
steve333

macrumors 65816
Original poster
Dec 12, 2008
1,371
942
Questions about 2 factor authentication.
Is it really needed if my computer is home and I don't use iCloud?
If it is activated on the computer will my iPhone automatically get 2 factor as well? I don't want to be somewhere needing to use the iPhone as a GPS (which is all I use it for) and not be able to access the 2 factor.
What exactly is the 2 factor authentication? Does it send a code to a phone or email?
Thanks
 

ipaqrat

macrumors 6502
Mar 28, 2017
379
422
A little background, addressing the last question first: What exactly is the 2 factor authentication? Does it send a code to a phone or email?
  • There are basically three factors:
    • Something you know: Password, PIN, security questions.
      • Passwords can be hacked and guessed.
    • Something you possess: Smartcard, Virtual Token (such as Authentication app on a device), Physical Token (such as USB or NFC "Key").
      • Physical Tokens can be lost/stolen, but should have a PIN to activate, and have a backup token.
      • Auth Apps include Microsoft Authenticator, Google Authenticator, BitWarden, etc.
    • Something you are: Biometrics such as fingerprint, face, retina, gait, etc.
      • "Things you are" can be stolen, but such thievery hurts, makes a mess, and typically reprioritizes IT Security in one's personal hierarchy of wellbeing. (See Silence of the Lambs and Face Off and Demolition Man.)
      • Microsoft Authenticator on an iPhone adds the device's biometrics to its "Something you Have" factor.
  • Factors count as Multiple only when the system ENFORCES their use together, not merely as options.
  • Auth apps that rely on challenge/response from a remote server/service are vulnerable to Man-in-the-Middle, Phishing and Social Engineering exploits. This includes Apple Accounts secured only with Password/PIN (See this article from March). This also includes on-line auth tools such as Microsoft Authenticator, which return one-time-passcodes (OTP) from a central server; however unlikely, these can be pwned in the network and you'd never know until it was all over.
  • Authentication systems can combine several instances of MFA factors, such as (SmartCard plus PIN) combined with (Physical Token plus PIN). This is still only two-factors, though more layers are good. However, if the Auth App on your phone engages biometrics, THAT counts as a third factor.
  • It's debatable that "Recognition Tests", such as Captchas, were ever a viable factor. They're less dependable these days, with AI plowing steadily through kindergarten (Sorry, Siri is repeating preschool. Again.).
Is it really needed if my computer is home and I don't use iCloud?

It is advisable, yes. MFA is the new minimum for responsible conduct. Hacks and exploits can be very slow and subtle. Apple's security is known to be pretty good, but the internet at large is like the wild wild west.

If it is activated on the computer will my iPhone automatically get 2 factor as well?

Question has to be split for DEVICE and SERVICE
  • Yes. iCloud is a centralized service (Apple Account, too). Once you invoke MFA for a centralized service, you need to comply, regardless of which device you use.
  • No. Each Device must be explicitly enrolled in MFA. Devices can be configured to process MFA offline, but this is typically deployed by an enterprise with a service desk for when it screws the pooch. And it will.
I don't want to be somewhere needing to use the iPhone as a GPS (which is all I use it for) and not be able to access the 2 factor.

Again, the distinction between device and service. iPhones (Hardware & OS) do not allow for MFA at device-unlock. It implements a passcode or biometric, not both. Setting an Apple Watch to unlock the phone isn't a second factor, because it isn't enforced, it's optional. However...

Based on the stated use case (GPS-Only), I don't see an authentication problem. Using an iPhone only for GPS/Navs, it could be unenrolled entirely from any Apple Account, all data cleared, all other apps deleted. Then you could leave that handset totally unsecured, not even a password, just like any Garmin or TomTom handheld. I do this with a couple old phone 6s' that I leave in various cars, with maps updated over wifi as needed.
 

ifxf

macrumors 6502a
Jun 7, 2011
604
1,005
In my opinion, Apple’s solution is more fragile than other solutions. You lose your trusted device or Apple decides your trusted device is no longer trusted you are locked out. You can mitigate this by using hardware security keys but it is a hassle. Other vendors provide one time codes or allow fallback to sms or email codes.
 

steve333

macrumors 65816
Original poster
Dec 12, 2008
1,371
942
Thanks for the info. It seems to be more of a hassle than anything else.
 

steve333

macrumors 65816
Original poster
Dec 12, 2008
1,371
942
More of a hassle than dealing with the fallout of your sensitive online accounts being compromised because your passwords are weak? I think not.
Maybe you're right.
Can it be turned off if I decide to?
 

kitKAC

macrumors 6502a
Feb 26, 2022
883
854
In my opinion, Apple’s solution is more fragile than other solutions. You lose your trusted device or Apple decides your trusted device is no longer trusted you are locked out. You can mitigate this by using hardware security keys but it is a hassle. Other vendors provide one time codes or allow fallback to sms or email codes.

Your trusted phone number is the SMS fallback.
 

ipaqrat

macrumors 6502
Mar 28, 2017
379
422
Maybe you're right.
Can it be turned off if I decide to?
Yes, it's possible to unwind MFA enrollments, but it's not a simple "Off Switch"; it's more like getting the remains of a splinter out of your thumb. You'll need to keep all your authenticators handy, having kept them current, and be prepared with fallback measures. MFA is not exactly intended to be unwound. Doing so is considered suspicious by service providers, because that's the very first thing hackers attempt to defeat, typically by social engineering a service provider's tier 1 call center.

Usability impacts from MFA and Encryption are frustrating, and not exactly cheap to engage (personal signing certs, fido keys, and enterprise-level stuff if that's where you're at). The tools and systems don't feel dependable. Add dodgy networking to the mix, and it's no wonder so many people are reluctant to engage.

