User profile for user: jennamarietx
jennamarietx Author
User level: Level 1
67 points

Two-factor authentication problem

When I login to my Apple ID or iCloud.com on my Mac, Two-Factor Authentication pops up a notice saying "Your Apple ID is being used to sign in to a new device. Enter this verification code on the web to sign in," and displays the code. Yes, I mean it pops up this notice on my Mac screen, right alongside the browser window where I am trying to login! Is this STUPID or what? I see no advantage whatsoever from a security standpoint; after all, if someone knew my ID and password and was at my Mac to login, this layer of "security" would only cost them a few seconds of delay.


Comments and advice are more than welcome!


Thanks,

Jenna

Mac mini (Late 2014), iOS 12

Posted on Sep 22, 2018 6:23 PM

Reply

Similar questions

4 replies
User profile for user: FoxFifth
FoxFifth
Community+ 2025
User level: Level 10
475,395 points

Sep 23, 2018 5:16 PM in response to jennamarietx

jennamarietx wrote:


... Actually, I understand how two factor authorization is supposed to work; ..

Sorry but you don't. I had the same reaction when two-factor was first released but after some thought I realized that Apple's security team understood exactly what they were doing. The code is supposed to be sent to all of your trusted devices including the device that is originating the request and that does not reduce the security of your Apple ID in any way.


jennamarietx wrote:


...therefore the "crook" attempting to login to my Mac would not have access to the code and would be unable to login. ...

The two-factor code has nothing to do with anyone trying to log into your Mac. It is to prevent someone from logging into your Apple ID.


Note that if they 1) know your Apple ID password and 2) also have stolen one of your trusted devices and 3) also have the passcode/password to access that device, they can then access your Apple ID.


And they can do that whether or not Apple sends the code to the originating device. If they had all of those things and Apple did as you think they should and did not send the code to the originating device, all the thief would have to do is attempt to log into your Apple account via a Windows PC for example; then using the 3 things above they would have access to your Apple account.

Reply
User profile for user: FoxFifth
FoxFifth
Community+ 2025
User level: Level 10
475,395 points

Sep 22, 2018 7:00 PM in response to jennamarietx

Two factor authentication is designed to protect your Apple ID. If someone knows your Apple ID password and if they have access to one of your trusted devices (i.e., if they have the device and have the passcode to unlock the device), then they have both of the two factors. It does provide an increased level of security -- without two factor, they would only need to know your password.

Reply
User profile for user: jennamarietx
jennamarietx Author
User level: Level 1
67 points

Sep 23, 2018 4:02 PM in response to FoxFifth

Thank you for your reply. Actually, I understand how two factor authorization is supposed to work; if the verification code was sent to my iPhone or to either of my iPads, then it would indeed make sense, because none of these devices would be likely to be near my Mac; therefore the "crook" attempting to login to my Mac would not have access to the code and would be unable to login.

As I described, what actually happens is the verification code is sent to my Mac, the exact same Mac that I am attempting to login to--how does this provide security? Any hacker would laugh his head off if he encountered this sort of scenario.

Seriously, why doesn't Apple send the code to whatever device is NOT being logged into? Such as my iPhone.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Two-factor authentication problem

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up