It wasn’t the first time I’ve logged in to Apple/iCloud on that iMac though, and I always use Safari too. Plus, why did it say device rather than browser, if that was the problem?

I’ve had the iMac for 8 years, longer than my current iPhone/iPad/AW, so it’s by far the ‘most’ trusted device I have...

It lost the cookie, the cookie expired, or the privacy website is a new “device” that’s stored on a completely separate domain and generates a new cookie. I get these 2FA pop ups when logging into different Apple sites that require my Apple ID (e.g. Maps Connect, iTunes Connect, etc).

The fact remains that it is completely safe since it’s the website you’re authorizing, not the iMac. So it doesn’t hurt to send the code to the iMac.

Sending the code to the iMac is still a good idea. What if you obtained some malware that was key logging or grabbing credentials from somewhere and decided to login itself to the Apple ID page to change your password? This would be a new “device” and you’d have to provide your 2FA, essentially stopping the malware in its tracks. Of course, that’s hypothetical, but it is a valid scenario that even sending the code to the device you’re on will solve.
 
The fact remains that it is completely safe since it’s the website you’re authorizing, not the iMac. So it doesn’t hurt to send the code to the iMac.

Sending the code to the iMac is still a good idea. What if you obtained some malware that was key logging or grabbing credentials from somewhere and decided to login itself to the Apple ID page to change your password? This would be a new “device” and you’d have to provide your 2FA, essentially stopping the malware in its tracks. Of course, that’s hypothetical, but it is a valid scenario that even sending the code to the device you’re on will solve.
It's not safe to send an MFA PIN to the device requesting access. It would be much safer if it knew to send it to a device not requesting access.

MFA is based on something you know and something you have. If I "have" the iMac (to receive and enter the PIN) and know the "password", it's no longer a true MFA login, as they are the same device. This discussion occurred years ago when RSA rolled out their software tokens on laptops and it would automatically put the PIN and tokencode into various apps for you. It was (and still is) considered much less secure than the hardware tokens.
 
You are missing the point. What is the advantage of sending a PIN to a trusted device to ensure its trusted?
The point isn’t to ensure the device is trusted. The point is to ensure the user is authentic. This authentication is performed by sending a code to the user’s accounts on the user’s trusted devices. Only the user will see these codes, so only a correct reply will authenticate the user.
I had the same bug, it's sending me the code on the same machine it is asking me for... Very unsafe.

The code should not be sent to the same device! It should be sent to my iPhone or iPad, not the same machine I was using. Imagine someone else like a thief using my Mac and the code is sent straight to him!
Nope. A thief won’t be logged into your account so they won’t get the authentication code.
 
The point isn’t to ensure the device is trusted. The point is to ensure the user is authentic. This authentication is performed by sending a code to the user’s accounts on the user’s trusted devices. Only the user will see these codes, so only a correct reply will authenticate the user.
Nope. A thief won’t be logged into your account so they won’t get the authentication code.
Hacks happen and if they happen on a trusted device, then the user is allowed in, even if they are not "authentic".

The entire point is the MFA PIN should not be sent to a device where the login is occurring, as it's not the safest option.
 
It asks for Security Questions, which I enter the correct answers for and it says they don't match.
 
Guys, I’m not complaining, I am merely highlighting what must surely be a bug.

Tell me, what is the point of sending a device authorisation code to the actual device that is in question?

Imagine visiting an ATM at a bank and when you put your card in it asks for the PIN number but at the same time shows on the screen what the PIN number is.....

It just doesn’t make sense to me either. To another trusted device logged into iCloud? Sure. To the same device trying to log into iCloud? No way.

I only come here to complain. I’ve been using Apple stuff since the Mac 512 was current, but I’m just getting so sick of the illogical changes Apple seems to be making all the time. When I was 50 years younger I enjoyed learning new stuff, but now I just want to use it without wanting to throw it against a wall.
 
