Two Factor flaw?

[Liam Steven]

I've set up two factor authentication and I thought I would test it by signing into manage my apple ID. I chose to receive a text message but I relay SMS to my iPad, so what's to stop somebody stealing my iPad, chosing the text option and the code appearing on my iPad's lock screen where they could use the code to gain access to my Apple ID/ iCloud?

Do the SMS messages only relay when in close proximity to my iPhone?

Am I missing something?

 

[lineto]

If you opt in to have your text messages relayed and your iPad is stolen, you can disable it in the messages settings on your phone. Also, I'm almost certain text relay is only useable when on the same wifi network.

 

[bripab007]

Actually, text messaging forwarding does not require them to be on the same network.

 

[lineto]

Actually, text messaging forwarding does not require them to be on the same network.

Good to know! In any case, regarding the OPs question, disabling the text forwarding option will still help them in the event of their ipad/other devices being stolen.

 

[I7guy]

Good to know! In any case, regarding the OPs question, disabling the text forwarding option will still help them in the event of their ipad/other devices being stolen.

Hopefully the device is secure when not in use. Even if an authentication code is received by the ipad, you have to know the user id and password. Without that the authentication code is useless.

 

[gsmornot]

I've set up two factor authentication and I thought I would test it by signing into manage my apple ID. I chose to receive a text message but I relay SMS to my iPad, so what's to stop somebody stealing my iPad, chosing the text option and the code appearing on my iPad's lock screen where they could use the code to gain access to my Apple ID/ iCloud?

Do the SMS messages only relay when in close proximity to my iPhone?

Am I missing something?

The code does not appear on the lockscreen. The notice will but you have to unlock to get the code. So, you would need your password, access to your physical iPad and the iPad unlock code. Not sure who you deal with but that is a lot for someone to go through just to get access to your iCloud account. You should be ok. Certainly better off than just going with a password alone.

 

[GreyOS]

The code does not appear on the lockscreen. The notice will but you have to unlock to get the code. So, you would need your password, access to your physical iPad and the iPad unlock code. Not sure who you deal with but that is a lot for someone to go through just to get access to your iCloud account. You should be ok. Certainly better off than just going with a password alone.

That's when it's sent as a special alert to the phone but you can have it sent as an SMS

 

[gsmornot]

That's when it's sent as a special alert to the phone but you can have it sent as an SMS

Tell me more. I was thinking it would only be sent one way for trusted devices. The text option would only apply to trusted numbers that are not already a trusted device which a personal iPad should be or at the least the iPhone that is forwarding the text over to the iPad would be.

 

[GreyOS]

Tell me more. I was thinking it would only be sent one way for trusted devices. The text option would only apply to trusted numbers that are not already a trusted device which a personal iPad should be or at the least the iPhone that is forwarding the text over to the iPad would be.

Just read OP's post for the problem, I don't know any more details sorry. You can see SMS previews on lock screens

 

[I7guy]

Just read OP's post for the problem, I don't know any more details sorry. You can see SMS previews on lock screens

But you still need to get into the device. Correct?

 

[phobos512]

If you go to Settings >> Notifications >> Messages on the device in question, scroll all the way to the bottom and disable the option for "Show Previews" the message content will not be shown on the lock screen.

 

[phobos512]

But you still need to get into the device. Correct?

No, you just need to wake it if message preview is enabled. But if you disable it as I suggested above, then you'd just see that a message from someone came in - not the content thereof.

 

[I7guy]

No, you just need to wake it if message preview is enabled. But if you disable it as I suggested above, then you'd just see that a message from someone came in - not the content thereof.

The premise is the iPad is stolen; even if the authentication code is shown it has to be entered in the originating screen and for that you require the id and password.

 

[phobos512]

The premise is the iPad is stolen; even if the authentication code is shown it has to be entered in the originating screen and for that you require the id and password.

Concern is this - If OP goes to Apple's website and logs into his/her/etc.'s account, Apple (the way OP has it setup) will send a text to his phone, which will be relayed to his iPad. Then, if the iPad is stolen, anyone can use the iPhone or the iPad to request access to the iCloud account, assuming they already have OP's iCloud password.

Frankly, the whole thing seems pretty far fetched.

(1) Need to know OP's account e-mail
(2) Need to know OP's account password
(3) Need to have physical access to OP's phone or tablet

Pretty much at this point OP has no one to blame but themselves. For all of this to have happened OP would have had to basically employ no common sense protections. Two factor is something you have and something you know - if you give out the "something you know" and you lose the "something you have" then they aren't appropriate for use. Basically, OP needs to protect their information and devices better.

 

[gsmornot]

Concern is this - If OP goes to Apple's website and logs into his/her/etc.'s account, Apple (the way OP has it setup) will send a text to his phone, which will be relayed to his iPad. Then, if the iPad is stolen, anyone can use the iPhone or the iPad to request access to the iCloud account, assuming they already have OP's iCloud password.

To get the SMS, the message from Apple would need to be sent to an untrusted device on a trusted number. If this iPad is logged into the users iCloud account, its a trusted device. (same for the iPhone). To get a regular SMS on an iPad screen as part of two-factor you would need to send the recovery request to the trusted numbers iPhone which would need to be connected with the trusted numbers iPad. So, to have this iPad that belongs to someone else and the password, yea that would be difficult.

