What about companies? If my company's server uses Google auth does it mean it can be replaced?
 
Maybe. Assuming the actual code is just a TOTP, you might be able to cancel the existing code and have the server issue a new code. But if this is a private server, you would need to check with your IT department.

Or, if this is actually a Google service, it may be using push notifications versus TOTP. Then you will still need Google Authenticator.
 
I see people mentioning 1P having OTP support, which it does, but to have the login information as well as OTP in one place kinda nullifies the idea of "two factors" needed to sign in. You shouldn't keep your eggs in one basket and it could be worthwhile to still use 1P and migrate 2FA to native settings.

I abhor companies that only allow 2FA via SMS. I wish more companies would adopt U2F, especially Apple; an Apple U2F key could be pretty cool.
 
There’s the problem—the phone companies have zero security measures and have been known to activate SIMs for anyone who calls, so that person can intercept your texts and 2FA codes. The SMS network is also notoriously easy to hack into. Activating 2FA with SMS codes is slightly better than no 2FA at all, but far less secure than a standalone authenticator app.

Well, first thing, it's no use that they get the 2FA code because they also need the password in the first place. Even if he got the code it means nothing. Second, if it was so, why are all companies doing it? Google, Microsoft, Apple, Twitter, Visa, all requiring numbers for verification and 2FA.

Last, how is the authentication app trusted? No one answered my question. How do you know this app is mine? What happens when the app is deleted, or my phone is stolen, or the device the app is on is not near me, or is broken or being serviced?
 
What I am saying is that the codes can be treated like any other 2FA code app. If you're on your work computer, then simply pull up your iPhone if you need to access a personal account. It is not hard to load up passwords either. You can quickly Spotlight "Passwords," if you wish. For anyone who may be concerned about that, Passwords in Settings (iOS) or System Preferences (macOS) requires an additional unlock by Face/Touch ID or the passcode to open that menu.

You can now export and import passwords in Monterey, which will then be synced with iOS and iPadOS.

You cannot import or export using your iOS/iPadOS devices, however.
You just made me feel good about my M1 air purchase for the first time. Thank you. I have an insane number of passwords in keychain I would like to backup to my other password manager.
 
The only reason I have Google Authenticator is for Call of Duty's website 2FA. It requires Google Authenticator, so I still can't delete it yet.
 
Well, first thing, it's no use that they get the 2FA code because they also need the password in the first place. Even if he got the code it means nothing. Second, if it was so, why are all companies doing it? Google, Microsoft, Apple, Twitter, Visa, all requiring numbers for verification and 2FA.
Since many people have no clue what TOTP (Time-based One Time Passwords) are, most companies still have to offer SMS based 2FA as an alternative. Google, Microsoft, Twitter all offer TOTP 2FA as an alternative and recommend this over SMS due to security concerns. Apple utilizes its own solution. Google & Microsoft also offer more secure solutions that utilize their own Apps and push notifications.

Yes, a bad actor still needs to have your password to initiate the login. However, this solution is meant to protect against brute force attacks using a password breach. If someone gets your password and has your phone #, they can get a SIM card that spoofs your phone # and can receive your texts, including 2FA codes. No one can spoof a TOTP 2FA without having physical access to the authenticator app.

Last, how is the authentication app trusted? No one answered my question. How do you know this app is mine? What happens when the app is deleted, or my phone is stolen, or the device the app is on is not near me, or is broken or being serviced?
Not sure what you mean by "trusted". When you sign up for 2FA, you are given a QR code to scan. This generates a unique code in your app that is the seed for the code generator. No one else will be able to generate the same set of codes. I can't set up 2FA in your account unless I somehow logged in already.

If you lose your phone or don't have access, there are a couple of solutions. First, use an app that backs up your 2FA and/or shares it with your other devices. Most solutions do this (Google Authenticator being a rather unique exception). Also, when you generate a TOTP, you are also given a set of backup codes. If you ever lose your phone and have no backup device, you can use one of the backup codes to get into your account and then set up 2FA again.
 
Well, first thing, it's no use that they get the 2FA code because they also need the password in the first place. Even if he got the code it means nothing. Second, if it was so, why are all companies doing it? Google, Microsoft, Apple, Twitter, Visa, all requiring numbers for verification and 2FA.

Last, how is the authentication app trusted? No one answered my question. How do you know this app is mine? What happens when the app is deleted, or my phone is stolen, or the device the app is on is not near me, or is broken or being serviced?

The username and password are trivially easy to get. Most people use passwords that are easy to guess and reuse them across sites, and there are hundreds of millions of leaked/hacked credentials available online.

