I have only one(1) device, (my iPhone13) - no other cellular devices, landlines, or other phone numbers!
Does this mean that l can’t use 2FA because I won’t be able to provide another device or phone number?
[Re-Titled by Moderator]
TrikiMiki wrote:
Biometrics like Face ID and Touch ID are great alternatives because unlike 2FA they don’t rely nor depend on a “trusted” additional third party device or phone number to complete the authentication process. To the extent possible, I hope that one day they’ll completely replace and do away with 2FA.
Biometrics is one of the factors that is part of the 2FA protocol, although not used by Apple for account security and the reasons are described below. The meaning of 2FA is that you need any 2 of these 3 factors:
https://en.wikipedia.org/wiki/Multi-factor_authentication
Apple uses 2FA to protect your account from being accessed by an unknown device. Biometric data is stored only on your device in the Secure Enclave, so there would be absolutely no way for you to use your FaceID/TouchID on this unknown device to access your account because it would not have your biometric data stored on it. So, the 2 factors that Apple uses are:
You will see for the Something the user has, that is the one that uses the second phone number, but you can also see that a Security Key counts as something a user has, and Apple does allow a Security Key to be used for that second factor instead of the verification code sent to a Trusted Phone number.
About Security Keys for Apple Account - Apple Support
The main disadvantage to Biometrics as a factor in 2FA is that Biometrics is basically just data that you certainly would not want to be compromised. That is not possible on an Apple device since that data is stored in the Secure Enclave only on your device and never transmitted over the internet or shared where it could be compromised. If biometrics data were compromised, there is no reset option or ability to change it like you could do with a Password or Phone Number.
Sorry for the long explanation, but in this case felt like it was warranted to explain why biometrics is not going to replace 2FA and is only one of the factors for good reason. It is used with 2FA in some scenarios such as access to secure buildings where a person would have a Key Card for one factor, then biometric verification such as an iris reader as the second factor.
TrikiMiki wrote:
Biometrics like Face ID and Touch ID are great alternatives because unlike 2FA they don’t rely nor depend on a “trusted” additional third party device or phone number to complete the authentication process. To the extent possible, I hope that one day they’ll completely replace and do away with 2FA.
Biometrics is one of the factors that is part of the 2FA protocol, although not used by Apple for account security and the reasons are described below. The meaning of 2FA is that you need any 2 of these 3 factors:
https://en.wikipedia.org/wiki/Multi-factor_authentication
Apple uses 2FA to protect your account from being accessed by an unknown device. Biometric data is stored only on your device in the Secure Enclave, so there would be absolutely no way for you to use your FaceID/TouchID on this unknown device to access your account because it would not have your biometric data stored on it. So, the 2 factors that Apple uses are:
You will see for the Something the user has, that is the one that uses the second phone number, but you can also see that a Security Key counts as something a user has, and Apple does allow a Security Key to be used for that second factor instead of the verification code sent to a Trusted Phone number.
About Security Keys for Apple Account - Apple Support
The main disadvantage to Biometrics as a factor in 2FA is that Biometrics is basically just data that you certainly would not want to be compromised. That is not possible on an Apple device since that data is stored in the Secure Enclave only on your device and never transmitted over the internet or shared where it could be compromised. If biometrics data were compromised, there is no reset option or ability to change it like you could do with a Password or Phone Number.
Sorry for the long explanation, but in this case felt like it was warranted to explain why biometrics is not going to replace 2FA and is only one of the factors for good reason. It is used with 2FA in some scenarios such as access to secure buildings where a person would have a Key Card for one factor, then biometric verification such as an iris reader as the second factor.
FYI I did read your post and DO understand your situation. (That you don’t have any other phone lines).
That’s exactly why the Trusted Numbers are designed the way they are.
You can choise any one of your several pre-selected numbers to which you personally — or a personal agent with whom you can readily communicate — can access.
This could be an office number, a public phone, your sibling, or even a relative or business associate in another country by either SMS (to a mobile) or voice (to either a mobile or landline)
But if you choose to NOT use the 2FA protections Apple affords, caveat emptor.
If you truly find that you are regularly in a “comms desert” with truly no other phone lines belonging to anyone nearby …
… AND your new / replacement / untrusted device still has connectivity in that environment …
… AND you are vulnerable to loosing access your phone AND all other comms while in that environment.
… your situation is indeed quite unique.
Theoretically you can, but it’s risky and you usually want more ways to verify your identity with other trusted numbers and devices. For instance if you lose your only device and means of verification, you would be locked out of your account, forcing you to enroll in Account Recovery which can be a weeks long path and doesn’t necessarily guarantee you’ll get back into your account.
Of course you can use 2FA w/ a single device.
Having only one Apple device is NO REASON to NOT use 2FA to protect your Apple Account.
Apple provides the mechanism to send — via either voice or SMS — the Authentication Code to virtually any phone number worldwide. (e.g. friend, family member, work phone, Google Voice, etc.)
These are known as “Trusted Numbers” and you can have multiple trusted numbers setup to suit your particular situation and “recovery plan.”
So … recommend one setup the multiple trusted numbers for their Apple Account … practice using them … and utilize the strong protections afforded by Apple’s very solid security architecture.
Two-factor authentication for Apple Account - Apple Support
Get a verification code and sign in with two-factor authentication - Apple Support
Are you possibly under the (mis)impression that 2FA is required to actually use your phone ?
(e.g. when performing a re-boot or even to place or receive calls)
It’s NOT.
Apple’s 2FA protects your Apple Account; and is required to be used only when accessing your account from an untrusted device.
TouchID and FaceID provide access protection to your trusted device(s).
