Apple Migrating iOS 11 and macOS High Sierra Users With Two-Step Verification to Two-Factor Authentication

[iDento]

You don't need a cell phone, only a trusted device.

That's from Apple:
A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.

Here's the link:
https://support.apple.com/en-us/HT204915

 

[anonnymouse]

this will only make life more difficult for those of us with older AppleIDs attached to a non-Apple email address who are forced to keep using to avoid losing 10 years of purchases. Apple still doesn't allow combining accounts.

Possibly related: Apple still (as of now) supports using two Apple ID's: one for iCloud, and a separate one for the App Store.

My (much, much older) Apple ID used for the App Store has no connection to iCloud. So, it seems there's no "trusted" devices signed in that could receive the notifications - aren't trusted devices only ones that are signed in to iCloud?

Will iOS 11 allow the current scheme of having two Apple IDs - one for iCloud and a different one for the App Store?

 

[Primejimbo]

That's from Apple:
A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.

Here's the link:
https://support.apple.com/en-us/HT204915

Trusted number, doesn't have to be a cell number.

 

[steve333]

I get a notification when I start my computer that I need to step up to 2 step authorization in order to log into icloud.
I still haven't done it. Why don't they leave us the heck alone and let us decide if we want it or not?

 

[iDento]

Trusted number, doesn't have to be a cell number.

What can it be then? My first language isn't english! Maybe I am missing something?
It can't be a landline, right?

 

[Primejimbo]

What can it be then? My first language isn't english! Maybe I am missing something?
It can't be a landline, right?

It can be a land line. I know people who use it as a back up. It calls you, and says the number.

I seriously don't know why people are complaining about this. They are protecting you data. If something happens to your Apple ID (gets hacked), you call Apple.

At this point if you don't comply after the date, the Apple ID holder is responsible for all that happens... if someone gets it and makes charges against it. That's just my opinion.

 

[RobinInOR]

Well, it took me 45 minutes to set it up for 2 ipads, 1 phone, 1 mbp, and I'll probably have to do something for the tv. I had to start it a couple of times with some extra reboots. It would ask me for the password for ipad 1 and then it wouldnt take it, had to try a couple of times

Interesting, i did my iphone last, which is a6+ with a 4 digit passcode. When my mbp safari asked me for a passcode to get into the apple dev website, it asked me for those 4. I wonder if i had done my newer devices last it would have used that 6 digit

Simple in concept, but when you have a bunch of devices, you really have to pay attention to which code goes where, if its asking for the verification code, your icloud password, or your device password. Errors in macOs and my 12.9 ipad didnt help at all. Macos kept giving me system preferences errors.

 

[thefourthpope]

This always gives me a frustrated chuckle when I receive the code on the very device I'm trying to sign on with. Seems like apple should know that the device is trusted (else why send a code there?) and therefore let me sign on to iCloud.com or whatever. And then I chuckle again when the first email I see when I sign onto iCloud is....an email from apple, telling me that I've signed on.

Of course I'm glad they have security in place.

 

[rob_saunders]

As someone who travels constantly and has a new sim every week, two factor is already the bane of my existence. If this is true, I am either jailbreaking or moving to android, because I literally cannot use two factor sim based auth. And I'm an Apple iOS developer so this isn't really a light decision - what the hell apple.

 

[Primejimbo]

As someone who travels constantly and has a new sim every week, two factor is already the bane of my existence. If this is true, I am either jailbreaking or moving to android, because I literally cannot use two factor sim based auth. And I'm an Apple iOS developer so this isn't really a light decision - what the hell apple.

What does a SIM car have to do with this? It's connected to you Apple device. How can people be mad when they are given stuff to protect their data? I constantly swap SIM cards on my work phone, haven't had an issue.

You need a number of some sort, it doesn't have to be yours. It can be a land line as well.

iPod Touches don't even have a SIM card.

2 years ago celebrities get their pictures leaked: "Apple must do something, this is outrageous!"
Now: "Apple is making me protect my data! How dare they!"

All they are doing if you have the old system, they are moving you to the new system. I don't even think they require anything at all.

The title even has migrating in it from old to new, not forcing.

 

[jimthing]

Possibly related: Apple still (as of now) supports using two Apple ID's: one for iCloud, and a separate one for the App Store.

My (much, much older) Apple ID used for the App Store has no connection to iCloud. So, it seems there's no "trusted" devices signed in that could receive the notifications - aren't trusted devices only ones that are signed in to iCloud?

Will iOS 11 allow the current scheme of having two Apple IDs - one for iCloud and a different one for the App Store?

This^.

