Two-Step verification on the same device??!

After upgrading to macOS Sierra the following thing happened:


When I attempted to sign in to Apple Community with my MacBook Pro, I got a two step verification request and was asked to enter the 6 digit code as "somebody was trying to use my Apple ID from a place close to me"... about 300 km.

I accepted but the strange thing was that I got the 6 digit code on my Mac, where I was supposed to type it.


Very easy process but what is the sense of this if I get the same code I have to type in on the same device??!

I was expecting to receive it on my iPhone or via SMS.


Is there something strange with this event?


This repeated every time I tried to log into Apple Community, until I checked "Remember this browser".


Tnxs.

MacBook Pro

Posted on Sep 22, 2016 2:57 AM


Sep 22, 2016 8:21 AM in response to Jet787

This happened to me as well. My guess is that your Mac is the only trusted device at the moment, so the only option for Apple is to send the code there.


If you go to iCloud settings in System Preferences, and click Account Details, you can see what devices are trusted under the Devices tab. For me, it says my iPhone is not usable as a trusted device, and I haven't bothered to see if I can change that yet, but I imagine it is doable somehow.


Edit: I just came across a thread discussing the same thing, and found this answer, which solved the issue for me: Re: Why did Apple show the two-factor authentication code on the same device I was logging in with?

Sep 22, 2016 4:58 AM in response to Jet787

Two-factor authentication is not protecting your Mac. It is protecting your AppleID login.

Apple has a list of your known (trusted) devices in your AppleID account. It sends the code to those devices. If you lose one of those devices, you need to log into AppleID and remove the device.

As far as a "new device" is concerned, the browser you are using on your Mac is a "device." So, if you switch browsers, or the identification data used to determine if it is the same browser is lost, then when you try to log in, you have a "new device" even though it is the same old Mac you've been using.


There are three ways you can authenticate: what you know (passwords, PINs), what you have (your iPhone, a token card or USB), and what you are (biometrics).

Two-factor Authentication uses two of those three things to ensure it is you who is unlocking your AppleID account, not unlocking your Mac.

Sep 22, 2016 8:29 AM in response to Barney-15E

Tnxs but I am confused and I tell you why: if two-factor authentication is protecting my AppleID login, how can it be considered protected if I am getting the 6 letter code on the same device where I am asked to type it?

It is as if I went to an ATM and I was asked to write my bank card pin and the suggestion like: "Please insert your bank card pin, which is 0000".

That is not safe at all.

Do you mean that the browser is one thing and my Mac is another thing, so that if I am browsing on my Mac, in order to secure the two-step verification for my AppleID in the browser, I will be getting a 6 digit code on my Mac, which just by chance is the same device where the browser (to be validated) is running?? Is this correct?


Finally I have another question: by checking the trusted devices I see that only my Mac and iPhone are trusted, not my iPad, AppleTV and AppleWatch. How can I make them trusted as well? Do I need to update all to iOS 10? Another strange thing is that on the iCloud trusted device screen it is stated that my AppleWatch is running watchOS 2.2.1 while actually it is running watchOS 3.0.

Sep 22, 2016 8:45 AM in response to Jet787

I still do not understand where the security feature is if I am getting the code in the same device where I am requested to write it...

You are accessing iCloud. And Apple is sending a verification request to a device that you own and registered as your trusted device, that is currently online and close to you. Only you should be sitting in front of your own Mac and have access to it. That is why you can access your AppleID account if you can enter the digits on a trusted device.


I am very glad that Apple is not insisting on sending the verification request only to my iPhone but right to the computer where I am sitting. This way I do not have to try to find my iPhone and to charge it, whenever I need to verify my identity.

Sep 22, 2016 5:25 PM in response to Jet787

Jet787 wrote:


Tnxs but I am confused and I tell you why: if two-factor authentication is protecting my AppleID login, how can it be considered protected if I am getting the 6 letter code on the same device where I am asked to type it?

Because it is one of your trusted devices. If you no longer trust that device, remove it from the list of devices.

If you let anyone use your Mac, and you give them your AppleID password (or use a simple one that you use on every other website on the internet), then you have no security.

Your AppleID is protected because someone would have to both steal your Apple device and your AppleID password. If they only steal your Mac, but don't have your password, they can't log in.
