Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
How to Enable Two-Step Verification for Apple ID
- Thread starter MacRumors
- Start date
- Sort by reaction score
ArtOfWarfare
macrumors G3
What about the people who own Android phones? Or no phones at all?
Obviously they continue using passwords like the cavemen they are. For the rest of us (of which I imagine you are probably one), Apple should have done away entirely with the need for passwords by now.
tennisproha
macrumors 68020
Question. So say you lost your trusted devices and you need to login to iCloud.com to use find my phone to find said devices. What do you do now?
iMerik
macrumors 6502a
But Touch ID replaces the need to type in a password, it isn't designed to act as and replace a two-step verification step like a time-based or one-time-generated code.
You asked, "Wasn't the iPhone's fingerprint scanner supposed to do away with passwords?" You didn't ask, "Wasn't Touch ID supposed to become the second factor in a multifactor authentication solution?" I see a difference; maybe I'm wrong.
iMerik
macrumors 6502a
Good question. You'll see when you log in that iCloud says you can still find your phone without needing to enter the two-step code. You'll also notice there is no padlock on Find My iPhone in iCloud.
Attachments
tennisproha
macrumors 68020
mw360
macrumors 68020
I'm sorry I don't understand what you're saying. I offered a design scenario where TouchID could replace the need for passwords and simultaneously provide multi factor authentication. I only offered it because you said you couldn't see how that could be possible. I'm not really sure why you're rejecting it now.
iMerik
macrumors 6502a
I wasn't rejecting your new idea; I was simply pointing out what you said in your original post about it replacing passwords and then how you switched over to wanting it to replace multifactor authentication. Those are different discussions in my mind.
In regards to your new design scenario, I imagine it has a lot to do with the security concerns around accepting data from outside sources during the authentication process. There are probably man-in-the-middle concerns with your design. iCloud can push a code out to an iPhone without much security concern, because you are viewing the code on a device you have in your hand and then typing it back in your computer, a separate device. If you allow devices to check your Touch ID and then send a signal back to iCloud for the multifactor, now Apple has to worry about code injection vulnerabilities and MitM attacks where the confirmation being sent back to iCloud may not actually be your iPhone & Touch ID.
That's my guess anyway... could be way off. It's a little more like you are proposing, in terms of not dealing with these pesky codes, when authenticating iCloud Keychain on your phone. If your phone is an iOS trusted device, you pick it during authentication and then your phone receives the code and immediately accepts the code without forcing you to enter it manually. This is how I hoped FaceTime and iMessage would have worked instead of requiring an app-specific password.