
Flaws of two factor authentication and suggestions to iOS Password & Security team

Summary


If you enable two-factor authentication (2FA) on your iPhone, please make sure the trusted phone number is not the number of that same iPhone; otherwise, a thief who has peeked at your passcode is able to reset your iCloud password in a minute and disable "Find My iPhone".


As an ordinary iPhone user who has used iOS since iOS 3 on an iPod touch, I believe the iOS Password & Security team should at least suggest to the user that it is better to use a phone number other than the one in the phone.


I know very little about UX, but below is my mockup for an updated tooltip (updated text in orange) for Trusted Phone Number that I think can educate iPhone users that it is not a good idea to use the phone's own number as a trusted phone number.



Suggestion for ordinary iPhone user


  1. Use another phone number as your trusted phone number, such as a parent's or a friend's, but never the phone number of the phone itself; for the reasons, see my story below.
  2. When you use your iPhone in a less secure place, such as on the metro, do not enter your passcode, to avoid it being seen by malefactors; you should protect your passcode like your credit card PIN.
  3. If you must use your iPhone in a less secure place, you can try the Guided Access functionality, and make sure to set a different passcode to unlock it.



TL;DR


There have been numerous posts about flaws of iOS 2FA in the community, such as "Apple ID Two Factor Authentication is Flawed", and sadly, I have just learned it the hard way: my iPhone was ripped out of my hand on the metro while unlocked. I immediately borrowed someone else's smartphone on the metro in order to activate Lost Mode, and sadly found out that my iCloud account password had already been changed.


After I filed a complaint at the local police station, I checked the email address that I use for my iCloud account, and to my surprise, it seems my iCloud account password was changed about 5 minutes after my iPhone was stolen.


When I had calmed myself down, I tried to reset my password; after I entered all the info I have, I still needed to wait 3 days to be able to reset it. It made me laugh: a thief who had ripped off my iPhone was able to reset my password in 5 minutes, yet as the owner, after providing all my info, I still needed to wait 3 days before I could reset my password. I was really upset.


I borrowed an iPhone from my friend and tried to understand how the thief could reset my password so quickly, and to my surprise again: if you know the passcode of the iPhone, and the iPhone also has 2FA enabled with the trusted phone number set to the same phone, then you are able to reset it by 1) entering the passcode, 2) entering the Apple ID code sent to the phone.


Interestingly, by comparison, on an iPhone without 2FA enabled, after you enter the passcode you need to 1) answer 2 security questions, 2) enter the Apple ID code sent to your email address. Personally, I think my iCloud account is more secure on an iPhone without 2FA in my case, where my passcode was seen and my iPhone was ripped off by a thief.



Thanks to anyone who has read this far, and apologies for my poor English; it is my first time writing a post in the community. I hope my story can increase your security awareness and help you use the 2FA functionality of iOS correctly.





Posted on Sep 26, 2022 2:21 PM

Question marked as Best reply

Posted on Sep 26, 2022 2:56 PM in response to Kevin-Hibert

Security is a series of trade-offs, including between the added protection provided and decreasing the ease of use.


Two-factor is something Apple provides which can reduce exposure to password compromise, whether from getting phished or from password re-use.


If your password-reset paths are compromised, yes, your Apple ID can be compromised.


Your approach of protecting your reset path by not carrying it is also an option, though a number of folks don't have reliable or trusted access to a second telephone. What do I mean by trusted? A close associate or partner can leverage a shared telephone number into further access. And you may have had a different recovery path exposed via password reset email messages.


If you want better security against reset-path compromise cases, Apple offers a recovery key mechanism as well as allowing friends or associates to assist with account recovery.


To log your feedback with Apple: Product Feedback - Apple


