
mikeb71

macrumors member
Original poster
Nov 28, 2012
50
36
UK
Hi all,

I’m perhaps being daft, but can someone please clarify how this is supposed to work? As an example, if I try logging into iCloud on my Mac I’m prompted to enter a code from a trusted device (all well and good), however, the warning about an attempt by someone to log into my account appears on both my iPhone AND the Mac I’m logging into iCloud with. If I click ‘Allow’ on either device I’m then provided with the code to enter into the Mac browser. If this is how it is designed to work, how is this in any way secure? If I was the thief and was trying to log into my iCloud account on my ‘stolen’ MacBook I would have both the ability to allow access and have the code needed to authenticate it.
Perhaps I’m just misunderstanding how this is designed to work, but I’d assumed the idea was that one device is essentially being protected by another which you would have control of, but that doesn’t appear to be how it’s working for me?
 

Brookzy

macrumors 601
May 30, 2010
4,985
5,577
UK
The idea is that if a device is stolen you put it in lost mode via iCloud.com which will remove it from your trusted devices.
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,293
4,995
^^^^This.

Add in, for the Mac scenario to work, the crook not only needs to steal the device, but also have it not go to sleep, screen lock, etc. Highly unlikely this could happen. And one can help minimize the chance for this. So, set up a short screen lock. Set up a hot corner to lock the display when you walk away. Set Keychain to lock after X minutes of inactivity. FileVault the drive. EFI password to boot. And as soon as you know that the device is stolen, see above.

Can probably also not make the Mac a trusted device, so that if it is stolen, it will not get the notice.

Now, that said, two-factor is more geared toward catching someone somewhere else trying to get into your stuff vs absolute lockdown, imo.
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
If this is how it is designed to work, how is this in any way secure? If I was the thief and was trying to log into my iCloud account on my ‘stolen’ MacBook I would have both the ability to allow access and have the code needed to authenticate it.
Perhaps I’m just misunderstanding how this is designed to work, but I’d assumed the idea was that one device is essentially being protected by another which you would have control of, but that doesn’t appear to be how it’s working for me?
Two-factor authentication isn't about protecting stolen devices, but about preventing bad actors from accessing your account and personal information stored in the cloud. For example, if someone managed to obtain your password (e.g. via a clever phishing mail, or malware on your computer, or because you used the same password also on other web sites and one of them was hacked) they'd still not be able to access your Apple account without also having one of your trusted devices to receive the dynamic security codes.
 

mikeb71

macrumors member
Original poster
Nov 28, 2012
50
36
UK
Thanks all for the replies. I was obviously misunderstanding what this is designed to do, although saying that the guide on the link that Tech198 posted states "When you sign in on the web, you can choose to trust your browser, so you won’t be asked for a verification code the next time you sign in from that computer", whereas for me it does even though I select it as trusted, but anyway at least I now know how this is supposed to work.

Thanks all :).
 

Apple blogger

macrumors 6502a
Feb 28, 2013
892
177
Hi, I get your concern.

I think 2 factor verification was doing the same thing, but the new authentication is just more automatic. If you have more than 1 trusted device signed into iCloud, I think the code pops on every device, including the one you are trying to log into.

But for thieves to get access to your account, they should have both your password and your trusted device.

As regarding the “do not ask me on this computer”, if you clear your history, or change the browser, or private/incognito mode, it doesn’t remember the device.

It doesn’t remember my iOS devices no matter how many times I log into my Apple ID.
 