Guys, I’m not complaining; I am merely highlighting what must surely be a bug.
Tell me, what is the point of sending a device authorisation code to the actual device that is in question?
Imagine visiting an ATM at a bank and when you put your card in it asks for the PIN number but at the same time shows on the screen what the PIN number is.....
You get a two-factor authentication code on every device that’s logged in to your iCloud account. To be logged in to an iCloud account on a device, you have to authenticate with a second factor.
Apple doesn’t know if it is you logging in to the Apple web site or someone else. If it were someone else logging in to your account from a computer that hasn’t been two-factor authenticated, they wouldn’t get this code and wouldn’t be able to authenticate with a second factor. Hence, they wouldn’t be able to hack into your account.
What if a user only has one device? What if the user has a Mac and an Android phone? How would you handle this? Hacks happen and if they happen on a trusted device, then the user is allowed in, even if they are not "authentic".
The entire point is the MFA PIN should not be sent to a device where the login is occurring, as it's not the safest option.
You should have FileVault enabled and your login protected with a password. You should also set your Mac to lock the screen within a few minutes of inactivity. This way, only the user will be able to log in from this computer unless the user is doing this under duress.