name" -> Password & Security (no password asked) -> Change password.
Here I get the message:
Enter Passcode. This iPhone can be used to change your password because you are signed into iCloud and have a passcode enabled.
With my passcode I can change my Apple password now!! It happens on two devices.
Same issue here as the OP
IIRC this issue has come about because when you set up your phone from new and you enable the passcode as default from a new out-of-the-box setup, it acts as a way of backup if you forgot your Apple ID password, as I have had this told to me from Apple live chat, as in the past my mum has forgotten her Apple ID password and nearly made her shiny new 6 Plus a brick.
So it's been about for some time and is not an iOS 11 bug.
It's scary to think that if you're out and lose your phone and they get your password by a fluke, it could happen, and it needs sorting...
In all reality, I understand that it's possible to be out and about and leave your phone lying somewhere, and the concern being someone could get into it and change your Apple ID password that way, but if you have it set to auto lock after 2 minutes and are aware of not leaving it unlocked and unattended, I don't see the big concern. If someone has physical access to your device, you have quite a few problems. A 6 digit passcode is pretty sufficient as far as balancing security and convenience, but if it's not for you, there's always the ability to set a longer one and an actual password as a passcode. Also, if say someone had physical access to your device and let's say it wasn't unlocked, then having on erase data after 10 attempts would foil them in trying to brute force it (even without that it would start locking them out eventually). If it was unlocked, they would still have to brute force your passcode in order to change your Apple ID password, and I'm sure it locks you out from attempting it again after so many tries. The level at which it's a major concern seems to me to be something that would be a targeted attack, which at that point, there is little the majority of people could do to prevent it...
Has anyone tried turning on recovery keys? Seems like that would take care of this.
It's weird you have the option to turn that on while also having 2FA on.
https://www.macworld.com/article/29...-authentication-for-el-capitan-and-ios-9.html