Two Factor Authentication: really obvious questions that are never answered

Good questions:

The fact that 2FA verification codes are sent to ALL trusted devices isn’t really an issue IMO as:

1) the code can’t be viewed unless an authenticated user is using the device, AND

2) If it ever “pops-up” when YOU didn’t initiate it, you KNOW that someone else has obtained your AppleID password and is attempting to access your AppleID.

Re: Trusted Numbers:

Yes, your iPhone can also be a “Trusted Number” to optionally receive codes via SMS (only when you click “Didn’t Receive Code” option)

… but IMO this is a BAD idea as if your phone is ever stolen, the phone’s physical SIM - removed and installed in the theive’s device - WILL ALSO receive the code. (at least until you notify your carrier)

Also … and often overlooked …

… that your trusted devices - if signed-in - can ALWAYS generate verification codes - even with ZERO connectivity.

Hello MarkHurst,

Thanks for posting in the Apple Support Communities.

We do understand your hesitation about using Two-factor authentication for your Apple ID, however, this is the most secure method for accessing your account.

In regard to receiving the verification code on a trusted device, the Apple TV is not considered an option for being a trusted device. You can use your iPhone, iPad, iPod touch, Apple Watch or Mac. There is no option for excluding a particular device from being considered trusted when it's used with your Apple ID and linked to your account.

It is recommended that you provide a trusted phone number and even a second trusted phone number, if possible, when setting up your Apple ID. This will allow you to receive a verification code to an alternate option when you don't have access to your trusted device.

If you'd like more information this is discussed in Two-factor authentication for Apple ID - Apple Support

Best regards.

Hey MarkHurst,

Your trusted phone number doesn't have to be a device logged in with your Apple ID. It can be any number you trust and verify to be used for verification purposes.

This is outlined in the resource provided above.

Take care!

MarkHurst wrote:

I have resisted turning on 2FA for a number of years…

As an alternative to the current two-factor authentication scheme, hardware tokens are recently available:

About Security Keys for Apple ID - Apple Support

The second factor for authentication is the possession of any of these two-to-six hardware tokens.

As for the devices that you refer to as “toys”, Apple usually doesn’t send verification codes to those, as they are away from you or inactive. If you are actively using one of the ”toys” though, it can get a code. Apple tries to be smart about where it sends codes, rather than sending codes to everything.

Re: “… I want to make sure I can get an SMS …”

Replying separately as previous post had enough info already.

Your “trusted number strategy” should account for your “worst case” scenario. e.g. a regional natural disaster which separates you from ALL of your trusted devices AND possibly from your office and neighbors; accompanied by extended power AND comms outages.

Your trusted numbers … which only receive the codes one-at-a-time AND only when you explicitly send them …

… might best be a set of friends and relatives with wide geographic separation who you can reliably reach via voice telephone.

Note too that “Trusted Numbers” can also be received by Apple “robo-voice” calls to a non-SMS landline number.

Chattanoogan wrote:

…Any knowledge or thoughts on this one ?

The following three Apple ID multi-factor and account security options are mutually exclusive:

1. Recovery Keys
2. Hardware Tokens
3. The “traditional” Apple ID account recovery scheme: recovery contacts, trusted devices and trusted telephone numbers, and the rest of Apple Support and account recovery processing.

You get to pick which multi-factor scheme you want to use, but must have control over whatever scheme is currently selected to switch to a different multi-factor scheme. If you lose your recovery key (or one gets generated “for” you by a thief with a trusted device and its passcode), or if you lose all your hardware tokens, you’re permanently locked out.; you can’t fall back to Apple account recovery.

AFAIK, the only scheme that can override all the above is a legacy contact; what amounts to a legal process.

How to add a Legacy Contact for your Apple ID - Apple Support

Enabling Apple Advanced Data Protection and encrypting iCloud data blocks the other potential bypass path here; unauthorized or “backdoor” access to sensitive data stored in iCloud.

MarkHurst wrote:

Again, this is infuriatingly vague. The letter of your response seems to admit that the special case of the phone receving the SMS being the same phone that is locked out of the account, but I am drawing attention to the fact that it is a special case and asking if that makes a difference, because intuitively it seems quite likely that it would.

I don’t see anything confusing there. Trusted telephone numbers are a telephone network construct, and trusted devices are an Apple authentication and Apple networking construct; a device currently logged into an Apple ID.

The trusted telephone number is tied to a landline or to a SIM or eSIM, while the trusted device is tied to an Apple ID login.

Yes, a trusted telephone number can be “cohabiting” with a trusted device; the two can coexist.

And for completeness, if concerned about SIM swapping to transfer a trusted telephone number, set a PIN/PUK on the SIM, or use an eSIM.

This is outlined in the resource provided above.

I don't want an 'outline', I want specifics. If the resource provided above had given me what I needed I would not be here asking.

As you want documentation that better addresses your concerns or confusion, and that comprising an official answer, best contact Apple Support

MarkHurst wrote:

It seems technically possible that Apple could make this a special case, and my layman's understanding of 2FA suggests that they might want to do so.

I don’t see any unanswered questions here, though do see a case where any of the three variations of two-factor have yet to be enabled, and where you would prefer different handling for what is the most widely deployed two-factor authentication variant and/or wants different or changed or clarified documentation for it.

None of which is going to get resolved here.

Log your feedback with Apple: Product Feedback - Apple

I think what is being asked is if the trusted number can be received on the same device on which the verification code needs to be entered? If it can then frankly it would be a real flaw in the security system, but on the other hand, unless Apple started associating devices with phone numbers then I don't see any way to prevent this, so maybe it is possible.

Chattanoogan wrote:

… might best be a set of friends and relatives with wide geographic separation…

I’d use a recovery contact for that, and not a trusted number: Set up an account recovery contact - Apple Support

Re: “… I’d use a recovery contact for that … “

Indeed another VERY viable option which I’ve not personally explored and tested.

I do seem to recall that it is - or at least was at the time - limited to other AppleID users.

Because of my “targets” … I personally needed the “least common denominator” solution afforded by the PSTN’s telephony-based voice and SMS.

Re: “… I’d use a recovery contact for that … “

It was also less than 100% clear to me if Recovery Contacts would remain viable if Recovery Keys had been generated … ???

The available literature seemed to lean toward “No” but again, I’ve not personally tested this to confirm … yet. 😉

Any knowledge or thoughts on this one ?