
2FA Authentication Does Not Work on Phone which is set to LOST when Possible.

Unfortunately, I witnessed a stolen-phone and phishing situation in which two-phase authentication was still active and the other devices were not stolen. The solution could be as easy as requiring second-phase authentication on some resources in Find My Phone.


The problem is that when your phone is stolen, you leave a message and a contact number. The hackers then send a phishing message with a deep link similar to "http://map-icloud.me/XCc1SD".


It does not matter if you have enabled 2FA (two-phase authentication). You simply click the link and provide your username:password credentials, and your phone is lost forever.



The cause of this is that the "Find My" page has access to the "Remove Device" resource on iCloud. There should be authorization with a "second phase" identity controller to satisfy 2FA.

The "Find My iPhone" page on the web can be accessed with user ID and password only. This can be OK in some situations, such as setting a phone as lost.

But it is not acceptable when you are removing the device's relationship with the iCloud account without satisfying the second phase.


In fact, in most cases, hackers and thieves use this as a well-known back-door vulnerability, because there is no authorization with the second phase when removing the phone from the related Apple iCloud ID.

Apple can easily stop this issue: if the customer has another active Apple device, or by sending an SMS to the SIM card, checking the CVC2 code, or a predefined keyword, with a second key which belongs to the user independently, which is a requirement of 2FA.


iPhone 12 Pro Max

Posted on May 13, 2022 10:48 AM
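The distinction the post draws between password-only actions and actions that should need a second factor is usually called step-up authorization. The sketch below is an added example, not part of the original post and not Apple's code; the action names, the `Session` type and the five-minute freshness window are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Assurance(IntEnum):
    PASSWORD = 1        # username and password only
    SECOND_FACTOR = 2   # password plus an independent second factor

# Hypothetical action names, mapped to the minimum assurance each requires.
REQUIRED = {
    "locate_device": Assurance.PASSWORD,
    "mark_as_lost": Assurance.PASSWORD,
    "remove_device": Assurance.SECOND_FACTOR,
}
STEP_UP_MAX_AGE = 300  # assumed: seconds a second-factor proof stays fresh

@dataclass
class Session:
    user: str
    second_factor_at: Optional[float] = None  # time the second factor was verified

def record_second_factor(session: Session, verified: bool, now: float) -> None:
    """Store the verification time only when the second factor actually passed."""
    if verified:
        session.second_factor_at = now

def authorize(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'step_up' (ask for the second factor) or 'deny'."""
    needed = REQUIRED.get(action)
    if needed is None:
        return "deny"  # unknown actions fail closed
    if needed == Assurance.PASSWORD:
        return "allow"
    proved = session.second_factor_at
    if proved is not None and 0 <= now - proved <= STEP_UP_MAX_AGE:
        return "allow"
    return "step_up"  # a password alone is never enough for this action

if __name__ == "__main__":
    s = Session(user="constructed-user")  # constructed sample session
    for act in ("mark_as_lost", "remove_device"):
        print(act, "->", authorize(s, act, now=1000.0))
    record_second_factor(s, verified=True, now=1000.0)
    print("remove_device ->", authorize(s, "remove_device", now=1100.0))
```

With this policy, credentials captured by a phishing page still allow marking a device as lost, but removing the device returns `step_up` until a second factor is proven within the freshness window.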

Question marked as Top-ranking reply

Posted on May 13, 2022 11:40 AM

This is primarily a user-to-user support forum; other Apple users like you. You may want to also post to Apple via Feedback - iCloud - Apple

