
Branaghan (macrumors regular, original poster), Jul 3, 2019
Explanation:

++++++++++++++++++++++++++++++++++++
Those apps are called Authenticator apps — and the technical standard they use is called TOTP (Time-based One-Time Password).

- How it works:

When you set up 2-Step Verification, the site gives you a TOTP secret key (usually shown as a QR code or text string).

You add this key into the authenticator app.

The app then applies the TOTP algorithm (defined in RFC 6238) to generate a 6-digit code that changes every 30 seconds.

Since both your app and the server know the same secret and both have their clocks in sync, the codes match without needing internet.

- Examples of such apps:

- Google Authenticator
- Microsoft Authenticator
- Authy
- 1Password / Bitwarden built-in authenticators
- FreeOTP (open source)
++++++++++++++++++++++++++++++++++++

For Windows 11 (PC) I use "WINAUTH", for iOS I prefer "Raivo":

For Android, AEGIS: https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis&hl=pt_BR

++++++++++++++++++++++++++++++++++++

So, here's my issue:

- My Apple ID uses an email that is never logged in anywhere, not even on my PC.
- My Apple ID uses a 2nd email account for recovery, which is never logged in anywhere, not even on my PC.

Emails #1 and #2 (GMAILs) use 2FA, but do not rely on "other devices" or SMS (both accounts don't even have phone numbers inside them).

The GMAILS use a password + a 6-digit code from one of those authenticator apps, like Raivo. I saved the "TOTP" key for them, so the auth apps work even offline. Also saved the 10 backup codes, in case something goes wrong.

I don't rely on "other devices" for 2FA (Gmails), and removed the devices they were logged in on. Once I use the Gmails, I always hit "exit" and/or clear cookies.

This Youtube video shows in practice how this method works. Which is my favorite, I must say.


+++++++++++++++

When I created my Apple IDs, I used 3 questions + answers, such as "what was your favorite friend when you were a kid", "where were you born", with answers that didn't relate to each question.

If we enable 2FA for APPLE IDs, we have a short window to disable it, otherwise it's there for good. But (and here's the thing):

#1 - Apple IDs with 2FA use SMS only, or "other trusted devices that logged into your account before";
#2 - Apple IDs with 2FA DO NOT rely on auth apps, with a provided TOTP key.

And #2 is the reason why I never enabled it, until now.

Isn't #2 a bad move from Apple?

#2 is also something bank accounts never do, but most sites I know are familiar with. For example, Instagram, Uber, my country's local "eBay" website, I think Microsoft and Gmail...

Most users are not savvy enough to know how to use these auth apps. Others are, so why not offer this to them?
 
Problem with SMS is that it usually only works if you have a cell phone.
 
Problem with SMS is that it usually only works if you have a cell phone.
Using SMS for 2FA is idiotic, and so is having a cellphone related to any account. There was this time my Gmail (Google account) was locked for 1 month while I was trying with their free help forums to simply change the previous number it was related to. Since I stopped using it, it was gone forever, and I got a new SIM. Google, however, ignored the email account recovery method of sending a code, and only relied on SMS.

At least Google allows accounts to exist with no phone number associated with them. We can safely remove them later. 2FA is done in my case with password + 6-digit generated code, only.

In my opinion Apple should have allowed this method of using a TOTP key with these 30-second generated codes. Also, 10 backup codes to be written in a safe location, too.

Instead, Apple IDs only use these methods:

- Other trusted devices
- SMS

As for Gmail, I have complete control over my accounts and have even saved the TOTP keys from all of them. All of this is written in a password-encrypted file from Notepad++ (also PDF with a strong password).
 
Nobody said that Apple HAD to support the TOTP standard that is used by other organisations. They obviously made a decision that they would roll their own proprietary system that leverages the fact that they can communicate and send secure notifications to Apple devices to achieve a similar result. Annoying as it might be, they are not the only organisation that does this - Blizzard / Battle.net do a similar thing with their proprietary Authenticator.

That said, if you are looking for a way to decouple your MFA from trusted devices then Apple ID now supports FIDO2 keys (Yubikeys) for MFA so you can buy yourself a couple of them and enroll them to your Apple ID. I have 3 set up, all stored safely in different places. No, it's not free (sorry about that) but it is industry standard.
 
