
ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
I just received an email message from Apple stating that my two-step authentication would change over to two factor authentication when I install iOS 11. I understand why this change is being made, but I have a concern. I enabled the old two-step authentication back when it was a new feature and generated a recovery key. I memorized this recovery key because I only had an iPhone at the time and entering the recovery key was the easiest way for me to authenticate a new device. Now, however, there seems to be no recovery key with the new two-factor authentication.

Suppose I only have one trusted device, an iPhone, and the only trusted phone number is connected with that device. How am I to authenticate that single device with the new two factor authentication? If I ever need to erase my iPhone, how do I sign into this iPhone if I own no other Apple devices? I'm deaf and using a once telephone would mean that I would need to trust another person with the security of my iCloud account and that isn't going to happen. Can I somehow generate a new recovery key with the new two factor authentication like I did with the two step auth?
 

QzzB

macrumors regular
Mar 7, 2015
128
55
London
There is no recovery key on the two factor. It does use any verified mobile number and sends a text message if you need to recover. So if you had one iPhone that was stolen - you can recover wire you get a new SIM and a new phone to receive text messages.

Hopefully that makes sense?
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
There is no recovery key on the two factor. It does use any verified mobile number and sends a text message if you need to recover. So if you had one iPhone that was stolen - you can recover wire you get a new SIM and a new phone to receive text messages.

Hopefully that makes sense?
If I buy a new SIM and iPhone to receive text messages, then I would have to first authenticate that new iPhone. How do I do that when, in your example, my only trusted device was stolen? This is where the recovery key would come in handy. However, as you've stated, there is no recovery key with the new two factor authentication.

How would I authenticate my iPhone, my only trusted device, after erasing it and resetting to factory settings?
 

QzzB

macrumors regular
Mar 7, 2015
128
55
London
The assumption is you wouldn't just buy a new SIM card but get your old one replaced by reporting as stolen from your network provider. The same number would be attached to a new SIM and then would receive the recovery text messages.

I'm assuming that you wouldn't give up your number if you lost your phone or had it stolen?
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
The assumption is you wouldn't just buy a new SIM card but get your old one replaced by reporting as stolen from your network provider. The same number would be attached to a new SIM and then would receive the recovery text messages.

I'm assuming that you wouldn't give up your number if you lost your phone or had it stolen?
Ah, I see what you're saying.. and that would indeed be the thing to do. What would I do in the case of erasing my only trusted device due to an incurable problem? How would I then authenticate it after reinstalling iOS?
 

QzzB

macrumors regular
Mar 7, 2015
128
55
London
Find my iPhone is available by logging onto iCloud.com with your password. You don't need to use a trusted device or provide the 2nd factor.

If you log in to iCloud.com from a browser (or in-private on a Mac if you have logged in before) and just log in with username and password, on the code screen click on the Find my iPhone towards the bottom of the screen. Can wipe, lock and locate devices from there.
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
Find my iPhone is available by logging onto iCloud.com with your password. You don't need to use a trusted device or provide the 2nd factor.

If you log in to iCloud.com from a browser (or in-private on a Mac if you have logged in before) and just log in with username and password, on the code screen click on the Find my iPhone towards the bottom of the screen. Can wipe, lock and locate devices from there.
That won't work as I do not own a computer. And, logging into my iCloud account from a computer at the local library would require me to first authenticate that browser (via a text message on a trusted device, which is no longer available because it was wiped) in order to access my Apple ID.

I'm not trying to be a PITA here, I'm just trying to figure out a way that all of this doesn't boil down to a single point of failure, which is what two factor auth appears to be at the moment. Owning only a single Apple device seems to make two factor authentication a very troublesome ordeal.
 

QzzB

macrumors regular
Mar 7, 2015
128
55
London
No. Any browser with internet access can locate your device. As I mentioned when you go to iCloud.com and login, if you cannot authenticate you can still report and wipe a device.

I was mentioning Safari in case you wanted to try it.

Screenshot of what it looks like if you cannot do the 2nd factor authentication. (Now attached)

Untitled.jpeg

As you can see, can remove Apple Pay, Block Apple Watch or Find my iPhone without entering the code. From any browser, as long as it can reach iCloud.com
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
No. Any browser with internet access can locate your device. As I mentioned when you go to iCloud.com and login, if you cannot authenticate you can still report and wipe a device.

I was mentioning Safari in case you wanted to try it.

