Unrequested 2FA Apple ID text.

I did not say SMS is not used. But it is not the default.

And when I change my AppleID password, I simply login to my AppleID account using an iCloud encrypted notification code, and then change the password.

You’re talking about resetting a forgotten passcode or using account recovery. And yes, those two specific situations use texts. Those are not default AppleID 2FA situations. Those are special circumstance codes specifically used as part of the forgotten password reset process or the account recovery process.

If you erase your cookies in your web browser on your iPhone, iPad or Mac and then try to login with your AppleID here again, the code will appear as a popup iCloud notification and will not be sent as a text.

Apple 2FA codes are not sent as texts. By default they are sent as encrypted iCloud notifications to all your trusted devices. They would only ever be sent via SMS text if you specifically requested a code over your backup cellular telephone number.

So if you’re getting texts with apparent codes in them, it’s likely a scam. Were there any links in the text to respond or verify or anything like that?

That I cannot answer. Perhaps they are not using the forgotten password reset process, but using the account recovery process? If your AppleID payment source was compromised, they could be trying to use the card number to trigger account recovery. But I am not sure even that would explain the the code as I thought the system sends an email first for you to confirm that you are the card holder and you are trying to recover your account. The recovery code would follow after that confirmation.

But I have never actually gone through account recovery so am not sure about that process. It is for people to use when they forgot both the AppleID primary email and the password so have no option but to provide personal ID info for the system to recover access to their account.

No, the older 4 digit 2 step verification codes were sent as SMS texts. The newer 6 digit 2 factor authentication codes are sent by encrypted iCloud notifications. They are only sent by SMS if for some reason you cannot receive an iCloud notification and need a code sent as SMS or automated voice message using your backup registered telephone number.

I used 2 step verification for years, and have been using 2 factor authentication since it was introduced with iOS 10 so I know how both system’s codes work. And 2FA codes arrive to your trusted devices as a pop up iCloud notification.

Two-step verification for Apple ID - Apple Support

Two-factor authentication for Apple ID - Apple Support

Get a verification code and sign in with two-factor authentication - Apple Support

And my source is me. As I said, I used both systems for years. I switched after years with 2 step verification to 2 factor authentication several years ago now when iOS 10 came out. My codes always come as iCloud notifications (as shown in the picture in that link above) on both my iPhones, all 3 of my iPads and my 2 Macs all at the same time.

Apple deliberately moved to the longer 6 digit code format, and the use of encrypted iCloud notifications as that is an end to end encrypted communication system entirely under their control. It is far more secure than SMS texts.

iCloud notifications are the default system for 2FA codes, unless you don’t have access to a trusted device to receive that. Then you can use an SMS or voice telephone number to receive a code.

Anyone still using the older 2 step verification system will get their 4 digit code via SMS text, as that was the default (and sole means) means used with that older system.