This is my favorite. And the code popping up in a separate window on the SAME device!!!

You (and others) seem to be confusing the device verification with the *browser* verification.

These 2FA alerts are for when you log into a new (or recently updated/modified) *browser* on a device - which can be the same device linked to your iCloud Account... or not. It’s not the *device* you’re authorizing!

Faux outrage...
 
It is sad that Microsoft Authenticator works so much better on the iPhone and Watch than Apple’s private authentication.
 
There's no way for them to reliably determine it using JavaScript - so I'd rather go through this extra step than compromise security of my Apple ID.
You'd never use JavaScript for it.

This needs to be handled at a lower level.
You (and others) seem to be confusing the device verification with the *browser* verification.

These 2FA alerts are for when you log into a new (or recently updated/modified) *browser* on a device - which can be the same device linked to your iCloud Account... or not. It’s not the *device* you’re authorizing!

Faux outrage...
False. We are constantly prompted to approve access on the same device requesting access. It is absurd.
No password at all? Are you nuts?
Go ahead and explain why you need to enter a password after you've unlocked the machine, and you can't use:
1. what if someone remotes into your machine
2. what if you get up and someone else sits down before it locks.

I'll wait.
 
False. We are constantly prompted to approve access on the same device requesting access. It is absurd.
I just logged into my developer account on appstoreconnect (from Chrome on a Linux machine) and checked "remember me". I was prompted for the 2FA code as expected. I was able to log out and log back in without being prompted again for the 2FA code. Are you sure you're accepting cookies?
 
I just logged into my developer account on appstoreconnect (from Chrome on a Linux machine) and checked "remember me". I was prompted for the 2FA code as expected. I was able to log out and log back in without being prompted again for the 2FA code. Are you sure you're accepting cookies?
It working 30 seconds later is not an example of a normal use case.
 
You'd never use JavaScript for it.
This needs to be handled at a lower level.
And this is precisely why this will never be implemented and should not be implemented - browsers are usually sandboxed to the maximum possible extent and no website (including Apple's own) should ever get access to lower level APIs.

False. We are constantly prompted to approve access on the same device requesting access. It is absurd.
It's not absurd - see my reply above.
 
False. We are constantly prompted to approve access on the same device requesting access. It is absurd.

It’s Apple asking you if the BROWSER ACCESS should be approved via a trusted DEVICE, which may or may not be the very device the browser is running on. Nothing abnormal about that.*

In addition to updating your browser, the 2FA seems to prompt you for a code when your IP address suggests you’ve moved location significantly - i.e. travelling - otherwise it won’t bother you again if you’ve selected ‘Trust’ this browser when you log in after entering the 2FA code at that location.

That’s EXACTLY how it’s meant to work... not sure why people are getting annoyed about it. I trust the security folks at Apple know what they’re doing. They weren’t born yesterday.

* If someone has access to your device and is able to log into your iCloud Account with your username & password, you’ve already given up ‘two factors’ of the 2FA (your login details and unfettered access to a trusted device).

If they only have your username & password, but no access to a trusted device you’re safe, because they won’t see the code prompt on their computer and you can deny it from your trusted device. Why is this so hard to understand?
 
It’s Apple asking you if the BROWSER ACCESS should be approved via a trusted DEVICE, which may or may not be the very device the browser is running on. Nothing abnormal about that.*

In addition to updating your browser, the 2FA seems to prompt you for a code when your IP address suggests you’ve moved location significantly - i.e. travelling - otherwise it won’t bother you again if you’ve selected ‘Trust’ this browser when you log in after entering the 2FA code at that location.

That’s EXACTLY how it’s meant to work... not sure why people are getting annoyed about it.

* If someone has access to your device and is able to log into your iCloud Account with your username & password, you’ve already given up ‘two factors’ of the 2FA (your login details and unfettered access to a trusted device). If they only have your username & password, but no access to a trusted device you’re safe, because they won’t see the code prompt on their computer and you can deny it from your trusted device. Why is this so hard to understand?

Yep. Just verified *again* by logging into my dev account on appstoreconnect. Wasn't prompted for 2FA because I asked it to remember me.
 
It’s Apple asking you if the BROWSER ACCESS should be approved via a trusted DEVICE, which may or may not be the very device the browser is running on. Nothing abnormal about that.
...
Why is this so hard to understand?
Absolutely agree. It may be counter-intuitive, but you are allowing access from a new browser session that happens to be running on a trusted device you are logged in to. Easy.
 
It’s Apple asking you if the BROWSER ACCESS should be approved via a trusted DEVICE, which may or may not be the very device the browser is running on. Nothing abnormal about that. Why is this so hard to understand?

Asking you to approve a device from that device is idiotic and a flaw in the system, regardless of how you spin it.
 
Asking you to approve a device from that device is idiotic and a flaw in the system, regardless of how you spin it.

Is that a fact?

If someone is logging into your account with a web browser on YOUR trusted device without your permission, you’ve clearly already given up ONE of the two factors in 2FA - they shouldn’t be logged into the device in the first place. That’s the whole point.

It’s really not that hard to understand.
 
If someone is logging into your account with a web browser on YOUR trusted device without your permission...
Full Stop.

If this is happening, then you have failed, not Apple, and you've created a scenario that 99% of people do not have to deal with. No one is accessing my unlocked, personal Macs, and never will. I should not have to deal with this sht because Apple designs the entire experience around their stupid shared office experience.
 
OR even better....hitting Allow on the same Mac you're logging in on, that wants you to prove that it is you.

Which is actually a smarter function than it seems on the surface.
Full Stop.

If this is happening, then you have failed, not Apple, and you've created a scenario that 99% of people do not have to deal with. No one is accessing my unlocked, personal Macs, and never will. I should not have to deal with this sht because Apple designs the entire experience around their stupid shared office experience.

This is, believe it or not, something you're going to see more often from EVERY vendor in the near future. And it will eliminate the need for passwords.
 
If someone can give us a document or something underlining how 2FA in general actually works, and how the 2FA will fail, that would be fantastic. For me, since I never feel I truly understand how 2FA works, I cannot plug my use case and feel confident I will always be able to access my account no matter what. Given Apple will not allow you to turn off 2FA once activated, I don’t want to risk locking my account out.
A side note, I have lost my account access to an important government website because I lost access to the “second factor” of authentication without a backup solution.
 
If someone can give us a document or something underlining how 2FA in general actually works, and how the 2FA will fail, that would be fantastic. For me, since I never feel I truly understand how 2FA works, I cannot plug my use case and feel confident I will always be able to access my account no matter what. Given Apple will not allow you to turn off 2FA once activated, I don’t want to risk locking my account out.
A side note, I have lost my account access to an important government website because I lost access to the “second factor” of authentication without a backup solution.

It's the same old simple process: Something you have, Something you are, and Something you know. That government website is using archaic technology, trust me.
Asking you to approve a device from that device is idiotic and a flaw in the system, regardless of how you spin it.

I love how you call this idiotic but it is the STANDARD for 2FA.
 
That government website is using archaic technology, trust me.
Yes, that website does not have a nice design of 2FA. But still, what Apple tells me about how 2FA works is a bit vague.

Anyway, I think I need to find how 2FA truly works myself.
 
Yes, that website does not have a nice design of 2FA. But still, what Apple tells me about how 2FA works is a bit vague.

Anyway, I think I need to find how 2FA truly works myself.

Unfortunately, it's not a popular deep dive topic. But what I mentioned earlier is the root of all of it. In this situation, the something you own piece is solved by the Mac itself. Your location when you click the button to allow it is Something you are (and your location which matches the request). The password was something you know.

Windows Hello works identically to this.
 