Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

crashoverride77

macrumors 65816
Original poster
Jan 27, 2014
1,234
213
so 2step is finally working on iCloud.com apart from find my iphone. So when you go to look for a device you can still ERASE it. It even warns you that it will remove the device from your trusted list.
This is awesome because if your password gets stolen all your devices can be erased and removed from trusted devices and you can only log back in via your Security code. :mad:
 

madsci954

macrumors 68030
Oct 14, 2011
2,725
658
Ohio
Another way to look at it, you only have one device. It gets stolen, how are you suppose track or lock it? In its current state, you change your password, and restore your backup. The backups are encypted (if you use a passcode or Touch ID) now and your cloud data is safe.
 

Rigby

macrumors 603
Aug 5, 2008
6,210
10,148
San Jose, CA
Another way to look at it, you only have one device. It gets stolen, how are you suppose track or lock it? In its current state, you change your password, and restore your backup. The backups are encypted (if you use a passcode or Touch ID) now and your cloud data is safe.
Unfortunately nothing has changed with regard to the security of iCloud backups. It is still possible to download the backup with just the iCloud password and extract most of the data (the only exception being data that are tied to the device, like the keychain). The only thing that has changed is that users now receive a notification when their cloud backup has been accessed (previously hackers could download the backup without the owner ever knowing).
 

anyjungleinguy

macrumors 6502
Mar 6, 2012
308
217
Unfortunately nothing has changed with regard to the security of iCloud backups. It is still possible to download the backup with just the iCloud password and extract most of the data (the only exception being data that are tied to the device, like the keychain). The only thing that has changed is that users now receive a notification when their cloud backup has been accessed (previously hackers could download the backup without the owner ever knowing).

False.
 

crashoverride77

macrumors 65816
Original poster
Jan 27, 2014
1,234
213
Another way to look at it, you only have one device. It gets stolen, how are you suppose track or lock it? In its current state, you change your password, and restore your backup. The backups are encypted (if you use a passcode or Touch ID) now and your cloud data is safe.

I agree with you its just weird since 2 step is ment to make your account more secure. So a stolen password is not a disaster especially now since it works on iCloud.com apart from the fact that all your devices can still be whiped.
Why not allow find my ihpone but to erase it you will need your 2step verification key?
 

anyjungleinguy

macrumors 6502
Mar 6, 2012
308
217
This is just a bug in the Elcomsoft tool. Restoring an iCloud backup from an account with 2-factor authentication does still NOT require a secondary code. You can easily try this yourself by restoring a cloud backup to an iOS device.

You can't sign into a iCloud on a new device without a two factor authentication code. If you can't sign into iCloud, you can't restore from an iCloud backup.
 

Rigby

macrumors 603
Aug 5, 2008
6,210
10,148
San Jose, CA
You can't sign into a iCloud on a new device without a two factor authentication code. If you can't sign into iCloud, you can't restore from an iCloud backup.
I restored a new phone from an iCloud backup just yesterday. I did it from the initial setup process (the same that you get after erasing a phone). I was never asked for a secondary code.
 

Solver

macrumors 65816
Jan 6, 2004
1,220
3,192
USA
Did your account have two factor authentication activated?

Mine is activated and I couldn't restore a backup on a new device without a second authentication.
 

Rigby

macrumors 603
Aug 5, 2008
6,210
10,148
San Jose, CA
Did your account have two factor authentication activated?
Yes, of course.
Mine is activated and I couldn't restore a backup on a new device without a second authentication.
Well, that's not what I saw yesterday (but it's exactly how I think it *should* work). I don't have another new iOS device to test right now unfortunately.
 

Primejimbo

macrumors 68040
Aug 10, 2008
3,295
131
Around
I restored a new phone from an iCloud backup just yesterday. I did it from the initial setup process (the same that you get after erasing a phone). I was never asked for a secondary code.

When I set up my new iPhone 6 and my wife did too, it asked us. We sent it a text to the phone we were setting up and it went from there. Even when I upgraded my iPhone 5s to iOS 8 it asked me to verify myself. Not sure what you're doing, but 3 times it asked me.

My daughter ran into it also updating to iOS 8 along with mom on her iPad. Both also have 2 step verification set up.

So 5 family members had this happen and people on here had it happen, something tells me you don't have it set up.
Did your account have two factor authentication activated?

Mine is activated and I couldn't restore a backup on a new device without a second authentication.

It happens to me too, I was very happy
 
Last edited:

crashoverride77

macrumors 65816
Original poster
Jan 27, 2014
1,234
213
When I set up my new iPhone 6 and my wife did too, it asked us. We sent it a text to the phone we were setting up and it went from there. Even when I upgraded my iPhone 5s to iOS 8 it asked me to verify myself. Not sure what you're doing, but 3 times it asked me.

My daughter ran into it also updating to iOS 8 along with mom on her iPad. Both also have 2 step verification set up.

So 5 family members had this happen and people on here had it happen, something tells me you don't have it set up.


It happens to me too, I was very happy

Yeah they have definitely added two factor to the set up process, I had to verify both my iPad and IPhone during the setup process for iOS 8. I think it's great same goes for iCloud.com, I just wish you couldn't erase in find my iPhone without second verification first.
 

Primejimbo

macrumors 68040
Aug 10, 2008
3,295
131
Around
Yeah they have definitely added two factor to the set up process, I had to verify both my iPad and IPhone during the setup process for iOS 8. I think it's great same goes for iCloud.com, I just wish you couldn't erase in find my iPhone without second verification first.