So I just logged in on my iMac and straight away I get warning messages sent to my iPhone, iPad, and the same iMac I'm actually using, stating that a new device has signed into my account. It then gives me a two-factor authorisation code on the iMac that I'm currently using to input into the iMac I'm currently using.

I've had this iMac for 8 years....

You did NOT have two-factor authentication on anything Apple more than 2-3yrs tops since Apple never implemented this that long.

Source:
Oct 7, 2015 https://www.macworld.com/article/29...cation-bumps-up-security-and-ease-of-use.html

https://en.wikipedia.org/wiki/Multi-factor_authentication
In 2016 and 2017 respectively, both Google and Apple started offering user two-step authentication with push notification as an alternative method

The email has been there for about 10yrs.

This article is completely focused on something else related to privacy, security, and retaining of end user data.
 
You did NOT have two-factor authentication on anything Apple more than 2-3yrs tops since Apple never implemented this that long.

I don't think I claimed to have HAD two factor authentication for 8 years, but that I have had the particular iMac in question for 8 years, and since it was brand new it has always been associated with my Apple account.
 
Please share the data to support the claim. I would love to see that. Thanks in advance. :)

GDPR was mentioned when it was announced Apple would be providing this. It’s been in the news lately as well. Safe to assume people know what’s going on. Weird to think it’s just Apple updating their privacy policy etc for the good of the customer only.
 
It's not safe to send an MFA PIN to the device requesting access. It would be much safer if it knew to send it to a device not requesting access.

MFA is based on something you know and something you have. If I "have" the iMac (to receive and enter the PIN) and know the "password", it's no longer a true MFA login, as they are the same device. This discussion occurred years ago when RSA rolled out their software tokens on laptops and it would automatically put the PIN and tokencode into various apps for you. It was (and still is) considered much less secure than the hardware tokens.

Except the iMac is not the device requesting access. It's your Safari browser, which is effectively sandboxed away from the rest of the processes and cannot see the 2FA request. So yes, it is safe.

The iMac as a device is trusted and not making the request, which is why it makes sense that the iMac retrieves this 2FA code. It's preventing automated logins from proceeding to mess around on your Apple ID page. If you were really authorizing the iMac, you'd never see the 2FA popup since it doesn't have the necessary token to retrieve these Trusted Device alerts.
 
Except the iMac is not the device requesting access. It's your Safari browser, which is effectively sandboxed away from the rest of the processes and cannot see the 2FA request. So yes, it is safe.

The iMac as a device is trusted and not making the request, which is why it makes sense that the iMac retrieves this 2FA code. It's preventing automated logins from proceeding to mess around on your Apple ID page. If you were really authorizing the iMac, you'd never see the 2FA popup since it doesn't have the necessary token to retrieve these Trusted Device alerts.
I'm not discussing the device. I'm saying if the creds were being used by an unauthorized user from a trusted device, MFA provides no value if the unauthorized user can see the MFA pin.
 



Apple now allows its customers to download a copy of their personally identifiable data from Apple apps and services. This can include purchase or app usage history, Apple Music and Game Center statistics, marketing history, AppleCare support history, and any data stored on Apple servers, including the likes of calendars, photos, and documents.

This article outlines the steps you need to take to request a copy of your data from Apple. As of writing, the service is available to customers in the European Union, Iceland, Liechtenstein, Norway, and Switzerland, but Apple will be rolling it out worldwide over the coming months. If you live in a country or region that's not listed above, you can still contact Apple to request a copy of your data.

Apple promises to fulfill all data requests within seven days. Bear in mind that the size of the data download depends on the items that you choose to include (iCloud Photo Libraries can be several gigabytes, for example), but Apple will divide it into multiple files to make the download more manageable.