Tried using 2FA with my 'store' A-ID (simply "firstname.lastname"; note NOT a full email address!) and it doesn't even give you the option of using it... so how the flip does this then work, Apple!

Of course their (totally useless) help page simply omits this detail completely, as per usual.

 

[rob_saunders]

What does a SIM car have to do with this? It's connected to you Apple device. How can people be mad when they are given stuff to protect their data? I constantly saw SIM cards on my work phone, haven't had an issue.

You need a number of some sort, it doesn't have to be yours. It can be a land line as well.

iPod Touches don't even have a SIM card.

2 years ago celebrities get their pictures leaked: "Apple must do something, this is outrageous!"
Now: "Apple is making me protect my data! How dare they!"

All they are doing if you have the old system, they are moving you to the new system. I don't even think they require anything at all.

The title even has migrating in it from old to new, not forcing.

You obviously didn't read my message. Land line? I already said I travel full time and don't have regular access to a sim. And "What does a SIM card have to do with this?" Obviously you didn't read the article either.

Many security authorities are coming out with advisories saying SMS is not a secure mechanism and recommending not to use it for two factor. Which it isn't... any security professional will tell you the same. It's just so easily flawed.

NIST just a few months ago declared the age of two factor with SMS as over and started putting pressure on regulatories to remove or discourage it - and here we have Apple classing it as a more secure feature. Lol. They really keep doing everything to prove they've lost touch lately.

Lastly, yes it's a migration to the new system but it also says 2fa is required to use many features of iCloud, so... we don't know what those are but I assume account administration and Apple Pay and what else? Is it really excusable to be locked out of a product you own and features it should be able to do because you don't happen to have a SIM card, or more likely, don't want your identity verification mechanism to be at the hands of some random phone company?

So... enough said.

 

[masterhiggins]

I can't wait for MacOS High Colonic.

 

[PBG4 Dude]

@rob_saunders Apple doesn't use SMS to xfer 2fa codes. It uses your iCloud account to xfer codes to devices connected to your iCloud account.

 

[Primejimbo]

You obviously didn't read my message. Land line? I already said I travel full time and don't have regular access to a sim. And "What does a SIM card have to do with this?" Obviously you didn't read the article either.

it doesn't use SMS like the old system, that's the point. You obviously don't know how this works.

If you read the article, you would have read this:

The two security methods are similar in many ways, but two-factor authentication automatically sends a six-digit verification code to all trusted devices registered to a given Apple ID, whereas two-step verification manually prompts users to send a four-digit code to any SMS-capable trusted device registered.

see, so SMS on the new system.

Many security authorities are coming out with advisories saying SMS is not a secure mechanism and recommending not to use it for two factor. Which it isn't... any security professional will tell you the same. It's just so easily flawed.

again, it doesn't use SMS, and you don't even need an internet for it to work. SMS is only a back up, that's it.

NIST just a few months ago declared the age of two factor with SMS as over and started putting pressure on regulatories to remove or discourage it - and here we have Apple classing it as a more secure feature. Lol. They really keep doing everything to prove they've lost touch lately.

you're right, again doesn't use SMS. But even if you use SMS, you rather use nothing than SMS?

Lastly, yes it's a migration to the new system but it also says 2fa is required to use many features of iCloud, so... we don't know what those are but I assume account administration and Apple Pay and what else? Is it really excusable to be locked out of a product you own and features it should be able to do because you don't happen to have a SIM card, or more likely, don't want your identity verification mechanism to be at the hands of some random phone company?

Apple isn't forcing you to do this. I think if you don't use the extra security that Apple offers, if anything happens to that persons Apple ID, they (the Apple ID holder) are held 100% liable for any changes and any issues.

2FA is needed for home kit, and to log into a Mac using an Apple Watch. I think that's it. So if you don't use that stuff, then don't use it at all. Again, an iPod touch does not have a SIM card. My iPad and MacBook doesn't have a SIM card either and I get the 6 digit code sent to them, again you didn't read the article. I just popped my SIM card out of my iPhone, logged into iCloud .com, and still got the 2nd factor sent to me over wifi.

Again, there is an option to get the 2nd factor without cell or internet on any trusted device. Settings > Apple ID > password and security > get a verification code and its right there.

So... enough said.

I seriously don't know what the big issue is. Do you log into iCloud all the time? I do maybe once a week, and it's not an issue. The only time you need the 2nd factor is when you get a new device or log into iCloud.com (and you can have the computer remember you if you want).

 

[jc1350]

I applaud Apple for implementing two-factor auth, but I wish they would use TOTP like all my other accounts (Microsoft, Google, Dropbox, and my employer). One program (Authy is my chosen app) rules them all.

