User profile for user: Alexome
Alexome Author
User level: Level 1
41 points

2-factor authentication is joking with me (serious bug?)

It seems to me that there is a serious bug in 2-factor authentication. I'll walk you through what happens. Let me know if you think this is a bug or if you think I might have wrong expectations about how this should work.


I am in Safari on a Mac mini. While signing in with my Apple ID at https://discussions.apple.com/, I get the following prompts:


Prompt 1:


Prompt 2:



Prompt 3:


At the time of prompt 1, the window with the map you see in prompt one is also displayed on my iPad:



Please note! The verification code you see in prompt 2 is shown on the Mac mini, not on the iPad! The window on the iPad simply disappears after I click "Allow" in prompt 1 on the Mac mini.


This is completely wrong, isn't it? The verification code should have been displayed on the iPad. The iPad is not actually used for authentication.

iPad, iOS 12

Posted on Nov 3, 2019 3:11 AM

Reply

Similar questions

7 replies
User profile for user: LACAllen
LACAllen
User level: Level 8
43,590 points

Nov 3, 2019 9:25 AM in response to Alexome

The window with the map in prompt 1 should not even appear on the Mac mini in my opinion.

How else would one allow the request? Again, the system has no way of knowing which trusted device you are using when you make the request. The request is sent to all trusted devices. The Mac Mini is a trusted device.


Mac mini is not a "new device", so another question is why 2-factor authentication is even triggered at this time.

If you signed in to iCloud on it using the same 2FA enabled Apple ID, you would have needed a code and by using the code, you made it a trusted device.


You should really read up on 2FA. You don't seem to understand how it works.


See >>> https://support.apple.com/en-ca/HT204915

Reply
User profile for user: LACAllen
LACAllen
User level: Level 8
43,590 points

Nov 3, 2019 8:37 AM in response to Alexome

Please note! The verification code you see in prompt 2 is shown on the Mac mini, not on the iPad! The window on the iPad simply disappears after I click "Allow" in prompt 1 on the Mac mini.

This is completely wrong, isn't it? The verification code should have been displayed on the iPad. The iPad is not actually used for authentication.

This is the behaviour I see in the same scenario.


After telling the system on the Mac Mini that you are allowing the request for a code, why would you expect that code to be sent "unrequested" to the iPad as well? No action on the iPad should result in no code sent.

Reply
User profile for user: Alexome
Alexome Author
User level: Level 1
41 points

Nov 3, 2019 9:28 AM in response to Eric Root

So, after entering the Apple ID and password, Apple checks for trusted devices associated with the Apple ID, and if the computer used (in this case the Mac mini) is among them, 2-factor authentication is now only a choice, but no longer a requirement. I could use the iPad to request a code, but I don't have to. Do I understand this correctly?

Reply
User profile for user: Alexome
Alexome Author
User level: Level 1
41 points

Nov 3, 2019 9:18 AM in response to LACAllen

The window with the map in prompt 1 should not even appear on the Mac mini in my opinion. Control over signing in should be passed to the person with a trusted device associated with the Apple ID - in this case, the iPad. Only if the person with the iPad clicks on "Allow" should a code be shown on the Mac mini.


Btw, the Mac mini is not a "new device", so another question is why 2-factor authentication is even triggered at this time.

Reply
User profile for user: LACAllen
LACAllen
User level: Level 8
43,590 points

Nov 3, 2019 9:33 AM in response to Alexome

2-factor authentication is now only a choice, but no longer a requirement. I could use the iPad to request a code, but I don't have to. Do I understand this correctly?

I don't understand how you arrived at this conclusion.


Regardless of which device you are signing in to using your 2FA enabled Apple ID, the sign in request with the ALLOW option is sent to all trusted devices that are online. Logically, you would click ALLOW on the device you want to sign in on and the code will only be sent there.


All other trusted devices will see only the request. Not the code.

Reply
User profile for user: Alexome
Alexome Author
User level: Level 1
41 points

Nov 3, 2019 9:57 AM in response to LACAllen

2-factor authentication is now only a choice


The process may still be called 2-factor authentication, but what I mean is that another device is not needed to request a code. The whole idea of 2FA is that ANOTHER device is used, which in this case is not required.


I could use the iPad to request a code, ...


yes I could and this would be the only option, if the Mac mini were not trusted.


Logically, you would click ALLOW on the device you want to sign in on and the code will only be sent there.


Wrong. This is not logically, it is optionally. I could also use the iPad.


I have been signed in to this Mac mini for several days. It is not a new device. Because it is known as a trusted device, I can request the code on it. Why Apple prompted 2FA at this time is still open.


Thanks for assisting. Case closed.


Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

2-factor authentication is joking with me (serious bug?)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up