2FA - to do or not to do?

For various reasons I am concerned about 2FA, which I haven’t configured for my Apple account. Currently my MBP (M1), iPad and iPhone can all receive my messages and SMSs; this has been set up this way for ease of use. In my way of thinking this makes 2FA, in my case, ineffective (please correct me if I’m wrong). The secret questions work quite well for me.

I have two issues at the moment. The first is that I have now obtained a personalised domain and will need to change my Apple ID, as the old email addresses will be cancelled in the future. Will Apple force me to set up 2FA when I change my ID? Secondly, and conflictingly, there are features that require 2FA, e.g. using an iPad as a second monitor when I’m on the road, that are desirable.

Would a security key like the YubiKey be the answer? I have been retired for a looong time and haven’t had any experience with authentication apps or hardware keys.

Any thoughts, ideas or comments will be appreciated.

Thanks

Apple’s 2FA in this case just means that when a new device or web browser session tries to log into your Apple ID, every trusted device that has already logged in will receive a special system message (not sent by SMS) that shows the approximate location of the new device and asks to approve the login. If you approve it, a 6-digit number is displayed which must be entered on the new device to complete the login.

4 Likes

And you will still be able to receive Messages on all devices, which seems to be the main concern. I have 2FA set up on my Apple ID, and it only shows up if I want to log into icloud.com, or need to log in again when downloading from the App Store. One thing that amuses me is that the log-in authorization and the 6-digit number show up on all of them, so whichever device is requesting the log-in also receives the 6-digit code, which removes the security advantage of a second device authorizing the first. If someone stole one of them, and happened to know my Apple ID password, they would get the 6-digit code as well!

1 Like

So you already do have 2FA on your Apple account after all.

Also, adding 2FA if you didn’t have it doesn’t affect iMessage at all.

The six-digit code isn’t displayed anywhere unless one of the logged-in trusted devices okays the new login.

1 Like

It seems like that, but if you think about it, if you’re logged into your Mac, it is a trusted device—you’ve proved that you know its login password. So it’s totally legitimate to use the Mac itself as the trusted source for a 2FA code that’s being asked for by a Web browser running on that Mac.

Arguably, Apple could, at least for its own sites and services accessed from Safari, detect that you’re logging in from a trusted device that has already authenticated and not ask again. (Heck, maybe they do—I don’t use Safari to log into Apple sites often enough to detect patterns like that.)

2 Likes

Only those devices currently logged in to your iCloud account. Your trusted devices. Which is really no different from installing an authenticator app on multiple devices, loaded with the same TOTP keys. Anyone logged in to one of your devices will be able to get the codes.

Which is (yet another reason) why you should not leave your devices unlocked and logged-in where untrusted people can access them.

If, for example, your phone’s screen is locked, it won’t show the code. It will say there’s an authentication attempt, but if you tap “Allow”, you will need to unlock the screen before it will show you the code.

Similarly for your Mac. If your screen is locked or if you’re logged out, it won’t show the code until you unlock it and/or log in to the correct account.

If someone knows your Apple ID password and tries to authorize a new device, the code will pop up on your other devices, but not that one until after the authorization is complete.

But if someone steals your phone and knows your unlock/login credentials, then you’re already in big trouble and must immediately take action to lock down everything.

3 Likes

When I log in to icloud.com, and I provide the 2FA code, I see a checkbox to trust the computer. This puts a cookie in the browser, so I won’t need to re-authenticate for a while. But it does expire, so I need to periodically re-enter a 2FA code even with that checkbox. And if I log off (not just close the browser window), it also loses the cookie, requiring a new 2FA exchange at the next login.

1 Like

Two things I suggest keeping in mind as you make your decision:

  • A weakness of “secret questions” is that if the answers are actual answers, as opposed to random characters, an attacker might be able to find the information by looking you up on social media, by using a search engine, or by prompting a generative AI. Also, short, real words can be vulnerable to dictionary attacks.
  • As adoption of Passkeys becomes more prevalent, SMS and authenticator app 2FA methods will become less and less relevant.

Wirecutter has a good explanation and discussion of physical security keys here, if you’re interested: https://www.nytimes.com/wirecutter/reviews/best-security-keys/

2 Likes

Who says you have to use “actual answers” or personal info? AFAIK, random “answers” are fine and my PW manager can store and use them just like any other login info. :grin:

4 Likes

Nobody “says” it is required…but as textbook authors love to write, it is left to the reader to envision scenarios where people might do exactly what they are asked to do by a website owner. :slight_smile: