Huge Flaw in Apple Account Security

Discussion in 'Mac Basics and Help' started by dfelix, Jan 31, 2017.

  1. dfelix macrumors member

    dfelix

    Joined:
    Jul 13, 2011
    #1
    So nowadays 2FA is basic account security because of more and more sophisticated hackers and whatnot, but Apple's implementation leaves a lot to be desired because

    YOUR COUNTRY DETERMINES WHETHER YOU CAN ACTIVATE IT OR NOT

    Which is ridiculous. If your country is not on a magical list that Apple cooked up of allowed country codes, you will never be able to enroll your phone number to begin the 2FA process.

    This is ridiculous. This isn't just an oversight, but a rather blatant omission of proper security practices. Every other provider who has 2FA security for their respective accounts, including but not limited to Google, Microsoft, Evernote, Gandi, GitHub, Dropbox and Facebook (even Discord, for crying out loud), will accept phone numbers from pretty much every country on earth. And yet almighty Apple, who has so many accounts and users worldwide, simply does not give a **** for any of them if they do not live on the tiniest pre-approved list of countries.

    This is idiotic. This is ********. This is yet another sign that Apple is losing its way, and is heading wherever their marketing division tells them to.

    #MakeAppleGreatAgain
     
  2. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #2
    Duo Security has similar limitations on country availability. I am guessing it has to do with the SMS requirement and the supported SMS infrastructure of said country.

    Yes, I know Apple two-factor authentication doesn't use SMS, but it does rely on SMS for the initial setup.

    As far as Apple's implementation, it is actually pretty good. I use several two-factor authentication mechanisms, and while I think Duo Security is the best platform so far because I can integrate it with commercial products as well as my own code, Apple's mechanism is about as ideal as it gets to protect an account (iCloud/iTunes) that you could potentially set up while only owning one internet-capable device (iPhone or iPad). Mechanisms like Duo actually require a computer for token setup.

    But are you sure that Google and Microsoft will send SMS two-factor codes to countries that Apple 2FA doesn't support? I'm going to guess it's probably going to be the same.

    Not to mention Google and Facebook specifically rely on their own tokens (Google Authenticator and the Facebook smartphone app).
     
  3. bcave098 macrumors 6502

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #3
    I don't see any "huge flaw" here. Two-factor is optional anyway.
     
  4. dfelix thread starter macrumors member

    dfelix

    Joined:
    Jul 13, 2011
    #4
    I use those without a problem. The supported countries list is very expansive. Apple's supported list is about 50 countries. It's sad, really.
    --- Post Merged, Jan 31, 2017 ---
    Not if you are serious about account security. Are you just trying to troll?
     
  5. Rok73 macrumors 65816

    Rok73

    Joined:
    Apr 21, 2015
    Location:
    Planet Earth
    #5
    Well, there is no "huge flaw" with Apple's 2FA. Your country isn't supported for some reason but that doesn't mean the 2FA is flawed. It's just the wording, you know.

    I am not defending Apple here but there are other huge companies who don't support some smaller countries for various reasons, Sony being one of them. I think it's really the cost factor which matters for them.
     
  6. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #6
    So you use Duo? I didn't count, but the number of countries for Duo is less than 50. Google and Facebook are independent of a telephone number since they rely on a time-based token.

    Anyway, Apple 2FA isn't flawed because they aren't 100% global. You can still use Apple two-step authentication, IIRC. I was actually using that for a long time before I switched over to the 'recent' Apple 2FA. Granted, two-step might also be SMS dependent, in which case, you are probably SOL as well.
     
  7. rhett7660 macrumors G4

    rhett7660

    Joined:
    Jan 9, 2008
    Location:
    Sunny, Southern California
    #7
    I also have to wonder if it is what the country's government wants implemented in order to sell the product there. I wouldn't be surprised if items shipped to country "X" have to have service "A" implemented with service "B" disabled. The price of doing business within that country.
     