Article Link: How to Request a Copy of Your Apple ID Account Data
I do not trust any corporation to keep data. Or worse to report it, could be hacked. These days corporations are “democratic” and would, like Hillary influencing the USA to sell 20% of its uranium to Putin and make 145 million commission for the “Clinton foundation”, something that required 15 top signatures including Obama’s. These days there are no saints, no honesty. Could Apple if offered a trillion dollars to set up its auto car software towards a missile to “protect the USA” do it and then some politician blow up a whole country? For a Trillion? How about would Apple’s CarPlay affiliates like now Lexus or others end up used “wrongly?” Apple CarPlay is in several USA car companies that also make war tanks. So where is the connection between the Democrats and the reps? Italy has 12 political parties, half of which see the USA Democrats as rich capitalists. There are no saints. Our data should be deleted, not kept.
Data should be erased, not kept.
 
Hacks happen and if they happen on a trusted device, then the user is allowed in, even if they are not "authentic".

The entire point is the MFA PIN should not be sent to a device where the login is occurring, as it's not the safest option.
Where would you send the MFA PIN if a hacker has both your iPhone and your Mac?
I'm not discussing the device. I'm saying if the creds were being used by an unauthorized user from a trusted device, MFA provides no value if the unauthorized user can see the MFA pin.
It’s up to you to make sure unauthorized users don’t have access to your device. If they do then all bets are off.
 
Where would you send the MFA PIN if a hacker has both your iPhone and your Mac?
It’s up to you to make sure unauthorized users don’t have access to your device. If they do then all bets are off.
It's impossible to protect every possible use case. When multiple trusted devices are available, then the PIN should not be sent to the device the login request was sent from.

Again, hacks happen, even when you have done your best to prevent unauthorized access to your account. Sending an MFA pin to a device requesting the login is a poor idea that's out of your control.
 
Ah, good point. I was taking this as a request on an app that knew the device was trusted.

Still, it adds nothing to security by sending it to the device requesting the access. I'm not sure there's a way to fix that.

Of course there is, don’t have your Mac registered as a trusted device.
It wasn’t the first time I’ve logged in to Apple/iCloud on that iMac though, and I always use Safari too. Plus, why did it say device rather than browser, if that was the problem?

I’ve had the iMac for 8 years, longer than my current iPhone/iPad/AW, so it’s by far the ‘most’ trusted device I have...
You’ve had this explained to you several times now.

Also it doesn’t matter if you’ve owned a device ten minutes or ten years, if you register it as a trusted device it’s just as trusted as any other device, I don’t know why you keep pointing out how ancient your Mac is like that has anything to do with it.
 
Ah, good point. I was taking this as a request on an app that knew the device was trusted.

Still, it adds nothing to security by sending it to the device requesting the access. I'm not sure there's a way to fix that.

The browser doesn’t realize it’s on the same device. I completely understand what you’re saying though and you’re right. It’s a little pointless.
Yet why can’t we clear out info we don’t want Apple to have instead of completely deactivating our account?
 
Would've been nice for that time I wanted to recover a single photo from my iCloud backup. I had to wipe an iPhone just to iCloud restore it and get the photo.
 
You're missing the point where the login was done on a trusted device. The entire point of two factor authentication is something you know and something you have. If Apple considers the iMac trusted, then why is it asking for a PIN?

Imagine if someone else gained access to the iMac via their creds. What good is two factor if the PIN is sent to the intruder so they can just enter it?

This only works where you have authentication turned on for that device (Apple does not allow a device to be trusted that isn’t password/Touch ID/Face ID enabled). That authentication is also not allowed to be the same as your Apple ID auth. Because your browser is sandboxed, it asks for authorization AFTER you enter your Apple ID and password (known 1). You then have to authenticate on a trusted device that has its own authentication (have 1 + known 2). If you are logged in currently on a known device you can get the code immediately on that device, otherwise you have to authenticate on that device before you can get the code.

In summary, to hack an Apple ID with two factor auth enabled, you must know the Apple ID and password, have physical access to a trusted device and also know that device’s authentication. This is actually a three factored auth but for whatever reason (marketing likely) they still call it two.
 