When you turn on 2FA on a particular site, it presents you with a QR code containing a number unique to your account. You scan that code with your authentication app and it does some crazy math with the number from the code and the current time to generate a one-time passcode (OTP). You enter that OTP into the site and your authentication app is verified and paired with your account. Anytime you need to log into your account again, you just open your app to get a new OTP. If you want to learn more, I suggest you start here: https://authy.com/blog/understanding-2fa-the-authy-app-and-sms/

Authy offers an option to back up your codes to the cloud, so if you lose your device you can just download the app on a different device and log back in (you can also turn this feature off for additional security).
 
That’s why you should always, always, always save the recovery codes generated when you enable TOTP based 2FA.

If you use something like 1Password, you can save them there (something you still can’t do in Apple’s anemic password management). You can also take a screen cap of the QR code (or save the text string) and re-seed 2FA apps at a later date, although this doesn’t always work as some sites also cycle those codes.
I save the recovery codes. I did have one instance where the codes wouldn't work on one account. As a result, I got locked out.
 
I'm fairly confident that passwords are stored on device only. Hence when you turn off keychain on your devices and turn it back on, the passwords are gone.
From my understanding, the device pushes the passwords temporarily to iCloud to push to the other devices, then deletes it from the cloud.
"Your iCloud Keychain is encrypted when transmitted to your devices and when stored in iCloud, and cannot be read by Apple."

 
Not only that, it makes our devices the hardware authenticators that we have been using up to this point, such as Google Titan and YubiKey. It's pretty amazing what Apple is putting under the hood in so many areas. Application developers are going to be challenged to keep their stuff relevant.
 
I save the recovery codes. I did have one instance where the codes wouldn't work on one account. As a result, I got locked out.
I also do screenshots of the QR codes and store them in secure notes in 1Password so I can program multiple YubiKeys without having to go to the website and create a new 2FA setup.
 
You would think so, but no.

It would be nice to have this be a setting. For instance, selling a watch involves unpairing, revoking from devices, etc. However, it also involves going to iCloud.com and removing it there in addition to on the phone. Not intuitive, and it has impacted me both selling and buying.

I would also think a check of whether devices are unlocked or paid off could be done in iOS. You may not agree, but I would find these things helpful.
But it literally is that easy. Source: me, having used that single option for years to give away old phones.
Now do it on your work computer not attached to your iCloud.

No really. How easy is it to get codes to type into a system that's not connected to keychain? Can you pull up the codes on an Apple Watch?
It's the same level of easy that an app like Authy is, which is not installed on your work computer. I can't remember the last time I used Authy on a Windows PC; it's usually way too convenient to open the app on my iPhone next to me.
 
Nope, if you don’t want people to see your photos, you’ll have to continue not giving folks your unlocked phone :(
Out of curiosity, why would you give folks your locked phone? To hammer some nails into the wall?

Anyway, it's not quite as simple as that. I've got plenty of stuff on my phone I don't want others to see. And no, it's not porn. There are pictures of me during my weight loss attempts I'd rather not have someone see, there are pictures of sensitive data I keep there just because I need it with me at all times. And it's not limited to photos - I've got notes I'd rather keep private. And other data. I'd still like to be able to hand my phone to someone else for a short while for them to use without having to worry about them gaining access to my financial details etc.

Apple's view of "it's your device and nobody else should ever be allowed anywhere near it" doesn't work in real life unless you don't have anyone to share even small parts of your life with.

It gets even worse if you have kids who'd want to play a game for a while. Do you trust your phone to them for that time? Of course not, you need to buy them another 600e+ iPhone just to play a few games every now and then. It'd be so much easier if I had phone-wide options for defining apps and/or hidden data in apps that have such an option to be protected with Face ID. I could lock out everything I don't want people to access and be able to let them use my phone for a short while without them reading my messages, browsing any more of my pictures I don't want them to see, and/or prevent them accessing certain apps. Browsing history (or rather, the open tabs) I'd also prefer to keep to myself, so that they'd be locked to private mode or something unless I unlock the open tabs. I've got dozens of pages open and I don't want someone accidentally closing them or using them to browse for something else. I don't even want them to leave their pages open when they hand the phone back to me. Having the unlock option separate would allow me to use my phone 99% as before while being able to hand it to anyone for any reason for a short while without having to worry about anything. It's just stupid they haven't come up with this so far. Maybe they should hire me. :/

(Yes, I know there are some parental locking features but they don't work for this.)
 