Screenshot of what it looks like if you cannot do the 2nd factor authentication. (Now attached)

View attachment 702601

As you can see, can remove Apple Pay, Block Apple Watch or Find my iPhone without entering the code. From any browser, as long as it can reach iCloud.com
I understand. However, I need to learn how to reinstall iOS and authenticate a device after erasing it. How would I do this if my only Apple device is the iPhone that I just wiped? It is not lost/stolen, I just need to reinstall the OS and log into my Apple ID with two factor authentication enabled. With the old two step auth, at least I had a recovery key in the event that no other trusted device was available. But this recovery key is not an option with the two factor authentication.

From the email I just received from Apple, I will be forced to move from the old two step auth to the new two factor auth when I install iOS 11 and I need to know what to do in the event of an emergency.
 

QzzB

macrumors regular
Mar 7, 2015
128
55
London
I understand. However, I need to learn how to reinstall iOS and authenticate a device after erasing it. How would I do this if my only Apple device is the iPhone that I just wiped? It is not lost/stolen, I just need to reinstall the OS and log into my Apple ID with two factor authentication enabled. With the old two step auth, at least I had a recovery key in the event that no other trusted device was available. But this recovery key is not an option with the two factor authentication.

I have never done this, and have multiple devices. I think that Apple would have come up with something for this. Maybe the phone can read the authentication text in that case? Might be worth asking Apple?

By the sounds of it you're using the Beta on your only device? That's not that recommended as it can cause some problems, have bugs and restrict use of your device. Usually Betas are used on a spare device or in the case of the security, would only use it if you have access to another device for recovery. Bear in mind the Beta is full of bugs, there could be a bug that causes the iCloud account to lockout, or something similar. And in that case I can't see how you would be able to fix, as Apple don't support any Betas.

The old recovery key was meant to be an emergency way into your account rather than something you use regularly. You have a bit of an unsupported setup as limited access to devices unfortunately. The change in the security is only ever a good thing to securely protect your account and personal information, and there would have been a reason why Apple changed this from a security perspective.
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
I have never done this, and have multiple devices. I think that Apple would have come up with something for this. Maybe the phone can read the authentication text in that case? Might be worth asking Apple?

By the sounds of it you're using the Beta on your only device? That's not that recommended as it can cause some problems, have bugs and restrict use of your device. Usually Betas are used on a spare device or in the case of the security, would only use it if you have access to another device for recovery. Bear in mind the Beta is full of bugs, there could be a bug that causes the iCloud account to lockout, or something similar. And in that case I can't see how you would be able to fix, as Apple don't support any Betas.

The old recovery key was meant to be an emergency way into your account rather than something you use regularly. You have a bit of an unsupported setup as limited access to devices unfortunately. The change in the security is only ever a good thing to securely protect your account and personal information, and there would have been a reason why Apple changed this from a security perspective.
No, I still have iOS 10.3.2 on an iPhone 6s (I don't trust beta software). The questions I'm asking in this thread are merely for the purpose of educating myself and having something to fall back on in the event of an emergency. Having a recovery key was a good thing, but is no longer an option - two step auth will automatically change over to two factor auth when iOS 11 is installed.

The point I was trying to make is that two factor authentication is extremely burdensome if a person owns only a single Apple device (only one trusted device) and needs to reinstall the operating system on that device. It's a single point of failure - putting all of one's eggs in one basket - due to the lack of some type of recovery key.
 

QzzB

macrumors regular
Mar 7, 2015
128
55
London
This is true. To be honest I don't know what happens in that scenario. I'm assuming that the setup or activation wizard in iOS can read the incoming text verification and will authenticate itself, only way I can see it working. I would have thought Apple thought of this when creating it. Might be worth trying it if you have a spare account?? Be interesting to know
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
This is true. To be honest I don't know what happens in that scenario. I'm assuming that the setup or activation wizard in iOS can read the incoming text verification and will authenticate itself, only way I can see it working. I would have thought Apple thought of this when creating it. Might be worth trying it if you have a spare account?? Be interesting to know
Yeah, I've been with Apple since 2012 and they've never let me down. Surely they have thought about this scenario and there is a way around the problem.. I just need to find it.

@QzzB Thank you for your time and assistance :)
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,151
15,635
California
The point I was trying to make is that two factor authentication is extremely burdensome if a person owns only a single Apple device (only one trusted device) and needs to reinstall the operating system on that device. It's a single point of failure - putting all of one's eggs in one basket - due to the lack of some type of recovery key.

