Related Article

Availability of two-factor authentication for Apple ID

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Question:

Question: Setting up two factor authentication security issue

I have just tried again to set up two factor authentication for Apple ID and have backed off for the same reason as last time when this was first introduced, when two step authentication was abandoned. At some point in the set up you are asked to enter not your Apple ID password but your device passcode. Nobody, not even the Pope, gets my device passcode and I have never before in any interaction with Apple been asked to provide this. Surely I cannot be the only person that finds this unacceptably intrusive and a breach of security? When you reach this point there are all sorts of dire warnings about iCloud data- I never use any aspect of iCloud except for Find my phone/Mac so that doesn't bother me except that you also find that all sorts of setting in iCloud which were firmly off are suddenly on!


Why is this being done? However much I trust Apple, they are not getting the plaintext of my device access codes. My concern is that for the moment you can avoid this by having security questions instead, but what if this is stopped? Will the choice be between giving up your most precious password, or reverting to pen and paper?

iPhone 8, iOS 11.2.6

Posted on

Reply

Feb 27, 2018 1:50 AM in response to zinacef In response to zinacef

Thank you, I have read and am able to follow that and the other relevant documents. What I am 'on about' is being requested to give Apple my device password as part of setting up authentication. I have used Macs since about 1985 and this is the first time that such a request has been made. Does this not strike you as troublesome from the point of view of your own security? What is the point of features such as filevault and other features relating to security if your master password is sitting in a database in a foreign country (or any country for that matter!). If you set up two factor authentication and then change your device password, you are asked to enter the new password! There is no way as far as I can find to have two factor authentication and not give out your device password. Two factor authentication is in principle a good idea but this implementation increases one area of security at the expense of another. I don't use cloud services so from where I sit improving cloud security at the expense of my devices' security is a a very poor choice. That is what I am 'on about'. Have I missed something?

Feb 27, 2018 1:50 AM

Reply Helpful
User profile for user: fred242

Question: Setting up two factor authentication security issue