If you do set up 2FA and have problems because of it, consider getting a friend to help Set up an account recovery contact - Apple Support While not a complete substitute for having a second device or number, it could help you get out of a bind should you have problems with your account.
TrikiMiki wrote:
In its support article about Security Keys for Apple Account the company admits in a separate isolated paragraph, that a user could be locked out of his account given the right circumstances, which we all are aware of. So if Apple is worried about the use of 2FA and SecKeys, how am I supposed to feel? There are just too many variables, ifs and buts involved! I believe that Apple should develop another optional account security system based on a strong password + a physical attribute which only the user has (touch/face/iris). I for once won’t have any problem with Apple retaining a data inventory of my physical attributes for security purposes - I am no criminal so have nothing to hide.
Using a Password and biometrics is 2FA, but the problem is that your biometrics is only verified on your device, so if you lost your device, you would then be locked out of your account permanently. Biometric data must have a higher level of security for protection because it can never be changed like a Password, Trusted Phone Number, or Security Key. That is why the data is stored only on your device in the Secure Enclave for verification, and never stored on Apple Servers or sent across the internet.
You certainly would not want your biometric data stored in any other location for verification, because if that data was compromised, your identity would then be forever compromised, since it cannot be changed. If Apple stored your biometrics, your data would have to be sent to them for verification and there would be the chance that it could be intercepted by a bad actor. It is not about you being a criminal, it is about a criminal pretending to be you with that data and you having no way to change it like you can with the other factors of identity.
You will always have the possibility of being locked out of your account permanently in any case. It is not a matter of trusting the methods, it is simply the requirements you need to access an account securely and without them, you will have no access. With a Security Key or a Trusted Phone Number in the current implementation of 2FA, you are able to access your account on another device if yours was lost, stolen, or damaged. That would not be possible if the Password and your biometric data was required.
As Limnos pointed out there is also the option of setting up a Recovery Contact if you fear being locked out of your account. You do have many options to secure your account and also gain access to it. Biometrics is just not one of the factors for the many reasons described above.
let’s just say that if a user has a couple of additional devices and one more phone number then 2FA should be a safe option to use, but if he has only one additional device or one more phone number then his access could become risky business. I have none so for me 2FA seems to be out of the question.
Your second point might be true in theory, but I can tell you that recently when I accessed my account on a different unfamiliar to Apple device, I was promptly asked my sec questions. This also happens occasionally on my iPhone given the right circumstances.
TrikiMiki wrote:
I am suggesting the use of physical attributes (biometrics) as an optional second factor in 2FA, because unlike another device or phone number or security key you can never misplace lose break or have them stolen.
Oh yes that data can be stolen, which is why Apple does not want your biometric data being transferred over the internet to be stored on a server. What makes this more sensitive than any other data is, once it is stolen there is nothing you can do about it, because you cannot change your biometrics, and any current or future account that uses biometrics can be compromised.
If you think that is farfetched, you should be aware that biometrics data stored on computer servers has already been hacked, exposing the fingerprint data of 5.6 million Government employees. Thankfully with Apple's implementation , that is not possible.
https://www.wired.com/2015/09/opm-now-admits-5-6m-feds-fingerprints-stolen-hackers/
Anyway, you have the feedback link to send your suggestion to Apple. You have also been given many alternatives, such as using the Recovery Key. This 28 character key is only known by you and never stored on Apple's servers, so no need to worry about it being compromised. If you want to protect your account with the highest level of security and only a single device, that is the best way to do it.
Vẫn có thể.số điện thoại thì không được vì số điện thoại dùng để xác minh 2 bước.ngoài ra còn nhiều cách khác nữa.
Cũng cấp thiết bị thể hiện qua mã số MAC.MAC là 1 dãy số gắn liền với thiết bị cũng *** giấy khai sinh của thiết bị và không thể thay đổi.
Even if I had another device or phone number I would still hesitate to use 2FA because these can be fleeting non dependable factors, (say your verifying device becomes lost stolen or broken/inoperable, or your verifying phone number becomes invalid - somehow nil and void).
It might be less secure but I still feel more comfortable with my account password and a set of unique personal and private Q&As which Apple can utilize to further verify my identity.
In summary I would like to say that the reliance on more than 1 device to maximize safety and security could become problematic given the fact that nowadays people are dropping the use of 2 or more devices in their daily private lives. Current quality cellphones can do just about anything and everything (short of preparing coffee or dinner), and there is no real need to maintain additional devices like desktops laptops tablets or landlines. Apple should keep an eye on this trend and make sure to maintain top notch safety and security for all its customers, plus maybe start thinking about developing quality 1 device only systems.
You don’t seem to have read the entire discussion here. Unfortunately I don’t have other devices and/or phone numbers which I can or care to use in conjunction with 2FA. It is also important to remember that 2FA is not just about trusting other devices or phone numbers, it is also about trusting that they will be there whenever you need them, which is a different issue altogether. Anyhow, thanks for trying to be helpful.
Unfortunately for you then, more and more banks, online retailers, credit card companies, in fact everyone is moving towards 2FA authentication or passkeys (passkeys use biometrics like fingerprints or facial id) Passwords are so insecure because people typically create easy to guess passwords that result in them being compromised.
This is the way the online world is moving and there’s not much we can do about it. Lots of retailers no longer accept hand written paper checks either.
TrikiMiki wrote:
My final and conclusive thought:
2FA is all about variables which we might lose control over - it can be workable and practical for some, but problematic and not at all practical for others.
And required for some services on your phone. There are no compromises when it comes to account security especially with financial information. The method of using Security Questions, before two factor authentication was made available, has long ago been determined to be a security risk due to Social Engineering and the vast amounts of information readily available on the internet.
Can I use Two-factor authentication with only one iPhone?
