THAT ... defeats the entire purpose of the added security. You can't access that with two-step. Why is it accessible with two-factor?globalmatt and Rigby are correct and I was wrong. When I was discussing this with Rigby earlier, I thought he was saying the same thing... that is logging in to the iCloud account to make FMM changes. I have 2FA on and playing with it this morning I see what Rigby means.
If you go to icloud.com in an untrusted browser and enter your AppleID and password you get this screen asking for a six digit code that was sent to your trusted device (like an iPhone). If you just ignore that and click Find my iPhone at the bottom it takes you straight to the FMM screen where you can select a device and lock it down. No 2FA verification code is needed.
I guess it makes sense if you think about it. If your iPhone is stolen you would not have the trusted device to receive the code, so would need to be able to login to FMM without it.
@Rigby > I apologize for the confusion I caused yesterday.
View attachment 639741
Earlier screenshots posted indicate you can access FMP with 2-step as well. The main article states the hacker can use FMP to put in lost mode and lock device. However when you do that it locks it to the existing passcode you have on the device. So how is that a problem? I cant imagine Apple would have these 2 security options and make FMP available such that they could do any damage or lock it up. That makes zero since. I have not seen anywhere in fmp where you can do anything to lock someone out of their own device.THAT ... defeats the entire purpose of the added security. You can't access that with two-step. Why is it accessible with two-factor?
I tried it months ago but turned it off because then I can't buy shows on my ATV2.
That's actually a good point. The system only allows the person who locks the phone to set a new passcode if the device currently doesn't have one.
Consumer-oriented companies often compromise security in the name of convenience and to reduce the number of support calls they have to handle.
It should. Once two-step verification is in place, an attacker cannot sign into iCloud without the code that is sent to a trusted device.
Ah yeah maybe thats what they are talking about here. That is not as big a deal as the article implies since we all have backups AND have already put in a passcode
. The erasing would not be an issue either. This article implies they can lock and take the device ransom so its bricked until you pay the ransom which apparently is not the case unless you never created a passcode. So long as the user has a passcode set and a backup they should be fine with their device. However I can see how the 2-factor helps protect your AppleID. If someone could get in to manage that they could do some damage.
Yeah it was crazy because I've never had it work before. Still not sure how someone could have gotten a password if that's what happened. My new password is stronger, but my old one wasn't weak either using lower and uppers, special chars and numbers. I just made it longer this time. I don't share this password with any other site as I use a manager.
