Potential security hazard 2FA?

[Fredd-E]

Perhaps this is just my misunderstanding of a feature, but I've noticed a potential security hazard in the use of 2FA (2-factor authentication). I own 3 devices: an iPhone, iPad and a Macbook Pro.

Steps to reproduce security hazard:
1) Open Safari on Macbook Pro (or Mobile Safari on any iOS device)
2) Visit https://appleid.apple.com/ to manage your Apple ID
3) Log on with your username / password
4) 2FA activates (like it should), but it suprisingly allows me to accept the login and gives me the 6 digit code on the same device

Expected behavior:
4) 2FA activates on one of my other decices (iPhone or iPad)

The current situation implies if someone steals one of my devices and somehow obtained my password, he could simply bypass 2FA by validating the login attempt on the stolen device.

Is this how it's supposed to work? Isn't it dangerous? To me this seems like convenience over security.

Thoughts?

 

[twinlight]

This is how it works. Your device is trusted and won't require a respons from another device.

If someone uses their phone and your credentials it will popup asking for verification on one of your devices.

Edit: I thought that if devices where to far part it would also ask for confirmation but this may not be the case. I guess you would mark your device as stolen if you lost it but it would still give them some time so exploit it.

 

[Fredd-E]

If someone else tries my credentials on his device it will only activate 2FA on my devices. That's the whole idea.

But what I don't expect is that using my credentials on device A (which I own) will activate 2FA on that same device A. I think it would be way safer if 2FA activates on device B (which I also own).

This way you will prevent a thief entering your credentials on stolen device A and logging in because the 2FA will only activate on one of your _other_ trusted devices (device B).

In short what I expect when I own device A and B:

• Login attempt device A -> 2FA on device B
• Login attempt device B - > 2FA on device A

 

[twinlight]

What do you do when sitting on the bus without your iPad and find the need to login on your phone?

 

[Fredd-E]

What do you do when sitting on the bus without your iPad and find the need to login on your phone?

Request SMS. This still works as backup even when you use 2FA. But this also implies if a thief gets hold of your iPhone and 2FA only activates on one of your other devices, the thief can still opt to receive a text message on your stolen phone.

Bottom line: a thief who knows your password can always login to your iCloud account if he has your device in his possession. Makes it all feel less safe come to think of it

 

[twinlight]

I think it's made so you can't enroll new units on your account. Physical access is always considered unsecured.

 

[steve62388]

It's designed to stop account breaches originating from some far flung corner of the globe. Needing a second device on hand would be a pain in the backside, And what would happen if a thief stole two devices? (Your bag is stolen or your room or house is raided). Compromises have to be made and it's fine the way it is. If you're bothered about it set your device on a short autolock time, don't use TouchID and have a decent password.

 

[cswifx]

Applying the expected outcome would cause people who only own 1 Apple device to be unable to use 2FA.
Besides, if you use FileVault and have a strong password on your Mac, getting it stolen wouldn't be a problem. You can even remotely wipe your Mac if it's stolen.

 

[Fredd-E]

Applying the expected outcome would cause people who only own 1 Apple device to be unable to use 2FA.
Besides, if you use FileVault and have a strong password on your Mac, getting it stolen wouldn't be a problem. You can even remotely wipe your Mac if it's stolen.

That's a good argument indeed.

Basically it all comes down to this: 2FA is only really useful to keep other people from using YOUR credentials on THEIR devices, or when you try to manage your Apple ID on a friend's laptop for instance. 2FA will give a popup on your iPhone to approve the manage ID attempt on your friend's laptop.

But, 2FA is very much less secure once someone has physical access to your devices.

In any regard it's better to have 2FA enabled than not. And having a strong password for starters.

 

[Alrescha]

But, 2FA is very much less secure once someone has physical access to your devices.

Of course it is. Your device is one of the factors in the two-factor process. The fact that you can also log in on the device as in your original post is irrelevant - the bad guy could have used any old laptop. If someone has both factors you are in trouble no matter what.

What you seem to want is three-factor authentication.

A.

 

[konqerror]

But, 2FA is very much less secure once someone has physical access to your devices.

Not just physical access, but they can defeat 2FA if they have remote login access. It's a problem with computer-based 2FA now, which is an argument for hardware dongles and fobs.

Some other features which ruin the assumptions behind 2FA:
-SMS forwarding like through iMessage or Google Voice
-Code generation that's being used on the same device (phone)
-Softphones and FaceTime carrier account access

 

[cswifx]

Of course it is. Your device is one of the factors in the two-factor process. The fact that you can also log in on the device as in your original post is irrelevant - the bad guy could have used any old laptop. If someone has both factors you are in trouble no matter what.

What you seem to want is three-factor authentication.

A.

Maybe even a forth factor - a physical token delivered to you?

With all due honesty though, I doubt there can be anything that's completely secure. The user is always the last line of defence when it comes to their own accounts.