User profile for user: dsfarrar
dsfarrar Author
User level: Level 1
11 points

Two Factor Authentication

How does Apple’s 2FA protect against SIM-swap attacks? From the Apple’s support page description on 2FA, it sounds like all an attacker needs to do is briefly steal my phone number (or one of my “trusted phone numbers”, e.g. my spouse’s), and they can then reset my Apple ID account password to whatever they want. 2FA requires a “trusted” phone number, but phone numbers (or the carriers) cannot really be trusted, SIM-swap attacks are surprisingly easy and common for attackers to pull off.

iPhone X, iOS 14

Posted on May 2, 2021 3:59 AM

Reply

Similar questions

3 replies
User profile for user: rose_10
rose_10
User level: Community Specialist

May 3, 2021 7:50 AM in response to dsfarrar

Hello and welcome to Apple Support Communities dsfarrar,


Thank you for reaching out to us regarding Two Factor Authentication on you Apple ID. That is a very good question and we want to give you more information about Two Factor Authentication and how it protects your privacy. None of your private information is stored on the sim, it only allows access to your cell provider. There are 3 things required to sign into your account with Two Factor Authorization which are: password, trusted phone number & trusted device. Which means if hackers have your phone number, but not the device or password; the hackers still won't be able to gain access. Even with a trusted device and phone number, hackers would still need the password. You can read more about Two Factor Authentication in the link below.


Two-factor authentication for Apple ID


We hope this answers your questions. We take privacy very seriously here at Apple and you can find more information at the additional link below


Privacy


Thank you for contacting Apple Support Communities.

Reply
User profile for user: Sharon_419
Sharon_419
User level: Community Specialist

May 23, 2021 7:37 AM in response to dsfarrar

 dsfarrar,


With the "Find My App" and Two Factor Authentication, you should have all the needed tools to protect your Apple ID. It's not just the phone number, but the device as well. You can contact your carrier for their security precautions as well, and what information a potential hacker would need to gain access to your device. We have provided another article on how to protect your Apple ID.


Privacy ~ "Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in."


Keep your Apple ID secure on iPhone


Thank you for contacting Apple Support Communities.

Reply
User profile for user: dsfarrar
dsfarrar Author
User level: Level 1
11 points

May 22, 2021 3:19 PM in response to rose_10

My question is specifically about Two Factor Authentication and password resets. If an attacker can perform a SIM-swap attack, they only need to know 2 things to reset my password and take over my account: they need to know my Apple ID (which for most people is just an email address), and they need to know one of my "trusted" phone numbers (which for most people is just their own mobile number, or the phone number of one of their close social contacts, such as a spouse). They don't need one of my trusted devices, just control over a SIM card linked to one of the trusted phone numbers on my account. After they swap the trusted phone number to the SIM card under their own control, they initiate a password reset on my AppleID using a web browser and appleid.apple.com. 2FA may be enabled on my account, but because of the SIM-swap, the verification code to the trusted phone number goes to the attacker's device. They enter the code on their device and then change the password on my account to whatever they want. Then, they can log in using the new password they created, and any 2FA code again goes to the attacker's SIM card. At that point, the attacker has complete control over my account.


Again, phone numbers (or the mobile phone carriers) cannot really be trusted. SIM-swap attacks are surprisingly easy and common for attackers to pull off. So how does Two Factor Authentication protect me in this scenario?



Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Two Factor Authentication

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up