Remember, once this is setup, iCloud looks at your other iCloud devices and sends the second factor info there which does not arrive as a standard SMS. You have to unlock the device to see the message.

 

[Liam Steven]

Concern is this - If OP goes to Apple's website and logs into his/her/etc.'s account, Apple (the way OP has it setup) will send a text to his phone, which will be relayed to his iPad. Then, if the iPad is stolen, anyone can use the iPhone or the iPad to request access to the iCloud account, assuming they already have OP's iCloud password.

Frankly, the whole thing seems pretty far fetched.

(1) Need to know OP's account e-mail
(2) Need to know OP's account password
(3) Need to have physical access to OP's phone or tablet

Pretty much at this point OP has no one to blame but themselves. For all of this to have happened OP would have had to basically employ no common sense protections. Two factor is something you have and something you know - if you give out the "something you know" and you lose the "something you have" then they aren't appropriate for use. Basically, OP needs to protect their information and devices better.

Wrong, and please don't assume that I am an incompetent moron!

I was simply asking a legitimate question out of curiosity of the service.

 

[Liam Steven]

To get the SMS, the message from Apple would need to be sent to an untrusted device on a trusted number. If this iPad is logged into the users iCloud account, its a trusted device. (same for the iPhone). To get a regular SMS on an iPad screen as part of two-factor you would need to send the recovery request to the trusted numbers iPhone which would need to be connected with the trusted numbers iPad. So, to have this iPad that belongs to someone else and the password, yea that would be difficult.

Remember, once this is setup, iCloud looks at your other iCloud devices and sends the second factor info there which does not arrive as a standard SMS. You have to unlock the device to see the message.

You've missed the point completely.

An option that IS available is to send an SMS to a verified mobile number. An iPhone with SMS relay enabled will relay the message to the iPad, where the code will be displayed on the lock screen.

Hopefully the device is secure when not in use. Even if an authentication code is received by the ipad, you have to know the user id and password. Without that the authentication code is useless.

Very true but I was just curious.

 

[phobos512]

Wrong, and please don't assume that I am an incompetent moron!

I was simply asking a legitimate question out of curiosity of the service.

I didn't say you're an idiot and I didn't say it wasn't a legitimate question. What I said was, if you manage to expose your account, your password and lose a device that is capable of receiving the password, then that's not an exploit. You might as well just log in for the person at that point. An exploit is something like you have to go to a certain menu, tap a few times in different places, enter the Konami code on a connected bluetooth keypad and then it exposes the user's keychain. What you've described is very much not that.

 

[gsmornot]

You've missed the point completely.

An option that IS available is to send an SMS to a verified mobile number. An iPhone with SMS relay enabled will relay the message to the iPad, where the code will be displayed on the lock screen.

If you say so.

 

[whsbuss]

An option that IS available is to send an SMS to a verified mobile number. An iPhone with SMS relay enabled will relay the message to the iPad, where the code will be displayed on the lock screen.

Maybe I'm reading too much onto this, but with SMS relay enabled on the iPhone, doesn't that mean the iPad has to be within the same wifi network? So if you lost your iPad how would it SMS relay?

 

[C DM]

Maybe I'm reading too much onto this, but with SMS relay enabled on the iPhone, doesn't that mean the iPad has to be within the same wifi network? So if you lost your iPad how would it SMS relay?

Doesn't seem like that's the case based on an earlier reply:

Actually, text messaging forwarding does not require them to be on the same network.

 

[gsmornot]

Maybe I'm reading too much onto this, but with SMS relay enabled on the iPhone, doesn't that mean the iPad has to be within the same wifi network? So if you lost your iPad how would it SMS relay?

No. Your iPad can be anywhere so long as it has access to the internet and access to iCloud services. The point here is to even get to the SMS message on this iPad a few things have to happen that likely will not at least not to the point of the OP. I could explain further if you guys are interested but if not, this sentence is enough.

Let's go back to the original question:
"I've set up two factor authentication and I thought I would test it by signing into manage my apple ID." To get to this point, you have to have the password for the account. Ok, someone could steal this and this is where two factors are wanted.

"I chose to receive a text message but I relay SMS to my iPad, so what's to stop somebody stealing my iPad, chosing the text option and the code appearing on my iPad's lock screen where they could use the code to gain access to my Apple ID/ iCloud?" To get to this level, you need the physical iPad and the correct password for the account. If your iPad is stolen and locked, there is no guess as to the account this device belongs to. If you know the password and have now also taken the iPad you could have an SMS sent if this iPad is related to either a trusted number or is a trusted device. Once this level is reached I would hope that seeing the related message on the also related iPhone would be a trigger that someone has taken the iPad and knows the account password. To get to this point is not going to be easy but in very limited cases.

This is on a level or say an ATM card. Not talking pay as credit, just the ATM portion. If you have in your hand an ATM card but do not know the PIN you're done. If you know someones PIN but they have the card, you're done. If you have both you have access but at that point no level of security is going to apply. You need to protect both parts as best as you can as if one part gets out, the other provides protection until you can remedy the situation by adjustment. In this example, you cancel the card. In the iPad's case, if stolen, you shutdown the iPad with Find My iPhone.