What you need to do is in that 2FA setup screen add some other trusted numbers as backup. You can add a friend's SMS or even your home phone (it will robo call you). I added my home phone and my daughter's SMS as backups. So in an emergency like you described I would still have a way to get the code.
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
What you need to do is in that 2FA setup screen add some other trusted numbers as backup. You can add a friend's SMS or even your home phone (it will robo call you). I added my home phone and my daughter's SMS as backups. So in an emergency like you described I would still have a way to get the code.
Well, I'm deaf and cannot use a phone. I would have to trust someone else to accept the call and I'm unwilling to trust anyone else with the security of my Apple ID. I know it's only a security code, but it is still tied to my Apple ID in some way and that makes me nervous.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,151
15,635
California
Well, I'm deaf and cannot use a phone. I would have to trust someone else to accept the call and I'm unwilling to trust anyone else with the security of my Apple ID. I know it's only a security code, but it is still tied to my Apple ID in some way and that makes me nervous.
You are only really entrusting them with half the keys to the kingdom though. They would have to have your user name and password, and be on the trusted numbers lists to be able to do anything with it.

So in my case, with having my daughter's SMS on there, she can't get in unless she has my password already.

Edit: You have a TDD at home? I'm wondering if Apple's robo call with the code would work with that? Might be worth calling and asking them.
 
Reactions: ardchoille50

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
You are only really entrusting them with half the keys to the kingdom though. They would have to have your user name and password, and be on the trusted numbers lists to be able to do anything with it.

So in my case, with having my daughter's SMS on there, she can't get in unless she has my password already.
Hmm, that is a very good point. And, the code that is sent is a one-time code anyway and so it would be useless once the device is set up and authenticated - even a re-sent code is different from the first one that was sent. I remember using "one time pads" when I was studying encryption, they're rather secure. Well, this takes all of the worry out of my scenario. Thank you sir! :)
 
Reactions: Weaselboy

Rigby

macrumors 603
Aug 5, 2008
6,222
10,168
San Jose, CA
If I buy a new SIM and iPhone to receive text messages, then I would have to first authenticate that new iPhone. How do I do that when, in your example, my only trusted device was stolen?
You do not need to log in to iCloud in order to activate a new phone to the point where it can receive text messages (just choose "skip" when it asks you to log in during the setup process), so there should be no issue as long as the SIM is for a phone number you registered as a trusted number.
How would I authenticate my iPhone, my only trusted device, after erasing it and resetting to factory settings?
If you erase an existing phone, that will automatically deactivate activation lock, so again you will not need to log in to be able to receive texts.

If all else fails, you could still go through the account recovery process. However, I think it would be a better idea to add the phone number of a family member or friend as a backup solution as suggested above. Another option would be to keep an old iPhone around as a second trusted device, or perhaps get an iPod Touch for that purpose.
 

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
If you erase an existing phone, that will automatically deactivate activation lock, so again you will not need to log in to be able to receive texts.
Since when? I've always had to go in and turn it off prior to erasing an iOS device. Is that a new feature of iOS 11?
 

Rigby

macrumors 603
Aug 5, 2008
6,222
10,168
San Jose, CA
Since when? I've always had to go in and turn it off prior to erasing an iOS device. Is that a new feature of iOS 11?
I think it always did:

https://support.apple.com/kb/ph2702?locale=en_US
"Before giving away or selling your iOS device, be sure to erase your content and settings (in Settings > General > Reset > Erase All Content and Settings). When you erase your content, Find My iPhone and Activation Lock are also turned off."

I seem to remember that it even prompts you during the process. But in any case, you can of course simply deactivate it before the erase if you want to be sure.

Anyway, my point was that you should be able to get to the point where you can receive text messages on a new or erased phone without having to enter an iCloud verification code.
 

ardchoille50

macrumors 68020
Original poster
Feb 6, 2014
2,142
1,230
I think it always did:

https://support.apple.com/kb/ph2702?locale=en_US
"Before giving away or selling your iOS device, be sure to erase your content and settings (in Settings > General > Reset > Erase All Content and Settings). When you erase your content, Find My iPhone and Activation Lock are also turned off."

I seem to remember that it even prompts you during the process. But in any case, you can of course simply deactivate it before the erase if you want to be sure.

Anyway, my point was that you should be able to get to the point where you can receive text messages on a new or erased phone without having to enter an iCloud verification code.
No, it wasn't always like that. I did, however, notice that a recent update to iOS now asks for the iCloud password during the erase procedure - this may be what turns off activation lock when you erase an iOS device. I think this was a new feature in iOS 10 but I'm not sure.

Thank you for that information.
 