
bmac89

macrumors 65816
Original poster
Aug 3, 2014
1,388
468
Hello,

Does the Genius Bar bypass two-factor authentication and if so how and why?

Earlier this year I took my iPad to the Apple store Genius Bar. It was completely dead and they were unable to do diagnostic testing. They asked me to log in to my iCloud account to confirm ownership and to switch off “find my phone” and the device was taken away for manual inspection and replacement under warranty.

What puzzled me and continues to puzzle me was that I never received any notification nor required any verification code when I logged in or when I switched off “find my phone”. Two-factor authentication was switched on with multiple trusted devices and SMS verification enabled and I have always had to enter a verification code when changing iCloud settings or when I log in on a new device etc.

Does the Genius Bar bypass two-factor authentication and if so how and why?
I.e., are the Genius Bar devices automatically trusted devices or maybe connected to a trusted network which bypasses 2 factor or is this unexpected behaviour?

I regret not asking the staff member at the time but this has always puzzled me.
Does anyone have any insight on this, maybe you have experienced this also or maybe it is expected behaviour? I’m just curious to understand as it seems very unusual.

Thanks
 

Funsize93

macrumors regular
May 23, 2018
111
64
Australia
As you and I both know, Apple takes security and privacy very seriously. There is no way that the Genius team can bypass security as this goes against Apple's own privacy and security policy.

You can remove a device from Find my iPhone by going to iCloud.com and signing in with your Apple ID and password. With 2FA you'll need to enter in your verification code which gets sent to a trusted device or a trusted number. If you can't produce a verification code you cannot complete sign-in to see your private iCloud information. Standard practice. However Apple has taken into consideration that your circumstances can happen when someone needs a repair but their only trusted device is the one which needs fixing. So, on the iCloud.com website you can access just ONLY the find my iphone app with just the Apple ID and password, no verification code needed. From there you can remove your device from iCloud.

Sounds like the genius bar did just that.
 

bmac89

macrumors 65816
Original poster
Aug 3, 2014
1,388
468
As you and I both know, Apple takes security and privacy very seriously. There is no way that the Genius team can bypass security as this goes against Apple's own privacy and security policy.

You can remove a device from Find my iPhone by going to iCloud.com and signing in with your Apple ID and password. With 2FA you'll need to enter in your verification code which gets sent to a trusted device or a trusted number. If you can't produce a verification code you cannot complete sign-in to see your private iCloud information. Standard practice. However Apple has taken into consideration that your circumstances can happen when someone needs a repair but their only trusted device is the one which needs fixing. So, on the iCloud.com website you can access just ONLY the find my iphone app with just the Apple ID and password, no verification code needed. From there you can remove your device from iCloud.

Sounds like the genius bar did just that.

Thanks for the explanation. That makes sense and I’m glad my puzzle is solved.

I just tested it out on my Mac and I can indeed access find my phone without a verification code if I go directly to iCloud.com/find.

However it did still have the pop up and verification code showing on my trusted device despite not needing it. Strangely when I was at the Apple store this didn’t even happen but at least there is an explanation for not needing 2FA.

Thanks for your help.
 