
Two factor authentication pops up on the same device

When I log in to this site, my Apple ID is requested. The two-factor authentication triggers, but I am asked for a code and am shown the code on the same MacBook I am working on. I attach the screenshot of what I see. This does not seem to add any extra security. How can I repair it or switch it off?

MacBook Pro 13″, macOS 11.1

Posted on Jun 9, 2021 11:55 PM

15 replies
Question marked as Top-ranking reply

Jun 10, 2021 10:23 AM in response to IdrisSeabright

It proves that you have access to a trusted device for the account you're trying to log in to.

No. As was kindly explained to me in this thread, it is protected by my login password and the AppleID password.

On top of that, 2FA appears to do nothing in this case except for proving that the user is able to read and write.


As a side remark, since, as was mentioned, Apple ID is needed to sign in everywhere (including to reply to this thread), why would I have a non-trusted device which cannot receive these codes?



Jun 10, 2021 9:48 AM in response to Michael Black

Thanks a lot. I am starting to see where my confusion was, but it still does not make sense to me.

How do you interpret "when you sign in on a different device or browser"? If I sign in to device A I should receive code to device B and vice-versa, no? Otherwise, if I receive the code to the same device, what is the point of asking me for the code on this device in the first place?



Jun 10, 2021 9:06 AM in response to Eric Root

Hi Eric,


Thanks for your answer. Could you please explain a bit more? This is my private computer; I trust it to receive codes. However, I assume that for real two-factor authentication the thief would have to have two of my (trusted) devices to log in. Whereas in this case I just copy the code from one window into another on the same device. I think it fails to identify which device is which.


Jun 10, 2021 9:10 AM in response to Shekhovt

The code will appear on all your trusted devices. It's designed to protect the Apple ID, not the device: you are expected to protect each device with a passcode (which you should take care not to forget since it can't be retrieved). If a thief has, say, your phone, the passcode would prevent him accessing the device. If he knows your ID and password and tries on another device he will get the demand for a code but not the code.

Jun 10, 2021 9:34 AM in response to Shekhovt

As explained in this support document (Two-factor authentication for Apple ID - Apple Support), all your trusted devices are devices you’ve confirmed are yours and under your control, hence they all simultaneously get the code whenever a 2FA code is required to log in with your AppleID. Trusted devices receive their codes over the internet via encrypted iCloud notifications.


“Trusted devices

A trusted device is an iPhone, iPad, or iPod touch with iOS 9 or later, or Mac with OS X El Capitan or later that you've already signed in to using two-factor authentication. It’s a device we know is yours and that can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser. An Apple Watch with watchOS 6 or later can receive verification codes when you sign in with your Apple ID, but cannot act as a trusted device for password resets.”


It is up to you to secure your own trusted devices.


“What to remember when you use two-factor authentication

Two-factor authentication significantly improves the security of your Apple ID. After you turn it on, signing into your account will require both your password and access to your trusted devices or trusted phone number. To keep your account as secure as possible and help ensure you never lose access, there are a few simple guidelines you should follow: 

  • Remember your Apple ID password.
  • Use a device passcode on all your devices.
  • Keep your trusted phone number(s) up to date.
  • Keep your trusted devices physically secure.”


Jun 10, 2021 10:19 AM in response to Shekhovt

Shekhovt wrote:

Ok, thanks all for taking your time to answer, really appreciate your hospitality. We cornered it, I can feel it. The question that remained unanswered:
What is the point of asking the user (e.g. me) to receive the code in one window and re-enter it into another window when on the same trusted device?


When logging in to an Apple web site, the system has no idea what machine that browser is installed on. So it simply requires a code whenever you log in to a web site with your AppleID. If someone were trying to do so (and even if they knew your password) and not on a trusted device, they’d not be able to see the code, and so would be blocked from using your AppleID.

Jun 10, 2021 9:52 AM in response to Shekhovt

Shekhovt wrote:

Thanks a lot. I am starting to see where my confusion was, but it still does not make sense to me.
How do you interpret "when you sign in on a different device or browser"? If I sign in to device A I should receive code to device B and vice-versa, no? Otherwise, if I receive the code to the same device, what is the point of asking me for the code on this device in the first place?

If device A and device B are both trusted devices, you will receive the code on both. 2FA is designed to protect your Apple ID, not any particular device. Devices are protected by passcodes. If someone has access to any of your devices either because they don't have a passcode or the passcode was compromised, that's a whole different problem.


Jun 10, 2021 10:03 AM in response to Shekhovt

Shekhovt wrote:

Well, I don't see how it protects Apple ID because as long as somebody can access the device he/she is also able to receive the code to that same device. It does seem to increase security in this case.

They would also need to know your Apple ID password. The "2" in two-factor authentication doesn't mean two devices. It means two factors which, in this case, are the Apple ID password and the six-digit code. If you don't have 2FA enabled, all someone needs is your Apple ID and password.


Don't leave your devices unlocked or, worse, un-password protected. Don't give the password to anyone. Don't let people you wouldn't trust with your wallet full of cash and your social security card have unsupervised access to your devices. These are basic safety steps regardless of 2FA status.

Jun 10, 2021 10:15 AM in response to Shekhovt

Because the system is designed to protect the Apple ID and anything you sign into with it (like iCloud or Podcasts Connect). Since you are signing in with a trusted device you are entitled to sign into the ID. The system is not designed to protect the device. That's what the passcode is for. If someone steals your device and knows the ID and password he can't make use of that if he doesn't know the passcode.


2FA protects the account.


The passcode protects the device.

Jun 10, 2021 10:17 AM in response to Shekhovt

Shekhovt wrote:

What is the point of asking the user (e.g. me) to receive the code in one window and re-enter it into another window when on the same trusted device?


It proves that you have access to a trusted device for the account you're trying to log in to. The part of the system that sends out the code to "all trusted devices" doesn't "know" (or care) what device you're trying to log into your account on (oversimplification). It may be a trusted device or it may not be.

Jun 10, 2021 10:45 AM in response to Shekhovt

Shekhovt wrote:


It proves that you have access to a trusted device for the account you're trying to log in to.
No. As was kindly explained to me in this thread, it is protected by my login password and the AppleID password.
On top of that, 2FA appears to do nothing in this case except for proving that the user is able to read and write.

Yes, it is true. 2FA protects your Apple ID by requiring that you have the password to the account and the 6-digit code which you can only get if you have access to a trusted device.

As a side remark, since, as was mentioned, Apple ID is needed to sign in everywhere (including to reply to this thread), why would I have a non-trusted device which cannot receive these codes?

"Trusted device" and "trusted browser" are not the same. I sometimes log into my account from my work computer which is a Windows machine. It is not a trusted device. I hadn't been near it for months (working remotely) until I went in yesterday. I had to get a 6-digit code to log in from that device. The code came to my phone and my MBP (which I had with me) and my watch. I selected to trust this browser. When I go in today, I won't need to enter the code as the browser will be trusted. The computer itself, however, is not and never will be trusted and will never receive codes. My office landline phone is a trusted number and I can receive codes on that.

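A minimal model of the flow the replies above describe, added here as an illustration; it is not Apple's implementation and not code from anyone in the thread. All names (`AccountServer`, `sign_in`, `submit_code`) and the in-memory device "inboxes" are assumptions. It shows why the code appears on the machine you are signing in from, and what the "trust this browser" step changes.

```python
import hmac
import secrets

class AccountServer:
    """Toy model of the sign-in flow discussed in the thread (hypothetical names)."""
    def __init__(self, password, trusted_devices):
        self._password = password            # a real service stores a salted hash
        self.inboxes = {d: [] for d in trusted_devices}  # device -> codes displayed
        self._pending = None                 # code awaiting entry, single use
        self._trusted_browsers = set()       # tokens issued via "trust this browser"

    def sign_in(self, password, browser_token=None):
        # The web request carries no device identity: only a password and a token.
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return "denied"
        if browser_token in self._trusted_browsers:
            return "signed_in"
        self._pending = f"{secrets.randbelow(10**6):06d}"
        for inbox in self.inboxes.values():  # pushed to every trusted device
            inbox.append(self._pending)
        return "code_required"

    def submit_code(self, code, trust_browser=False):
        pending, self._pending = self._pending, None   # one attempt per code
        if pending is None or not hmac.compare_digest(code.encode(), pending.encode()):
            return False, None
        token = None
        if trust_browser:
            token = secrets.token_urlsafe(16)
            self._trusted_browsers.add(token)
        return True, token

def demo():
    server = AccountServer("correct horse", ["MacBook", "iPhone"])  # constructed data
    results = {}
    # Owner, browser running on the MacBook: the code shows there and on the phone.
    results["owner_challenge"] = server.sign_in("correct horse")
    code = server.inboxes["MacBook"][-1]
    results["same_code_everywhere"] = code == server.inboxes["iPhone"][-1]
    ok, token = server.submit_code(code, trust_browser=True)
    results["owner_ok"] = ok
    # Same browser next time: the token is presented, so no code is requested.
    results["trusted_browser"] = server.sign_in("correct horse", token)
    # Password known, but on a machine with no inbox: challenged, code never seen.
    results["stranger_challenge"] = server.sign_in("correct horse")
    results["stranger_guess"] = server.submit_code("not-seen")[0]
    return results
```
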