Perhaps this is just my misunderstanding of a feature, but I've noticed a potential security hazard in the use of 2FA (2-factor authentication). I own 3 devices: an iPhone, iPad and a Macbook Pro.
Steps to reproduce security hazard:
1) Open Safari on Macbook Pro (or Mobile Safari on any iOS device)
2) Visit https://appleid.apple.com/ to manage your Apple ID
3) Log on with your username / password
4) 2FA activates (like it should), but it surprisingly allows me to accept the login and gives me the 6 digit code on the same device
Expected behavior:
4) 2FA activates on one of my other devices (iPhone or iPad)
The current situation implies if someone steals one of my devices and somehow obtained my password, he could simply bypass 2FA by validating the login attempt on the stolen device.
Is this how it's supposed to work? Isn't it dangerous? To me this seems like convenience over security.
Thoughts?