Why is a verification code being sent to the very iPad I am on?

So, I have two-factor authentication set up and when I sign in, it says I need to be verified. But, it then sends the verification code to the very iPad I’m already working on rather than to a different device!


What's up with that?


How can I fix it?


Plus, why does it request it every time I log into these forums? Why can't I just log in?



Posted on Jun 10, 2019 6:51 AM

Reply
33 replies

Jul 12, 2019 12:47 PM in response to AstroMacMan

AstroMacMan wrote:

Idris, you've said it's logical. Why is that? My understanding of 2fA is that the authentication code is sent to a separate device than the one the user is on. For example, for bank accounts, if you log on via a computer, and have 2fA set up, the bank sends you a text message or calls you to confirm your identity. That is, they contact you via a different device or method. Other institutions and organizations work similarly. You cannot get in using just one device.

That may be your assumption but that's not how it works. The "two" in 2FA doesn't mean two devices. It means two different factors (passcode and code) are required to unlock an account. As has been pointed out, repeatedly, even if the miscreant has your iPad (either unlocked or they have the passcode) and they can't log into your account without the account password. They won't even get the 2FA code (as far as I know) until they've entered the password.


If I log into bank accounts from my phone (not using apps), I get the code on my phone through SMS. The institution sending me the code doesn't know (or care) which devices I'm long in from and which ones they are sending the code to. All they know is that they are sending the code to an authorized number. Apple's method is actually more secure because they do not use SMS at all. SMS is vulnerable to some types of attacks.


Do you have an iPhone? If so, remove your iPad as a trusted device. The code will no longer be sent to the iPad but only to the iPhone (and whatever other trusted devices you may have).

Jun 10, 2019 7:01 AM in response to AstroMacMan

2FA codes always get sent to all of your trusted devices listed under your AppleID. That’s just the way the system works. You should be able to select to trust this browser for these forums and other Apple web sites so you don’t need the code every time.


You will always need a code whenever accessing your AppleID account management portal - https://appleid.apple.com/


Jun 13, 2019 6:40 AM in response to AstroMacMan

Even with the code sent to your device, they cannot get into anything related to your AppleID without your AppleID password. And if you use password fill, as long as you use a screen lock, they couldn’t open the device to use password autofill.


And if someone gets a hold of your device, you can go into your AppleID management page and untrust it.


For people with only one device, the code has to come to the requesting device else they can only access their AppleID with their backup telephone number. But unless that requesting device is unlocked for use, and the user knows the AppleID password, the code is useless.

Jul 12, 2019 12:31 PM in response to AstroMacMan

For people with only a single trusted device, how should it work then?


And yes, we already have confirmed it is designed to work that way, as explained in Two-factor authentication for Apple ID - Apple Support.


Any device or devices you have set up as trusted devices with your AppleID are treated identically, and verification codes will be pushed out to all your trusted devices any time a code is requested. I have 8 trusted devices and they all get every code, as they should.

Jul 12, 2019 12:51 PM in response to AstroMacMan

With banking apps, most rely on SMS texts for verification, so by default that means the code must come to a cellular telephone. If you're using the Bank's App on that same phone, then yes, you get in using just the one device. That's how my Bank of America app works, and in fact, since I'm using messages in iCloud, that SMS verification code does indeed come to all my Apple devices at the same time. So I am always logging in and receive my two step login code on the exact same device whenever I access my back account, retirement account, investment account, etc.


Apple uses iCloud notifications to push the code out to all your trusted devices, linked by the common AppleID used on them all. They had to do that so that devices other than iPhones would work with 2FA (although you can also enroll a SMS capable cellular telephone number as a backup for codes or a landline for voice codes). My backup number for 2FA codes is a Google voice number, so not a device at all, just a SMS capable VOIP service.

Jun 10, 2019 9:35 AM in response to AstroMacMan

Bear in mind that the ‘trust this browser’ seems to be kinda buggy....meaning you may be faced with trusting the same browser multiple times. This often happens on my ipad, which hasn’t been updated but will need to be retrusted every so often. Also if you browser updates you may need to re-trust it with each update.


2FA is not a bad thing to have, but sometimes it gets a little touchy.

Jul 12, 2019 12:22 PM in response to AstroMacMan

AstroMacMan wrote:


But let's say someone broke into my house and stole my iPad. That's where i would have thought 2fA would have protected me. It would prevent the thief from getting into my account. However, that doesn’t stop them because the authentication code is sent to the iPad they stole! Does that make any sense to you?!

Yes, it does. But, if it doesn't make sense to you and you have other Apple devices, you can remove the iPad as a trusted device.

Jul 12, 2019 12:27 PM in response to AstroMacMan

AstroMacMan wrote:

Glad it works for you! It doesn't for me. By the way, don't impugn me with causing identity theft problems, especially when you've cherry picked a comment.

Read further and you'll see that I do use a passcode when I take my iPad out of the house. But, at home, typing in a passcode is a waste of time. That's where convenience trumps paranoia. I also don’t keep confidential information on my iPad.

But let's say someone broke into my house and stole my iPad. That's where i would have thought 2fA would have protected me. It would prevent the thief from getting into my account. However, that doesn’t stop them because the authentication code is sent to the iPad they stole! Does that make any sense to you?!

Also, do you have a tip on how to instantly get back to what you were doing, without having to go through the lock screen and see what time it is?!


Unless the thief knows your AppleID password as well, just having the six digit code doesn't grant them access to your AppleID. They need both pieces of information to actually gain access to your AppleID. That's the point of 2FA. So your in-house scenario does not result in a compromised AppleID unless you've also given your password to the thief as well as access to an unlocked trusted device.

Jul 12, 2019 12:29 PM in response to AstroMacMan

AstroMacMan wrote:

Do you think it's logical that a 2fA code gets sent to the very device that one hopes would need a *separate* device to authenticate with? I would think it's a major issue and a lapse in security!

Yes, it's logical. You simply don't like the choices Apple has made. That's okay.

Can you confirm that it's supposed to work that way? Or, do you know if the behavior would change if I turned off 2fA and then turned it back on?

Yes, it is working the way it is supposed to. You cannot turn off 2FA. You can, however, if you have other Apple devices, remove the iPad as a trusted device.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Why is a verification code being sent to the very iPad I am on?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.