User profile for user: Jfalconebmop
Jfalconebmop Author
User level: Level 1
30 points

Receive verification codes with no access to trusted phone number.

So I've recently witnessed something that confused me. This person no longer had access to their trusted phone number but needed to log in to appleid.apple.com. They had an IPad. They signed in for the first time in ICloud. They know their Apple ID password. When they signed in, it did not ask for a verification code but rather the passcode to the phone that had the trusted phone number. They put that in. Find my iphone got turned on, the iPad became a trusted device. The person signed onto to appleid.apple.com and received the verification code on the iPad they just signed into. They successfully got into the appleid.apple.com account page without access to the trusted phone number. My only possible theory to explain this is that they had previously signed into the iPad before, signed out and then signed back in without ever removing the iPad from the list of trusted devices. Is this possible? Or is it that you truly can sign in to a device for the first time in settings and make it a trusted device in order to receive verification codes simply by knowing the Apple ID, password and passcode of the trusted device of the trusted phone number. Can anyone who uses two factor she's some light on this? Because many people fall prey to losing access to their trusted phone number and resort to account recovery to change the trusted phone number despite knowing their apple is password.

Posted on May 30, 2017 11:29 PM

Reply
3 replies
User profile for user: j.villalba
j.villalba
User level: Level 2
150 points

May 31, 2017 2:58 AM in response to Jfalconebmop

The bold+italic text quoted below doesn't explicitly validate your question:

"Can you truly sign in to a device for the first time in settings and make it a trusted device in order to receive verification codes simply by knowing the Apple ID, password and passcode of the trusted device of the trusted phone number"

However! The second quote does actually validate what you described as a method of making a Mac a "Trusted Device" by signing into iCloud. Given that, I'd guess that what you observed is probably expected behavior.

I haven't found any articles/documentation suggesting this, but I feel like there might be other variables which affect Two-Factor Authentication log-in behavior that aren't made available to the public.

Either way, after I came across your post and found this answer, I changed my iPhone passcode from 4-digits to 6-digits ⚠


Source: Two-factor authentication for Apple ID

Trusted devices

A trusted device is an iPhone, iPad, iPod touch with iOS 9 and later, or Mac with OS X El Capitan and later that you've already signed in to using two-factor authentication. It’s a device we know is yours and that can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser.


Trusted phone numbers

A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.

You should also consider verifying other phone numbers you can access, such as a home phone, or a number used by a family member or close friend. You can use these numbers if you temporarily can't access your own devices.


Source: macOS Sierra: Use two-factor authentication for security

Add a trusted device

To make a Mac (OS X El Capitan or later) or an iOS device (iOS 9 or later) a trusted device, you must sign in to iCloud using your Apple ID account on the Mac or device.


On a Mac:

Choose Apple menu > System Preferences, click iCloud, enter your Apple ID and password, then click Sign In.

Enter the passcode you use to unlock your other trusted Mac or device, then click Continue.

Select the iCloud app options you want, then click Next.


On an iOS device:

Go to Settings > [your name] (at the top of the screen).

Verify your identity with a six-digit verification code.

If you previously signed in, sign in again. You won’t be asked for a verification code again on that device unless you sign out of iCloud completely, erase your device, or need to change your password for security reasons.

Reply
User profile for user: j.villalba
j.villalba
User level: Level 2
150 points

May 31, 2017 2:56 AM in response to Jfalconebmop

Oh, I forgot to mention this other bit.


Unlike two-step verification, SMS verification codes are generally only used as a backup authentication method to the 6-digit push notifications if the login circumstances allow. 6-digit push notification codes are implied to be the most useful and secure of Two-Factor Authentication's authentication methods.


Additionally, enabling Two-Factor Authentication assigns a LOT more importance to the Mac login password and iOS passcode.

Technically, a user must know their Mac login password or iOS passcode to reset their iCloud password or to access any of those SMS/pushed verification codes.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Receive verification codes with no access to trusted phone number.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up