 

[Supermacguy]

As someone who travels constantly and has a new sim every week, two factor is already the bane of my existence. If this is true, I am either jailbreaking or moving to android, because I literally cannot use two factor sim based auth. And I'm an Apple iOS developer so this isn't really a light decision - what the hell apple.

You should file a bug/complaint to Apple directly. Maybe it will mean "dev phones" have a different way to authenticate or get put into "dev mode" like Android does it.

 

[centauratlas]

This over authentication trend is tiresome. What is worse is when they assume that you have a cellphone. Not everyone has a cellphone and not everyone who has a cellphone has cell service at home. There are large swaths and many pockets of the USA without cell service. The US Social Security office now requires you to have a cellphone to do this sort of authentication where they text a code to your phone that you are then supposed to enter on your computer at their web site. There is no other way. I talked with their 'customer' service and they said that they're getting a lot of complaints about this and will fix it 'soon' but that was last year.

Get a free Google Voice number and then you can access it (text messages, voicemails etc) from wherever you have the computer. (And it is funny the social sec uses SMS when that is completely insecure - the only point is that there are options that are free).

 

[jimthing]

Get a free Google Voice number and then you can access it (text messages, voicemails etc) from wherever you have the computer. (And it is funny the social sec uses SMS when that is completely insecure - the only point is that there are options that are free).

Only US folks can use Google Voice numbers. So it isn't a good enough solution.
-----

2 step: is the older SMS only system.
2 factor: newer iCloud notification system (with fallback to SMS).

If forced to, even SMS's less secure system is better than one step 'password only' system before it. As more than one piece of info required is better than just a single piece.

However, I too wish Apple would use the more universal 30 second 'one-time passcode' system that nearly everyone else uses. It's available in password apps like 1Password and Lastpass, along with authorisation apps and is really easy to set-up via QR codes when instigating.

 

[PBG4 Dude]

All you need is an iDevice. Doesn't even have to be connected to the internet.

In iOS 11, go to Settings --> Accounts & Passwords --> iCloud --> tap your AppleID --> Password & Security --> Get Verification Code

Tapping "Get Verification Code" will generate a usable code.

 

[Luke MacWalker]

Two-factor authentication also displays a map on all trusted devices with an approximate location of where an Apple ID sign-in attempt occurred when a user is trying to access the account from an unknown device or on the web.

I wish the location was less approximate: last week it was about 250 km off (155 mi) for me. A few months ago, elsewhere, it was off by 1000 km (620 mi). Pretty confusing… and definitely not looking good.

 

[Primejimbo]

I wish the location was less approximate: last week it was about 250 km off (155 mi) for me. A few months ago, elsewhere, it was off by 1000 km (620 mi). Pretty confusing… and definitely not looking good.

I don't even care about that at all. If I get that pop-up, and I'm not doing anything, thats the only thing I will worry about.

 

[Luke MacWalker]

I don't even care about that at all. If I get that pop-up, and I'm not doing anything, thats the only thing I will worry about.

So you would worry often if you had several trusted devices, because more often than not one of them would get the pop up few minutes later. Worse: the pop up doesn't always disappear after it was used from another trusted device: then when you find it few hours later, or the next day, it is definitely very confusing… and in all cases it doesn't look good for Apple. I don't understand why such a big error in the location happens while at the same time Find my Mac can locate this very device perfectly.

 

[Primejimbo]

So you would worry often if you had several trusted devices, because more often than not one of them would get the pop up few minutes later. Worse: the pop up doesn't always disappear after it was used from another trusted device: then when you find it few hours later, or the next day, it is definitely very confusing… and in all cases it doesn't look good for Apple. I don't understand why such a big error in the location happens while at the same time Find my Mac can locate this very device perfectly.

I have a total of 3 trusted devices and 2 are either at home, or all 3 with me.

This also doesn't sense what you're saying at all. If I get a pop up, and it's not from me, I will take action. The fact that the pop up is 100 miles away is nothing to me. If I got a pop up and it's 5 feet from me and I'm not doing anything, I'm still going to worry and take action. I've never had a pop up not go away either. I once had it pop up for no reason at all, I haven't logged onto iCloud or anything for weeks, I took action and changed my password. Glitch or not, I rather be safe than sorry.

 

[danmart]

This also doesn't sense what you're saying at all. If I get a pop up, and it's not from me, I will take action.

The problem occurs when your devices need to re-authorise for some reason. My dad gets these messages regularly, and as best we can tell it's either one of his AppleTVs or his iPad that is asking for confirmation, even though he hasn't done anything to prompt that. It seems that, after a period of inactivity, the devices request authorisation again and since he doesn't use all his devices regularly this seems to exacerbate the situation.

So it isn't always a simple situation.