Two Factor Authentication

[BlueMacawBird]

I have been putting off using two factor authentication and it may be time to go ahead and use it. I would like to get some feedback about how it has been working for others, so any comments about your experiences are welcome.

In addition to my day-to-day machines (CMP 5,1/iMac 18,3/MBA; all running Mojave) I also have about twenty Macs in my collection. Many of them are late enough to be running El Cap and would be subject to the TFA protocols. As I understand TFA, a code is only needed the first time you access a machine. After which, following a restart or a cold start, no code is needed. Is that true? I can't imagine that the code is needed every time you boot a machine that is already on the trusted devices list.

Also, are there features of later versions of MacOS that require TFA?

Thanks,

John

 

[Apple_Robert]

Any time you set up a Mac or other Apple device or log out / back into iCloud, you will need to use the 2FA code. Under normal use, you won't need the code. I strongly suggest you had additional trusted numbers to your Apple ID account so that you don't get locked out, should you lose access to your main phone. A landline works for 2FA codes as well.

 

[artfossil]

Any time you set up a Mac or other Apple device or log out / back into iCloud, you will need to use the 2FA code. Under normal use, you won't need the code. I strongly suggest you had additional trusted numbers to your Apple ID account so that you don't get locked out, should you lose access to your main phone. A landline works for 2FA codes as well.

Thank you! That’s a good idea about adding another trusted number! I’ll do that when my daughter/roommate can verify her number.

 

[KaliYoni]

Apple's 2FA is tied to the use of Apple's online services, not its hardware.

For example, if you have a Mac that is not linked to an iCloud account (say, a machine that is provided by an employer and fully supported by a corporate IT staff) or an iPad that is never connected to the Internet, 2FA won't enter your life much. You'll be able to boot and log into your Mac with just a user name and password. You'll be able to get to your iPad's home screen by simply typing your password or through TouchID. No temporary codes necessary!

I use 2FA everywhere that offers it to me: Apple, retailers, financial service providers, healthcare providers, social media...you name it. Sure, it adds additional steps to my workflows but I feel the slight inconvenience is well worth the increase in security. 2FA shouldn't be one's only line of defense against attackers, obviously, but I do view it as part of the foundation of my personal privacy and security practices.

 

[KaliYoni]

A landline works for 2FA codes as well.

Landlines are good for 2FA because it is a lot more difficult for an attacker to get control of a landline phone number than a mobile or VOIP number. This is also one use where Google Voice's total lack of human-based customer service is actually a strength; when call center and retail store workers don't exist, it's impossible to socially engineer somebody into doing a SIM swap or making account changes.

 

[BlueMacawBird]

So, TFA is not challenged at machine start up, but when signing into iCloud services? Thus, if I do not need a machine to access iCloud services TFA is not a factor. My two desktops run continuously and once logged in I would only need an access code if I restarted them. My laptop is only used occasionally and is shut down when not in use, so if I wanted to access iCloud I would need the code each time I used the laptop.

While cell phones are the obvious trusted device for receiving the access codes, landlines would be a viable backup. Presumably the access code would be provided by a voice message on a landline. I think an iPad can also be a trusted device and if true that would also be a good backup.

Are there any features on later versions of MacOS that require TFA?

 

[KaliYoni]

My Mac desktop, which is on Mojave, and my iOS devices are all linked to an iCloud account. The iCloud login persists across shutdowns and startups pretty much all the time for me (YMMV), so I very rarely encounter an Apple demand for 2FA codes when booting a system.

I do, however, regularly receive Apple 2FA codes when using Apple's cloud services, such as downloading software on the Mac and iOS App Stores, accessing iCloud via a web browser, playing with Apple Music, and configuring "Find My".