Sending notifications for other Apple devices to allow 2FA to work is perhaps the worst decision ever made in history, what if all your stuff is stolen, or if you only have 1 device? SMS use for any sort of auth should have been banned for now, everywhere. Both methods are failed, and Gmail also allows me to use "other trusted devices" as a method, but of course like SMS, I chose not to use it.

Then there's the great idea of not allowing you to disable 2FA anymore, if you do enable it and let some time pass. I am still using 3 security questions and random answers (which I also wrote down) to gain access to this Apple ID, if needed.

In my opinion, Apple should have provided the TOTP key and we would only need to insert this "seed"/combination into any authentication app.

That way, you can only log into the account if you know the password + the random 30-second, 6-digit combination generated by such authentication apps.

And remember these auth apps (like Raivo, Aegis) can use a master-password, too, to reveal the codes, or your Face-ID, fingerprint. So it's always two passwords + a random code.

Plus, the auth apps work even offline.

Who could have asked for a better system?

That is the best way of gaining access to any account. Even Instagram uses it. Multiple services that use 2FA can work this way, even sites like Macrumors. Sending codes to emails (to access in a 2FA fashion) is useful if you leave the Gmail / other email accounts not logged 24/7, for the hackers to access them (in case your phone is lost). Which is what I do with my primary email, used for sensitive communications, related to major services.

For regular use and not relevant emails, I have a 2nd Gmail always logged.
Sending notifications for other Apple devices to allow 2FA to work is perhaps the worst decision ever made in history
Wow, dramatic much!! I'm sure in the history of our civilisation, I can think of worse decisions made than Apple's decision on how they implement MFA.

Like I said above, if you want to decouple Apple MFA from a trusted device, you can purchase an industry-standard, widely used FIDO2 key and use that as the second factor, so "if all your stuff is stolen or you only have one device" then you can use that! They also work offline, and (happy to debate you on this!) would argue that they are more phishing resistant than OTP secrets which can be phished, set up on multiple authenticators if compromised with no knowledge of the account owner, etc.
You are advocating for a physical device (FIDO) which is useless because it can be lost, stolen or damaged. That way, you are not going to be able to log in anymore.

How I log everywhere:

- First, I have a "master-file" with all my passwords, TOTP keys (seeds) and even the 10-backup-codes for Gmail.

It's available as TXT (Notepad++ encrypted, with their plugin) or PDF. In both cases, with a strong password that can't be guessed or brute-forced in any way.

That file has multiple online and offline copies. If my house burns down, I'll still have access to it, from Google Drive, Dropbox, Internet Archive, anywhere there's a copy, not just my SSD, iPhone or flash drives.

GMAIL, Apple ID, etc.:

- Recovery: email #1 (#1 = associated with banks and important services, too)

#1 is never logged in anywhere, even the cookies are deleted, and I always log off once I use it.

#1 uses #2 (another GMAIL) as recovery email. #2 uses #1 or anything else.

Other methods of recovering their password: none. No phone number.

Apple ID:
-- No 2FA enabled
-- Still uses the 3 questions/answers (written in that TXT/PDF, so I'll never forget them)

-- 2FA as I use anywhere:

a) Password
+
b) The TOTP / 6 digit code, from the auth app;
--- The auth app also has another password, for me to gain access to the codes.

So the attacker would need to access a) and b) at the same time.

Plus, my PC (Windows 11) has two methods of login: Bitlocker encrypting everything (and it can also be used for those pendrives with the TXT / PDF files) and the Microsoft regular password. Of course the longer-key which Bitlocker may ask (if we make some hardware changes, such as updating firmware) may be required. This is also saved inside the TXT / PDF file, too, since it's a very long combination.

The fact this PC has two more layers makes it even more difficult to hack me.

There will be no "physical keys", SMS, or "trusted devices" in any of my 2FA, since all of these fail to provide me with any benefit.

Using a hardware key as your passkey is inconvenient, it has to be physically present, too, and you'll spend $$$$ on that idea.
 