You're looking at this from the wrong direction. The same security questions are not the issue and never have been... Just as long as the answer to those questions is complex, that's all that is required to be just as secure.

No, that's completely wrong. A security question that never changes only needs to be compromised once. If you were right then there would be no need for time based auth tokens or login prompts with two factor.

https://www.howtogeek.com/185354/security-questions-are-insecure-how-to-protect-your-accounts/

https://bgr.com/2015/05/22/google-security-passwords-secure-easy-guess/

https://www.portalguard.com/blog/2015/05/27/security-questions-are-not-secure/
 
It does. You can generate 2FA codes offline under Settings -> Apple ID -> Password & Security.
Well, that’s cool. Good to know.
Well....
What if they don't use "memorable things" but a random string that is not too long but impossible to guess? For example:
What is your favorite high school teacher?
6BG87
When did you start your first bachelor's degree?
87FRA

Sure, remembering those is hard. But, once remembered, as long as the question/answer pair is not noted down and leaked (which is a big prerequisite), no one can guess the answer, at least not quickly.
 

Two strings (password and "security" answer) that are used over and over again will never be remotely as secure as a temporary time based token or a login authorization prompt.
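The exchange above (the random five-character answer proposed as "impossible to guess", and the reply that a reused string is never as good as a temporary time-based token) can be made concrete. The following is an added example, not code from any poster and not a description of Apple's own mechanism (the thread does not say how Apple's trusted-device codes are generated). It assumes a standard RFC 6238 TOTP as the "time based token", uses the RFC's published test secret, and treats the guess rates as made-up illustrative numbers.

```python
"""Static security answer vs. time-based token (added example).

Part 1 sizes the guess space of a random answer such as "6BG87".
Part 2 implements RFC 4226 HOTP / RFC 6238 TOTP.
Part 3 shows the difference that matters: a captured static answer
replays forever; a captured TOTP code replays only inside its window.
"""
import hashlib
import hmac
import math
import struct

# --- Part 1: how big is a random 5-character [A-Z0-9] answer? -------------

def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random answer of `length` symbols."""
    return length * math.log2(alphabet_size)

def expected_guesses(alphabet_size: int, length: int) -> float:
    """Average guesses needed to hit a random answer: half the space."""
    return (alphabet_size ** length) / 2

def seconds_at_rate(guesses: float, guesses_per_second: float) -> float:
    """Wall-clock time for a given attacker guess rate (rate is an assumption)."""
    return guesses / guesses_per_second

# --- Part 2: RFC 4226 HOTP and RFC 6238 TOTP ---------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check tolerating +/- `skew` steps of clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))

# --- Part 3: what a captured credential is worth later ----------------------

def static_answer_replays(stored_answer: str, captured: str) -> bool:
    """A static answer: the captured string keeps working until it is changed."""
    return hmac.compare_digest(stored_answer, captured)

def totp_replays(secret: bytes, captured_code: str, replay_time: int,
                 step: int = 30, skew: int = 1) -> bool:
    """A captured TOTP code only works while its time step is still accepted."""
    return verify_totp(secret, captured_code, replay_time, step, skew)

if __name__ == "__main__":
    # Illustrative rates, not measurements: a rate-limited login form vs.
    # offline guessing against a leaked hash.
    guesses = expected_guesses(36, 5)
    print(f"5-char [A-Z0-9] answer: {guess_space_bits(36, 5):.1f} bits, "
          f"{guesses:,.0f} expected guesses")
    print(f"  online at 10/s:  {seconds_at_rate(guesses, 10) / 86400:.0f} days")
    print(f"  offline at 1e9/s: {seconds_at_rate(guesses, 1e9):.3f} s")

    secret = b"12345678901234567890"          # RFC 6238 test secret
    captured = totp(secret, 1111111109)        # attacker sees this code once
    print("captured TOTP:", captured)
    print("replay 2 s later:   ", totp_replays(secret, captured, 1111111111))
    print("replay years later: ", totp_replays(secret, captured, 2000000000))
    print("replay static answer:", static_answer_replays("6BG87", "6BG87"))
```

Two things the numbers show. The five-character answer is about 26 bits, which is fine against a rate-limited login form but trivial against offline guessing, and it is the same 26 bits on every login until the owner changes it. The TOTP code is only six digits (worse as a single guess), but each code is bound to a 30-second step, so the one an attacker captures is worthless once the accepted window (here one step either side) has passed.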
 
Except, those time-based tokens can be easily sniffed and tricked, just like passwords and security question answers. Also, the idea is to never use the same string over and over again and to change it regularly. OS-based tokens can be a bit harder to trick though, I think.

Ultimately, “convenient security” is not something that can be easily achieved.
 

Well Apple uses a login authorization prompt when you enter your password. Only after you accept the request will you be presented with the temporary code. Good luck "easily" sniffing that entire process.
 
Interesting. Still, since there is no way of turning back, I would tell other people who have not opted in to Apple 2FA yet to choose a powerful security question answer instead of jumping into this thing.
And, for that prompt to work, the user needs to have at least two devices that support displaying that prompt. For users with only an iPhone, good luck with that.
 
Two strings (password and "security" answer) that are used over and over again will never be remotely as secure as a temporary time based token or a login authorization prompt.

This is true, but the complexity also proves something too... the NEED for easy guesses drops off very quickly, not based on predetermined questions, but on complex answers.

The more complex the better. 8-16+ characters minimum, mixed alpha/numeric/symbols and case. If the user makes their own questions (if possible), it only "appears" to be better.
 
Security questions just don't work...for example...

Question:
"What is your favorite band?"

Answer
"Not Nickelback"

Now I've just hacked everyone on the planet, and likely others.
 
Seems like that's not a likely answer most would have, and everyone would have their own one essentially. That said, it's the type of information that various people around an individual might know or be able to guess.
 

I was just hating on Nickelback.

I do think security questions aren't very secure though. Sometimes, depending on the question, they aren't that easy to remember years later either.

"Where does your closest relative live?" was one I had years ago. That changed 4-5 times between where I lived and where they lived. Favorite car? Like that's a constant.

If they aren't vague and constantly changing they are easy for people to guess like a mothers maiden name or where were you born....

I have enough devices that two factor isn't that big of a hassle for me.
 
What about information that is independent of your personal experience? Like a random string? A variation of the car number plate? Or something as random as "GF8Q2"? Do you think this type of answer will make security questions a bit more secure?
 

Given the opportunity to pick your own question, it could be as secure as the English language allowed. Even more secure if you were using words you created, like a pet name you had for a high school girlfriend/boyfriend, which is essentially random. Or, like in your example, a random string, although when the question needs to become vague it leads to forgetting. If you were too direct, "your license plate (on your first car, current car, etc.) in reverse" is information that isn't exclusive to you.

I've been able to pick my own security questions, however they were from a predefined list. Typically I haven't been able to pick, so they were very generic, and while it's not a problem, a close relative of mine could answer them all fairly easily.

At this point two factor is just too easy for ME. I do understand other people are of varying opinions though.
 
Yeah. With multiple devices and easy access to trusted devices, 2FA is pretty doable. But also, 2FA is not for everyone. What Apple has done wrong is assuming everyone needs 2FA no matter what, ignoring the personal situation and needs. Typical move from Apple though, I can’t blame this too much.
 

Ugh, you said "What Apple had done wrong is assuming everyone needs 2FA". Apple doesn't care if you need 2FA or not, THEY need it.

Every time an iTunes account got hacked and things were stolen via someone's credit card, it would end up costing Apple time and money. The more people's lives integrated with their Apple devices, the higher the damage could be. Two-step authentication was too easy to circumvent, so it was just bad PR.

To not have a very low limit in certain countries (£30 in the UK, I believe) with contactless payment (Apple Pay), two-factor authentication is a requirement. Also some (most?) banks and card issuers require it on a device with a mobile wallet to help limit spoofing.

Nah, I'm not sure about this, but wasn't two-step authentication a requirement, and what two-factor authentication replaced? If that is correct there really isn't any debate; 2SA was easy for the nefarious type to get around and literally impossible for honest people to log in with (if they lost two of these three things: iTunes password, trusted device with SMS, and/or recovery passcode). Weekly we would see threads on here with someone who was locked out of their Apple ID.

2SA would text you a code, so it was only good for iPhones, since the trusted device needs to receive SMS. Apple couldn't control the encryption of that code to the end user because it used SMS. Also it would pop up on the lock screen for many, so it's not very secure. To make matters worse you needed cell reception, and if you were trying to log in because your phone was stolen... lol, have fun...

2FA on the other hand uses iCloud to send the code to your macOS and iOS devices that have cellular or wifi. If someone gets your Apple ID and password you can still block the login request, plus you get a map of where the device that is trying to log on is. You can generate your own authentication code from a trusted device without the internet. Plus you can still get a phone call (or a friend/family member) or text if you still need it.

Obviously this is my opinion and it's only based on my experience. I am curious though, what would you describe as a personal situation that makes 2SA better than 2FA?
 
First of all, thanks a lot for your lengthy and detailed reply. I appreciate it.

To not have a very low limit in certain countries (£30 in the UK I believe) with contactless payment (ApplePay) two factor authentication is a requirement. Also some (most?) banks and card issuers require it on a device with a mobile wallet to help limit spoofing.
I have heard about the low Apple Pay limit in the UK, but this is not the case in Australia. For purchases exceeding a certain amount (usually over $50 AUD), you need the bank card PIN. No need to use 2FA. Also, no banks (at least the four major banks) require the user to enable 2FA before using the mobile wallet.
Therefore, 2FA is not a "must" for my daily life.
I am curious though, what would you describe as a personal situation that makes 2SA better than 2FA.
I am not arguing 2SA is better than 2FA. I am arguing that in some cases having 2FA is worse than having no 2FA, for example for the many users with only one iPhone. They would need to use a landline or SMS to fall back on as the "second factor" instead of system-integrated push notifications. And, in the OP's case, he cannot bring his phone to his workplace, or even his personal device, and his workplace Mac gets a reset every night. Here, 2FA will become quite a hassle, because if he cannot find a way to get the 2FA code, he will not be able to log in. On the other hand, if he only needs his password, no hassle.
Apple doesn't care if you need 2FA or not, THEY need it.
Yes, you are right, THEY need it, not USER need it.
 