Two-factor authentication was introduced by Apple to better protect our devices and data. But there are cases when two-factor becomes basically one-factor.
The principle behind the feature is simple. If you try to sign in with your iCloud account on a new, unverified device, you are prompted to verify it. All you have to do is use one of your already authorized devices, such as an iPhone, iPad or Mac. The proprietary system Apple built works, with some exceptions.
Sometimes, instead of a dialog box with a six-digit PIN, you will have to use an alternative option in the form of an SMS. Everything seems fine as long as you have at least one other device handy. Two devices fulfill the essence of the "two-factor" authentication scheme: when you log in, you combine something you know (the password) with something you own (the device).
The problems start when you only have one device. In other words, if you only own an iPhone, you won't get two-factor authentication other than SMS. It's hard to get the code without a second device, and Apple also limits compatibility to iPhones, iPads, and iPod touches with iOS 9 and later, or Macs with OS X El Capitan and later. If you only have a PC, Chromebook, or Android, tough luck.
So in theory you protect your device with two-factor authentication, but in practice it's the least secure variant. Today there are a large number of services or techniques that can capture various SMS codes and login data. Android users can at least use an app that uses biometric authentication instead of an SMS code. However, Apple relies on authorized devices.
Two-factor authentication with one-factor authentication
What's even worse than signing in on a single device is managing your Apple account on the web. As soon as you try to log in, you will immediately be prompted for a verification code.
But it is then sent to all trusted devices. In the case of Safari on the Mac, the verification code will also appear on it, which completely misses the point and logic of two-factor authentication. At the same time, such a small thing as the saved password to the Apple account in the iCloud keychain is enough, and you can lose all sensitive data in an instant.
So whenever someone tries to log into an Apple account through a web browser, whether it's an iPhone, Mac or even a PC, Apple automatically sends a verification code to all trusted devices. In this case, the whole sophisticated and secure two-factor authentication becomes a very dangerous "one-factor".
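The collapse described above can be expressed as a check over sign-in events. The following Python sketch is an added example, not Apple's logic and not code from the original article; the `SignIn` fields, the counting rule and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    origin: str            # device the sign-in is performed on
    password_saved: bool   # password auto-filled from a keychain on `origin`
    code_device: str       # device the verification code was read from
    channel: str           # "push" (trusted-device dialog) or "sms"

def assess(ev: SignIn):
    """Return (number of distinct things an attacker must hold, findings)."""
    needs = set()
    findings = []
    # A saved password is no longer "something you know": holding the
    # unlocked origin device is enough to supply it.
    if ev.password_saved:
        needs.add(f"device:{ev.origin}")
        findings.append("password supplied by origin device")
    else:
        needs.add("password")
    # The code always requires access to the device it was read from.
    needs.add(f"device:{ev.code_device}")
    if ev.code_device == ev.origin:
        findings.append("code displayed on origin device")
    if ev.channel == "sms":
        findings.append("code sent over SMS")
    return len(needs), findings

# Constructed sample events covering the cases described in the article.
SAMPLES = {
    "new PC, code on iPhone": SignIn("pc", False, "iphone", "push"),
    "trusted Mac, typed password": SignIn("mac", False, "mac", "push"),
    "trusted Mac, saved password": SignIn("mac", True, "mac", "push"),
    "iPhone only, SMS": SignIn("iphone", True, "iphone", "sms"),
}

def report():
    return {name: assess(ev) for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for name, (n, findings) in report().items():
        print(f"{name}: {n} independent requirement(s); "
              f"{', '.join(findings) or 'none'}")
```

Only the events where the password is saved on the same device that displays the code reduce to a single requirement, which is the keychain case the article singles out.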
Source: Macworld
There is no single-factor authentication going on; the author should study something about it. The same could be said about bank applications, when in a mobile application that normally serves to confirm requests on a desktop, requests from that mobile application can also be confirmed, or when the service uses TOTP codes that are generated on the same device from which the user is logging in.
You probably have a problem, but I've never needed to receive an SMS ;-).
If you receive a password on your device, you must first confirm it. At the same time, you can also simply disable it (from any device).
For me personally, if you have verification on the most jailbroken iOS, you are safe enough and it's hard to find anything more secure at the moment.
If someone has a Jailbreak, then your security is = 0 and you solve everything else completely unnecessarily.
PS: Otherwise, don't let others fool you that two-step / two-factor authentication is only for delaying the user. Nowadays, getting a password is not so easy and if the person who got it is on the other side of the globe, it will be quite difficult for him to read the verification code from your devices ;-).
You probably misunderstood or you don't understand. SMS verification is one of the possible options. It is used in cases where you have no other device from which you could confirm the verification. E.g. if you only have a Mac or only an iPad. Then you will receive an SMS on your phone.
I get it, but it doesn't make sense to me. I have an iPhone, so if I don't have my phone with me, no SMS will save me ;-). In my case, I never needed or tried SMS.
N2by you're really getting lost in it and you're also mixing up two-phase and two-factor authentication. Go to the Apple website and read about it.
What is this garbled text?
I totally understand the disillusionment with how it works now. Those who have never had a problem will not understand, but that does not mean that there are no problems. It usually happens to me that when I log in to iCloud on my own Mac, it asks me for verification, while a window with the necessary code pops up over the window for entering the code - we can probably agree that this is wrong, and this was confirmed by Apple support. At the same time, the confirmation code appears on my iPhone in a window that is wider than the iPhone display; it overflows to the right outside the visible area, and the receipt of the code can be confirmed, but it cannot be read in its entirety, so I am at a dead end. In short, the two-factor authentication presented by Apple is not quite right and the fault is definitely on its side.
That's right, I log in to iCloud.com on a Mac and it asks for my password from two-factor authentication, which immediately pops up in a window on the same computer. So if someone got to my computer and wanted to log in to iCloud, they wouldn't have a problem even if they only have one device, which is stupid and completely defeats the purpose of two-factor security.
But two-factor isn't about a stolen device, it's about stolen credentials;) If you lose your device, of course, the first thing you do is to remove the lost device as authentication.
Or rather, the lost device should not be misused, because you cannot get into it through authentication as an unauthorized person, and as an unauthorized person you cannot even use it to confirm the second factor.
I broke the phone on KO, I was abroad for work.
I found an internet cafe to call my colleague, although even from the bar I can only find his phone number on iCloud. BAM, two-factor sent me the code to the Mac that was at home. Great, what solution should I have used? I'm sitting in an internet cafe, I don't have any contacts, I can't write an email, nothing...
I only have an iPhone and if I want to restore it, I have to take out the SIM card to give it to another device because I just don't know how to get the verification code. It's the biggest stupidity I've ever seen.