What is the point of asking for 2-factor authentication to log into a device that is being used to display the second factor?

I log into iCloud and get this on my screen:


It's asking me to copy some numbers from one box to another ...why?

I dutifully do it and get the following:


Why wouldn't I trust the browser I just used? And why do I have to trust this browser EVERY time I log in. And maybe in five minutes time when I try to open a shared iCloud file I'll be asked the same stupid question.

Is Apple's security that dumb?



MacBook Pro 13″, macOS 11.6

Posted on Feb 14, 2024 2:49 PM

Question marked as Top-ranking reply

Posted on Feb 16, 2024 12:53 PM

mailjeh wrote:

Hello John, I read your comments on the thread you referred to and can see what you're saying. I guess my point is that if you're already on and using a 'Trusted Device' why bother sending out more codes AND displaying them on that same trusted device. I'd understand if the codes were displayed on another separate trusted device but to display it on the device you're using is a lowering of security if anything.


Issue you are focused upon: stolen device


Issues Apple ID 2FA is addressing: compromised Apple ID credentials


Issues you are focused on: not covered by Apple ID 2FA.


Issues Apple ID 2FA is addressing: Apple ID password re-use and cramming, Apple ID phishing, and particularly these and other activities and these Apple ID credentials exploits that are happening remotely from yourself and remotely from your devices, and that do not involve your devices.


If you want Apple ID 2FA separate from and not associated with Messages, SMS, or phone calls, configure and use NFC or USB security keys, or (potentially more problematic) a recovery key. That addresses issues particularly with SMS, but does not address device theft.


Your iPhone or iPad can itself be used as a second factor in some cases, an approach which—like the Apple ID 2FA—reduces the exposure to passcode compromises.


With iPhone, Stolen Device Protection can act sorta-kinda like a second factor for the iPhone passcode itself, using common locations as the second factor. If you want 2FA for your iPhone or iPad itself in addition to the device passcode or password, I've not encountered a means to provide that (past Stolen Device Protection), and you will want to log feedback with Apple.




26 replies

Feb 15, 2024 10:05 AM in response to mailjeh

mailjeh wrote:

…I just think it's pretty daft to have the 2FA code appear on the same device that I'm entering the 2FA code into. If there was any any lack of trust for the MacMini I'm using to log in to iCloud why are Apple sending the 2FA code to it? It doesn't make any sense.


The current two-factor authentication design is a last-ditch defense against password cramming, against password reuse, obvious or guessed passwords, and against phishing and spear-phishing.


Not against an attack initiated from your own device. That your own logged-in and trusted device is prompted for the two-factor code is a convenience feature.


If you believe you are at higher risk for shenanigans, consider enabling Lockdown Mode, enabling Stolen Device Protection, consider configuring hardware security keys, or maybe a recovery key. Add a PIN for your cellular account, and—if using SIM and not eSIM—add a SIM PIN / PUK, too.

Feb 16, 2024 10:07 AM in response to mailjeh

Short answer: device security ≠ Apple ID security.


Please read Two-factor authentication for Apple ID - Apple Support. If you're missing the point, re-read the boldface type.


If you're still confused please review Two factor authentication - approved on same device? - Apple Community.


Regarding the continuous reappearance of "trust this browser" refer to Two-factor authentication to this discussion site. - Apple Community. Use of a VPN, proxy server, or anything else that changes that Mac's IP address would be the obvious answer.

Feb 16, 2024 10:32 AM in response to mailjeh

mailjeh wrote:

Sorry Hoff, but you're totally missing my point. 2FA is like securing the treasure with two combination padlocks - one on the door of the room and one on the treasure chest. You need to know two different combinations. You know the number for the first padlock (your Mac's login) - you open the door and what d'you know - the second combination is written on the chest! That is Apple's 2FA in a nutshell. I sincerely hope that makes it clear.

That is not two-factor authentication. Knowing both passwords is the same factor. You've just doubled down on one factor, DDOOFA. Now, if one had a key (something you have) and the other had a combination (something you know) you would have two-factor security.

Feb 16, 2024 12:56 PM in response to mailjeh

mailjeh wrote:

Well it sounds like you're getting it - indeed knowing two passwords isn't 2FA. So logging into a device with a password, and then having the second password displayed (by Apple) on the same device is clearly NOT proper 2FA but that is what they do.

No, it is exactly 2FA. You know something (your password) and you have something (your Apple device). The code confirms you have one of your trusted devices. If you lose one of your trusted devices, you need to mark it as untrusted.

Feb 16, 2024 11:17 AM in response to mailjeh

mailjeh wrote:

Hello John, I read your comments on the thread you referred to and can see what you're saying. I guess my point is that if you're already on and using a 'Trusted Device' why bother sending out more codes AND displaying them on that same trusted device. I'd understand if the codes were displayed on another separate trusted device but to display it on the device you're using is a lowering of security if anything.

Again, 2FA is not designed to protect the security of your device. It's designed to protect your Apple ID. And, by using a password to unlock your device, you've already indicated that you are authorized.


If you have reason to be concerned that someone else has access to your device passwords, change them. And do not leave them unlocked and unsupervised.

Feb 14, 2024 4:55 PM in response to mailjeh

mailjeh wrote:

I log into iCloud and get this on my screen:


It's asking me to copy some numbers from one box to another ...why?
I dutifully do it and get the following:


Why wouldn't I trust the browser I just used?

It could be a browser on a public use computer. You could trust it if you want, but I wouldn't.

And why do I have to trust this browser EVERY time I log in. And maybe in five minutes time when I try to open a shared iCloud file I'll be asked the same stupid question.

Are you using any internet security which is possibly blocking cookies or something more intrusive?

Feb 15, 2024 9:43 AM in response to mailjeh

Because malicious individuals have been breaking into user accounts via the Internet (which means they can be anywhere) and stealing personal information, pictures, and buying things with the stored credit cards after changing the shipping address.


Before Apple implemented 2FA, there were news stories of famous people having their information stolen by unscrupulous people and selling it to tabloids, and other unethical news outlets.


Those malicious people are not breaking into your house to do this.


And for the much smaller chance someone steals your Mac, they have to get past your Mac login password and then get past your Apple ID password, before they can take advantage of 2FA showing up on your Mac.


So have you been reading about famous people having their Apple ID account broken into and their pictures sold to tabloids, recently? I haven't, because 2FA is actually working for the job it was intended to solve.

Feb 16, 2024 11:20 AM in response to mailjeh

You are NOT logging into your Mac. You are logging into the Apple ID Internet based account. Something that ANYONE IN THE WORLD can do from anywhere.


A 6-digit code is being delivered JUST to your Mac (or iPhone, Apple Watch, iPad), and NOT to any of the billions of other users that could be logging into your Internet based Apple ID account.


And unless you have a Web Cam looking over your shoulder displaying your Mac's screen for the world to see, any one else attempting to login to your Internet based Apple ID account will not see the 6-digit code presented just to you.


And both MrHoffman and myself have given you pointers to using a secondary token device that is not your Mac, nor your iPhone, Apple Watch, iPad if you are that concerned about having someone looking over your shoulder when you attempt to login to your Internet based Apple ID account.


You are welcome to send your feedback to Apple at

Feedback - macOS - Apple

And inform them of all the errors they are making when presenting the 6-digit code on your Mac.


Personally, I think it works well at keeping the rest of the world out of my Apple ID account, and I trust my Wife (a computer professional) not to attempt breaking into my Apple ID account.

Feb 16, 2024 3:37 PM in response to mailjeh

mailjeh,


I would like you to do an "Experiment".


  • Ask a trusted Friend or Family member if you can use their computer, and via their web browser go to
https://discussions.apple.com

You do not have to trust me that the above URL is correct, as you have been visiting Discussions for days now, so you can manually enter the URL, and that way you know I am not trying to lead you astray.


  • When you get to the Apple Discussions forum, click "Login".
  • Enter your Apple Discussions forum Apple ID email address.
  • You should be prompted for your Apple ID password.


  • Then you should be prompted for your 6-digit code.


WHAT YOU WILL NOT SEE, is Apple sending that 6-digit code to your Friend or Family member's computer screen.


Your Trusted Mac, your iPhone, your Apple Watch, and/or your iPad however, WILL be sent the 6-digit code.


BEFORE entering the 6-digit code, you can just close the browser window, as I hope you will agree this demonstrates that the 2nd factor ONLY goes to something you have, and not to just anyone's computer, which keeps Your Apple ID account safe from the billions of other users on the Internet.


You are NOT asked if you Trust your Friend or Family member's computer until after you have successfully entered the 6-digit code. And in this instance, you SHOULD NOT indicate your Friend or Family member's computer is Trusted.


This same procedure could be used on a public Internet access device, such as computers in the public library. And again, you would never indicate that a public Internet access device is Trusted.
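The "Experiment" above, and the earlier remarks about the "trust this browser" prompt coming back when cookies are blocked or the IP address changes, can be checked against a small model of the flow. This is an added toy simulation, not Apple's code: the 6-digit code, the per-device delivery and the browser-trust token are assumptions chosen to mirror what the thread describes.

```python
# Added example: a toy model of the Apple ID 2FA flow described in the thread.
# Assumptions (not Apple's implementation): 6-digit codes, codes pushed only to
# device ids registered to the account, browser trust stored as a cookie token.
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str
    trusted_devices: set                                  # devices that receive codes
    trusted_browsers: set = field(default_factory=set)    # cookie tokens that skip the code
    pending: dict = field(default_factory=dict)           # device id -> outstanding code


def login(acct: Account, password: str, browser_cookie):
    """First factor. Returns ('fail'|'ok'|'need_code', None)."""
    if password != acct.password:
        return "fail", None
    if browser_cookie in acct.trusted_browsers:
        return "ok", None                  # previously trusted browser: no code prompt
    code = f"{secrets.randbelow(10**6):06d}"
    # The code goes to every registered device, never to the requesting browser.
    acct.pending = {dev: code for dev in acct.trusted_devices}
    return "need_code", None


def code_shown_on(acct: Account, device_id: str):
    """What a given screen would display; None for any unregistered device."""
    return acct.pending.get(device_id)


def verify_code(acct: Account, code: str, trust_this_browser: bool):
    """Second factor. On success optionally mints a browser-trust cookie token."""
    if not acct.pending or code not in acct.pending.values():
        return "fail", None
    acct.pending = {}                      # single use
    token = None
    if trust_this_browser:                 # 'Trust this browser?' answered yes
        token = secrets.token_hex(16)
        acct.trusted_browsers.add(token)
    return "ok", token


def untrust_device(acct: Account, device_id: str) -> None:
    """A lost device is removed so it no longer receives codes."""
    acct.trusted_devices.discard(device_id)
    acct.pending.pop(device_id, None)
```

Clearing cookies, a different browser, or a VPN that changes what the server keys trust on all amount to `browser_cookie=None` here, which is why the prompt reappears.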

Feb 16, 2024 9:40 AM in response to MrHoffman

Sorry Hoff, but you're totally missing my point. 2FA is like securing the treasure with two combination padlocks - one on the door of the room and one on the treasure chest. You need to know two different combinations. You know the number for the first padlock (your Mac's login) - you open the door and what d'you know - the second combination is written on the chest! That is Apple's 2FA in a nutshell. I sincerely hope that makes it clear.

Feb 16, 2024 9:53 AM in response to mailjeh

You seem to miss the point that Apple's 2FA is to protect you from the internet, which cannot see the chest and the numbers written on it. That will only happen on YOUR Mac (or iPhone, Apple Watch, iPad). The Internet attackers do not have your Mac, so they do not see the number written on the chest.


That is the entire point of Apple's 2FA.


And MrHoffman's suggestion to buy your own yubikey or similar 2FA token device and use it, gives you the ability to put the token device in your pocket, or in a wall safe in your home if you are that worried about physical access to your Mac and Apple ID account.
