Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Two-factor authentication asks for device passcodes - legit?

augu2000

macrumors member
Original poster
Nov 18, 2008
38
0
Hi,

When setting up two-factor authentication, I was asked to enter device passcodes/passwords, in addition to the iCloud password. Is this normal? Why are my device passcodes/passwords needed? Will this make my devices less secure?

Thanks!
 

duanepatrick

macrumors regular
Dec 22, 2019
199
84
It depends on the TFA application. It may ask you for your mobile number (for sending of codes), pairing your device to the TFA application (via push msg, face ID, or fingerprint).

Then TFA will require the needed authentication info via text (code), push message (that you need to accept), face ID (your face ofc), or fingerprint scan (your fingerprint ofc).
 
Comment

gnasher729

macrumors P6
Nov 25, 2005
17,387
4,610
Hi,

When setting up two-factor authentication, I was asked to enter device passcodes/passwords, in addition to the iCloud password. Is this normal? Why are my device passcodes/passwords needed? Will this make my devices less secure?

Thanks!

The reason why you are asked to identify yourself as the legitimate user using FaceID / TouchID / device passcode, is because it would be quite bad if some hacker were able to set up two-factor authentication for your phone, so this will be normal. You should only ever be asked to enter the passcode _on your device_. Anyone asking you to enter the passcode on a website, that is an attack - don't enter it. Only enter the passcode on your device.

If a family member learns your passcode, and they can access your phone, for example while you are asleep, that of course makes your device much less secure. Same if a colleague at work learns your passcode, unless you look after your device like a hawk.

Hackers are usually working remotely, so even if they had the passcode of your device, without your device it is absolutely worthless. There's absolutely nothing anyone can do with your passcode other than typing it into your device. Only if someone is specifically after _you_, and with deep pockets, they might try to trick you into handing over your passcode and then send a burglar to your home to get the matching device. If you are in doubt: Enter a random passcode instead of your correct passcode. If you are tricked by some hacker, they don't _know_ your passcode, so they will accept that random code you entered. If your phone complains, then you know you are not being tricked.
 
  • Like
Reactions: duanepatrick
Comment

augu2000

macrumors member
Original poster
Nov 18, 2008
38
0
Thanks! What was kind of weird is that (I believe) that I was asked to enter a device's passcode into another device. E.g. to enter an iPhone passcode into my macbook. I don't exactly remember this, because there were several steps in the setup process, but I do think that that's what happened. It seemed strange, and made me think that my devices' passcodes/passwords were being kept in storage somewhere. Is that the case?
 
Comment

Boyd01

Moderator
Staff member
Feb 21, 2012
5,142
2,394
New Jersey Pine Barrens
Thanks! What was kind of weird is that (I believe) that I was asked to enter a device's passcode into another device. E.g. to enter an iPhone passcode into my macbook.

I wonder if it's continuity/handoff between your phone and MBP? It's enabled on my new Mini and I was a bit surprised the first time I saw it. You don't have to manually type in codes that are sent to the iPhone via SMS, which is handy. But I don't ever recall having it ask for my phones unlock code, if that's what you mean.

I recall getting a message on the Mac that I had to unlock my phone in order to do something like import photos, but that needed to be entered on the phone itself.

 
  • Wow
Reactions: duanepatrick
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.