But we just gotta suck it up. The risk might be statistically small, but the impacts can be catastrophic. It's the adult equivalent to homework, vegetables and taking out the trash. And changing oil in a truck with skid plates. And trimming trees up a ladder with a chainsaw. Taking a horse's temperature... All the things we all had to do as kids, right?

We used to have to farm, ranch, trap, haul, build and then shoot to protect our stuff... And then, if we had a spare nickel, buy printed books and newspapers - which took weeks/months to propagate from cities. Nothing has ever been free, in terms of effort or money.

Nowadays, encryption and MFA are a couple of basic things we have to do to get by. Otherwise, our stuff gonna get took by thugs, miscreants, the businesses we are effectively forced to deal with. And we shouldn't expect sympathy from cops or courts unless we did all we could to protect ourselves, while the dirt-bags get away clean.

Ain't how it's spose'd to be, but it is how it is.
 

ipaqrat

macrumors 6502
Mar 28, 2017
379
422
Yes, it's possible to unwind MFA enrollments, but it's not a simple "Off Switch"; it's more like getting the remains of a splinter out of your thumb. You'll need to keep all your authenticators handy, having kept them current, and be prepared with fallback measures. MFA is not exactly intended to be unwound. Doing so is considered suspicious by service providers, because that's the very first thing hackers attempt to defeat, typically by social engineering a service provider's tier 1 call center.

Usability impacts from MFA and Encryption are frustrating, and not exactly cheap to engage (personal signing certs, fido keys, and enterprise-level stuff if that's where you're at). The tools and systems don't feel dependable. Add dodgy networking to the mix, and it's no wonder so many people are reluctant to engage.

But we just gotta suck it up. The risk might be statistically small, but the impacts can be catastrophic. It's the adult equivalent to homework, vegetables and taking out the trash. And changing oil in a truck with skid plates. And trimming trees up a ladder with a chainsaw. Taking a horse's temperature... All the things we all had to do as kids, right?

We used to have to farm, ranch, trap, haul, build and then shoot to protect our stuff... And then, if we had a spare nickel, buy printed books and newspapers - which took weeks/months to propagate from cities. Nothing has ever been free, in terms of effort or money.

Nowadays, encryption and MFA are a couple of basic things we have to do to get by. Otherwise, our stuff gonna get took by thugs, miscreants, despite or because of the businesses we are effectively forced to deal with. And we shouldn't expect sympathy from cops or courts unless we did all we could to protect ourselves. And, yeah, the dirt-bags might get away clean.

Ain't how it's spose'd to be, but it is how it is.
 

steve333

macrumors 65816
Original poster
Dec 12, 2008
1,371
942
I just downloaded Sequoia on my 2018 Mac Mini and I don't notice anything, good or bad.
In fact it looks the same as the previous OS, I don't see anything new
Odd thing is that it didn't even prod me to sign in to Apple like it does with updates. It just downloaded and that was that. Didn't even prod me to use 2 factor authentication. I had to check About this mac to make sure it even downloaded and updated to the new OS. It did.
 

steve333

macrumors 65816
Original poster
Dec 12, 2008
1,371
942
So if someone doesn't have an Apple device other than a Computer they can't use 2 factor authentication.
I was preferring to use my flip phone since my iPhone is so old and may not replace it if it finally stops working since I only use it as a GPS.
Apple sure doesn't make things easy
 

ipaqrat

macrumors 6502
Mar 28, 2017
379
422
So if someone doesn't have an Apple device other than a Computer they can't use 2 factor authentication.
I was preferring to use my flip phone since my iPhone is so old and may not replace it if it finally stops working since I only use it as a GPS.
Apple sure doesn't make things easy
Earlier in the thread, I advised that MFA can be unenrolled, but I just got clarity that once 2FA is enabled for an Apple Account specifically, it cannot be disabled. I was thinking of TWO-STEP verification, which is very different, and no longer supported. Hope my generalizations didn't cause trouble for you.

For other ordinary services, MFA can typically be unenrolled, usually within the service's web UI, though you might have to submit extra credentials to accomplish it, or maybe even talk to IT support.

Anyway, once I enabled MFA for my Apple Account, I added a pair of yubikeys for daily use. Then I added a trusted phone number for a SIM card that currently resides in an old 'Droid I use as the "House Phone". I haven't had to fall back to that for unlocking my Apple gear.

There's probably reliable advice somewhere in here, but you should prolly have a verbal with an actual Apple Rep to double+triple check your cross-platform use case.

I do like the new Moto Razr 2024+. Might get one of my own, to use outside the lab, see what the hubbub is about, see if it's up to the rigors of farm life.
 

steve333

macrumors 65816
Original poster
Dec 12, 2008
1,371
942
Earlier in the thread, I advised that MFA can be unenrolled, but I just got clarity that once 2FA is enabled for an Apple Account specifically, it cannot be disabled. I was thinking of TWO-STEP verification, which is very different, and no longer supported. Hope my generalizations didn't cause trouble for you.

For other ordinary services, MFA can typically be unenrolled, usually within the service's web UI, though you might have to submit extra credentials to accomplish it, or maybe even talk to IT support.

Anyway, once I enabled MFA for my Apple Account, I added a pair of yubikeys for daily use. Then I added a trusted phone number for a SIM card that currently resides in an old 'Droid I use as the "House Phone". I haven't had to fall back to that for unlocking my Apple gear.

There's probably reliable advice somewhere in here, but you should prolly have a verbal with an actual Apple Rep to double+triple check your cross-platform use case.

I do like the new Moto Razr 2024+. Might get one of my own, to use outside the lab, see what the hubbub is about, see if it's up to the rigors of farm life.
That's OK, I didn't do it yet. I decided to check Apple's website and when it said only an iPhone can be used I decided against it.
 