But if the worse that can happen is they wipe my phone and I just have to restore it, I can live with it. It's a lot better than someone stealing your data.
 

Rigby

macrumors 603
Aug 5, 2008
6,210
10,148
San Jose, CA
But if the worse that can happen is they wipe my phone and I just have to restore it, I can live with it. It's a lot better than someone stealing your data.
Depends on the situation. I'm quite dependent on my phone when traveling these days, and it's not so easy to restore then. Also remember that they can just as well wipe your computer if you have "Find my Mac" activated (which is what happened to Matt Honan when his account was hacked).

I agree that 2-factor should be enabled for "Find my iPhone". At least we now get a notification when someone logs into iCloud from an unknown device and starts tracking our location ...
 

crashoverride77

macrumors 65816
Original poster
Jan 27, 2014
1,234
213
Depends on the situation. I'm quite dependent on my phone when traveling these days, and it's not so easy to restore then. Also remember that they can just as well wipe your computer if you have "Find my Mac" activated (which is what happened to Matt Honan when his account was hacked).

I agree that 2-factor should be enabled for "Find my iPhone". At least we now get a notification when someone logs into iCloud from an unknown device and starts tracking our location ...

This is the problem I see, the hassle of doing the resets. It's great that the data is safe and find my iPhone should work without 2step, just not the ERASING and LOCKING.
If someone gets the password of an Apple ID and they realise that 2step is on they will almost certainly erase the devices, even if it's just for fun because they cannot do anything else. Exactly like you said happened to Matt, and if you have no backup you could loose a lot of private data.
 

Primejimbo

macrumors 68040
Aug 10, 2008
3,295
131
Around
This is the problem I see, the hassle of doing the resets. It's great that the data is safe and find my iPhone should work without 2step, just not the ERASING and LOCKING.
If someone gets the password of an Apple ID and they realise that 2step is on they will almost certainly erase the devices, even if it's just for fun because they cannot do anything else. Exactly like you said happened to Matt, and if you have no backup you could loose a lot of private data.

At least it's a step in the right direction. As long as you don't use the same password for multiple things, you should be fine, but I do see your point. Seeing I have Touch ID now, I am going to make my iTunes password a little longer now. It's not bad now, but I think it could be better.
 

crashoverride77

macrumors 65816
Original poster
Jan 27, 2014
1,234
213
At least it's a step in the right direction. As long as you don't use the same password for multiple things, you should be fine, but I do see your point. Seeing I have Touch ID now, I am going to make my iTunes password a little longer now. It's not bad now, but I think it could be better.

Yes it is. Not having 2 step before on icloud.com and during ios set ups was a major flaw, and hindered me to moving all my emails to an icloud alias.
 

Solomani

macrumors 601
Sep 25, 2012
4,785
10,477
Slapfish, North Carolina
Need clarification regarding 2-Step Authentication:

The iCloud website states you need "another device", and that devices needs to be able to verify using SMS. But that device also needs to authenticate using a valid phone number.

Sooo…. this means that iPads, iPods, PC/Mac cannot be used to verify a 2-Step Authentication. In other words, someone correct me if I am wrong, an iPhone (or another smartphone) is absolutely necessary to own in order to even initiate 2-Step Authentication?

For example, an iMac or a PC can send messages via SMS easily. But they don't have phone numbers. Same can be said with an iPad Air or an iPod touch.
 

Rigby

macrumors 603
Aug 5, 2008
6,210
10,148
San Jose, CA
The iCloud website states you need "another device", and that devices needs to be able to verify using SMS. But that device also needs to authenticate using a valid phone number.

Sooo…. this means that iPads, iPods, PC/Mac cannot be used to verify a 2-Step Authentication.
Apple can deliver the authentication codes to any iOS device via Apple Push Notification as long as it has Internet access. The trusted phone numbers for SMS are an additional delivery channel (and the number doesn't have to belong to an iPhone, but can be any type of phone that can receive SMS). So yes, you can add your iPad as a trusted device. Using a PC/Mac is currently not possible though. As far as I remember, you are required to add at least one trusted phone number.
 

MoodyM

macrumors 6502a
Aug 14, 2008
778
25
I got asked on my iPhone 6 Plus today to verify. The only 2 options I had were "iPhone 6 Plus" or "phone number ending xxx".

So basically I'm verifying that device from the device that I'm already on...
 

crashoverride77

macrumors 65816
Original poster
Jan 27, 2014
1,234
213
Need clarification regarding 2-Step Authentication:

The iCloud website states you need "another device", and that devices needs to be able to verify using SMS. But that device also needs to authenticate using a valid phone number.

Sooo…. this means that iPads, iPods, PC/Mac cannot be used to verify a 2-Step Authentication. In other words, someone correct me if I am wrong, an iPhone (or another smartphone) is absolutely necessary to own in order to even initiate 2-Step Authentication?

For example, an iMac or a PC can send messages via SMS easily. But they don't have phone numbers. Same can be said with an iPad Air or an iPod touch.

Yes you MUST HAVE at least one valid phone number (on a device SMS Capable) to use 2step but I don't think it has to be an iphone. In addition to the phone number you can use other ios devices like iPads/iPods if you got find my iPhone turned on (think you must install the app as well).
That's what I do, use my iPad air and my telephone number. You cannot use Macs yet as a trusted device. We don't know yet how Apple will handle 2step via SMS with continuity working on ios8 and OS X Yosemite, probably the reason they delayed SMS continuity until October to figure this out.
Hope that helps but feel free to ask more questions
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.