  8. Rok73 macrumors 65816

    Rok73

    Joined:
    Apr 21, 2015
    Location:
    Planet Earth
  9. dfelix thread starter macrumors member

    dfelix

    Joined:
    Jul 13, 2011
    #9
    Sorry, no, I misunderstood the question. I don't use Duo, but I just checked the page and yes, I can sign up as it does accept the phone number formats in my country. The countries list is much more expansive than 50 though, so they must have updated recently.

    The Apple account is. Any other major provider is actually global, or at least, they try to be by providing this very basic account security feature for all of their users. Of course, to use an iCloud account (and therefore syncing my contacts, for example) securely I would require 2FA, but I can't get it because I can't get the SMS to enable the damn thing.

    This, in 2017, and with all the hacks that have been going on, is backwards. Even more so when Apple likes to tout security as one of the core features of its OS.

    Of course, it's also baked into Sierra. And I can't use it. No one in my country can. That is sad.
    --- Post Merged, Feb 2, 2017 ---
    I haven't researched this completely, but I'm willing to go out on a limb to state that you can only enable 2FA if your country can have an iTunes account. Which means, that despite being able to BUY an Apple device internationally and very nicely inflating their stock price while doing so, you cannot have the most basic of account security added to your account if you do not live in an eligible country.

    This is completely and totally backwards logic, not just an oversight. Once again, I haven't done full research on this, but this is exactly the stuff that it appears to be.

    This is starting to smell like a petition to me. I'm certainly not the only person in the world in this boat, but most likely the only affected person who knows about it and gives a damn.
     
  10. bcave098 macrumors 6502

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #10
    The "basic" security features of an Apple ID or iCloud account are the security questions. Everything else is an optional increase in security, and therefore not a "huge flaw".

    A "huge flaw" would be the ability to access an account without providing correct account details or a way to access the details of multiple accounts without authorization.
     
  11. cswifx Suspended

    cswifx

    Joined:
    Dec 15, 2016
    #11
    Apple doesn't want people calling their support telling them 2FA isn't working when it's their country that isn't letting them activate it. That's pretty much why. You can link a phone number from any of the pre-approved countries to your 2FA (or, if you want to be accurate, 2SA) on any country's account without an issue.
     
  12. dfelix thread starter macrumors member

    dfelix

    Joined:
    Jul 13, 2011
    #12
    It IS a flaw, because just a password does not cut it in 2017 anymore. Not letting a huge number of people activate it, most not even knowing what it is or what you use it for, is negligent for such a big company. And the flaw is not technical, as you can see a plethora of other, smaller companies completely allowing anyone to activate 2FA on accounts on their sites.

    It goes without saying that 2FA is a necessity for anyone online right now, particularly for important accounts such as an Apple ID (Find My iPhone, password recovery for macOS accounts, email, apps purchased, etc.).
     
  13. Phil A. Moderator

    Phil A.

    Staff Member

    Joined:
    Apr 2, 2006
    Location:
    Shropshire, UK
    #13
    I counted 137 countries on the supported list here: https://support.apple.com/en-gb/HT205075

    While not perfect, it's still the majority of the world, and the linked document says it's a gradual roll-out, so presumably that figure will increase over time.
     
  14. Nermal Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #14
    I can't really blame Apple for wanting to get it right, and gradually enabling countries as the various quirks are worked out. Some other services, like Microsoft's, had some glaring oversights in certain countries.

    For example, how do you know what route a message needs to take? It seems that Microsoft was looking at the NZ number allocation table to see which provider allocated my number. But I'm no longer with that provider. There's also another layer below that.

    Whose allocated pool did the number come from? Which provider currently owns that number? Which provider is the customer actually with? In my case, it's a different company for all three! Microsoft's authentication texts didn't function reliably for me until 2-3 years after the service first became available. And this doesn't even consider incompatibilities between the various technologies; until a few years ago it was common for "special" characters to appear as question marks when messages were sent between different providers.

    It seems that it can be difficult to handle this properly, and this is only in one country. Now imagine trying to track down every country's quirks. I'm not surprised that a "slow and steady" approach is being favoured here.
     