Out of curiosity, why would you give folks your locked phone? To hammer some nails into the wall?
Well, I wouldn’t give my phone, locked or unlocked, to anyone I didn’t want to have access to that information. And, it really is that simple. :) I could come up with “reasons” to give the keys to my car and the keys to my house just as easy as someone could come up with “reason” to give people the ‘keys’ to their phone. It still doesn’t mean that doing that is a good idea!

I'd still like to be able to hand my phone to someone else for a short while for them to use without having to worry about them gaining access to my financial details etc.

Apple's view of "it's your device and nobody else should ever be allowed anywhere near it" doesn't work in real life unless you don't have anyone to share even small parts of your life with.
The key here is that you SHOULD worry about anyone with physical access to your unlocked phone gaining access to anything on your phone. The moment you hand someone your unlocked phone, it wholly depends on the trust you have with that person. You're hoping they don't have a device that will swipe your data or install anything malicious on your phone. If they don't, cool! If they do, you may never even know. Well, until they use the information.

It gets even worse if you have kids who'd want to play a game for a while. Do you trust your phone to them for that time? Of course not, you need to buy them another 600e+ iPhone just to play a few games every now and then.
OR spend $299 on a Switch that comes with a dock they can play on the TV?

Look, I get that folks have a strong social desire to give the device they own, that has SO much of their important personal information, to other people, perhaps including strangers. The fact, though, is that has NEVER been a good idea. It's been known for a while that the easiest way for someone to break into your phone is to have physical access to it. A large number of the security exploits described over the last year even start with, "First, the attacker must have access to the device." And having physical access to a phone that is ALREADY unlocked? That's a huge part of the job done for them.
 
Out of curiosity, why would you give folks your locked phone? To hammer some nails into the wall?

Anyway, it's not quite as simple as that. I've got plenty of stuff on my phone I don't want others to see. And no, it's not porn. There are pictures of me during my weight loss attempts I'd rather not have someone see, there are pictures of sensitive data I keep there just because I need it with me at all times. And it's not limited to photos - I've got notes I'd rather keep private. And other data. I'd still like to be able to hand my phone to someone else for a short while for them to use without having to worry about them gaining access to my financial details etc.

Apple's view of "it's your device and nobody else should ever be allowed anywhere near it" doesn't work in real life unless you don't have anyone to share even small parts of your life with.

It gets even worse if you have kids who'd want to play a game for a while. Do you trust your phone to them for that time? Of course not, you need to buy them another 600e+ iPhone just to play a few games every now and then. It'd be so much easier if I had phone-wide options for defining apps and/or hidden data in apps that have such an option to be protected with Face ID. I could lock out everything I don't want people to access and be able to let them use my phone for a short while without them reading my messages, browsing any more of my pictures I don't want them to see, and/or prevent them accessing certain apps. Browsing history (or rather, the open tabs) I'd also prefer to keep to myself, so that they'd be locked to private mode or something unless I unlock the open tabs. I've got dozens of pages open and I don't want someone accidentally closing them or using them to browse for something else. I don't even want them to leave their pages open when they hand the phone back to me. Having the unlock option separate would allow me to use my phone 99% as before while being able to hand it to anyone for any reason for a short while without having to worry about anything. It's just stupid they haven't come up with this so far. Maybe they should hire me. :/

(Yes, I know there are some parental locking features but they don't work for this.)
Just to point out, saved credit cards in Safari autofill and other financial information require an additional unlock to access that information. Most places also require the 3-digit code on the back of the physical card before you can buy anything else.

Apple Wallet only uses the last 4 digits of the card to help identify which card you're using, but they can't be used for anything. It doesn't have the security code (3-digit code on the back of the card). Unless the person you gave your unlocked phone to knows your passcode, they won't be able to access your financial information or use Apple Pay to buy anything.

You can also password protect information in the Notes app (for which you can use Face ID to unlock; it requires an additional scan of Face ID/Touch ID or whatever password you set to do so).
 
This is perfect. Those whining about anti-competitiveness need to chill. You're too wrapped up in political rhetoric. Having to rely on another app you need to download, open and move back and forth from is very inefficient. I am surprised Apple did not implement this years ago.
 
It's convenient, but undermines security. 2FA codes really shouldn't be stored together with your passwords. 1Password has the same feature, but I think even they admit it isn't as secure as using a completely separate authenticator.
 
These are all temporary solutions until we get to the point of not needing passwords at all. That can't happen too fast. For now the most secure 2FA would be hardware keys. They will lead to the passwordless world we're dreaming of.
 