2FA Authentication Does Not Work on a Phone Which Is Set to LOST When Possible.
Unfortunately, I have witnessed a stolen phone and phishing situation where Two-Phase Authentication was still active and the other devices were not stolen. The solution could be easy: require second-phase authentication on some resources in Find My Phone.
The problem is that when your phone is stolen, you leave a message and a number for contact. The hackers then send a phishing message with a deep link similar to "http://map-icloud.me/XCc1SD".
It does not matter if you have enabled 2FA (Two-Phase Authentication). You simply click the link, provide your username:password credentials, and your phone is lost forever.
The cause: this "Find My" page has access to the "Remove Device" resource on iCloud. There should be authorization with a "second phase" identity controller to satisfy 2FA.
The "Find My iPhone" page on the web can be accessed with user ID and password only. This can be OK in some situations, such as setting a phone as lost.
But it is not acceptable when you are removing the device's relationship with the iCloud account without satisfying the second phase.
In fact, in most cases hackers and thieves use this as a well-known back-door vulnerability, because there is no authorization with the second phase while removing the phone from the related Apple iCloud ID.
Apple could easily stop this issue: if the customer has another active Apple device, or by sending an SMS to the SIM card, checking the CVC2 code, or a predefined keyword with a second key which belongs to the user independently, which is a requirement of 2FA.
iPhone 12 Pro Max
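The post's point is that "mark as lost" and "remove device" carry very different risk, so a password-only session should be enough for the first but not the second. The following is an added example of a step-up authentication policy for exactly that split; it is not Apple's code and says nothing about how Find My is actually implemented. Every name in it (Session, Account, STEP_UP_WINDOW, remove_device and friends) is a hypothetical model built for illustration, and the weak variant is there only to show the difference from the hardened one.

```python
"""
Added example (not Apple's code): step-up authentication for sensitive account
actions. A password-only session may mark a device as lost, but removing a
device from the account additionally requires a recently presented second
factor. All names and the 5-minute freshness window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# How recently the second factor must have been satisfied for a high-risk action.
STEP_UP_WINDOW = timedelta(minutes=5)


@dataclass
class Session:
    user_id: str
    password_verified: bool
    # When the second factor was last satisfied in this session; None if never.
    mfa_verified_at: Optional[datetime] = None


@dataclass
class Account:
    user_id: str
    devices: Set[str] = field(default_factory=set)
    lost: Set[str] = field(default_factory=set)


class StepUpRequired(Exception):
    """Raised when the caller must present the second factor before proceeding."""


def _now() -> datetime:
    return datetime.now(timezone.utc)


def mfa_is_fresh(session: Session, now: Optional[datetime] = None) -> bool:
    """True if the second factor was satisfied within STEP_UP_WINDOW."""
    now = now or _now()
    return (session.mfa_verified_at is not None
            and now - session.mfa_verified_at <= STEP_UP_WINDOW)


def _password_session_ok(account: Account, session: Session) -> bool:
    # Base check shared by every action: correct user, password already verified.
    return session.password_verified and session.user_id == account.user_id


def mark_lost(account: Account, session: Session, device_id: str) -> bool:
    """Low-risk action: a password session is sufficient (matches the post's view)."""
    if not _password_session_ok(account, session) or device_id not in account.devices:
        return False
    account.lost.add(device_id)
    return True


def remove_device_weak(account: Account, session: Session, device_id: str) -> bool:
    """The policy the post complains about: removal gated by password only."""
    if not _password_session_ok(account, session) or device_id not in account.devices:
        return False
    account.devices.discard(device_id)
    account.lost.discard(device_id)
    return True


def remove_device(account: Account, session: Session, device_id: str,
                  now: Optional[datetime] = None) -> bool:
    """Hardened policy: removal also needs a fresh second factor in this session."""
    if not _password_session_ok(account, session) or device_id not in account.devices:
        return False
    if not mfa_is_fresh(session, now):
        # Do not fall through to the action; the client must complete step-up first.
        raise StepUpRequired("second factor required to remove a device")
    account.devices.discard(device_id)
    account.lost.discard(device_id)
    return True


def phished_password_scenario() -> dict:
    """Constructed scenario: attacker holds the user's password but no second factor."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    weak_acct = Account("user@example.com", devices={"phone-1"})
    hard_acct = Account("user@example.com", devices={"phone-1"})
    phished = Session("user@example.com", password_verified=True)  # no mfa_verified_at
    weak_removed = remove_device_weak(weak_acct, phished, "phone-1")
    try:
        remove_device(hard_acct, phished, "phone-1", now=now)
        hard_removed = True
    except StepUpRequired:
        hard_removed = False
    return {"weak_removed": weak_removed, "hard_removed": hard_removed,
            "hard_still_has_device": "phone-1" in hard_acct.devices}
```

The design choice worth noting is that the second factor is checked per action with a freshness window, not once at login: a session that satisfied 2FA days ago should not be able to silently unlink a device either.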