iCloud Web Less Useful With 2 Step Authentication

Recently I was on vacation in Italy with a small tour group. We checked in a hotel in the countryside in Tuscany. The next morning, jet lagged, I woke up early and decided to go for a jog. I went without my iPhone because it malfunctioned requiring a restart. My recently inserted Italian sim card required a pin to restart, which I had in my suitcase and did not want to wake up my wife. I stupidly did not get a business card from the hotel when I left.

I got lost in the Tuscan countryside. After 9 miles, I hitched a ride into the nearest village and was taken to the small police station. I could not remember the name of the hotel. The friendly police allowed me to use a computer terminal where I used the web browser to attempt to log in to my iCloud account to access my emails which had the hotel name and my contacts which had the phone number of the tour leader. Without my iPhone available, I was unable to do this because of two factor authentication.

Years ago I would occasionally use iCloud web for email or to look up a contact when my Mac or iPhone was unavailable. Security questions were used. Now with the new operating system, one needs to have a trusted device nearby to use iCloud web. However for me, if I have my Mac or iPhone, there is no need for me to use web based iCloud; needed information is on those devices. It is a catch-22 for which there is no solution, but I lament the decreased usefulness of iCloud Web. I can imagine a number of scenarios when traveling and one’s phone/computer/wallet is lost or stolen and would need to use iCloud Web.

If your point is that 2FA is a bad thing, note that you can always come up with scenarios for any security measure where the measure turns out to be a hindrance. The fact that 2FA kept you out of your account is the same reason it presents an obstacle which keeps miscreants out of your account.

A friend of mine uses a Google Voice phone number for all of his 2FA activities. This allows him to log into Google Voice and see the access codes being sent to that number. Good idea? I don’t know, but FYI. In the situation you describe, it might have helped. (Unless, of course Google Voice also uses 2FA itself.)

You can also set up trusted phone numbers to verify your identity when signing on to an unknown device. It’s good to have at least one of those numbers be that of a trusted relative or friend and one be such a person who does not live with you.

https://www.macworld.com/article/233598/how-to-add-trusted-phones-to-your-apple-id-two-factor-authentication.html

Follow up. My problem of logging on to iCloud web without a trusted device available was solved with a combination of Alan Forkosh and Gordon Meyer’s suggestions.

I set up a Google Voice phone number. 2FA is an option but not a requirement, so am not using 2FA. I changed my Google password to one I can remember without having my iPhone & 1Password available. I added that Google Voice phone number to my list of trusted phone numbers on iCloud.

I then attempted to log on to iCloud Web with an untrusted device. I was given an option of trusted phone numbers including the Google Voice number for 2FA. I had the Google Voice web page open side by side with the iCloud Web window. The text message from iCloud with the security number appeared on the Google Voice page.

2 posts were split to a new topic: Problems with Google two-step verification

A post was merged into an existing topic: Problems with Google two-factor authentication

I understand (perhaps incorrectly) from a discussion on FlyerTalk (I think that’s the correct thread, even though the title mentions Fi rather than Voice) that a user can disable or delete the associated number after activating Voice. Corrections to my understanding are welcome.

All technical things aside, just how did you get back to the hotel (and your wife)??? Or did you manage by setting up a new Google Voice number as you stated in a later post? (Sorry if I’m not reading this thread too clearly…)

Well, it wouldn’t have been possible to set up a Google Voice at the police station because one needs to get a verification code from Google sent to one’s phone.

Confounding things, we had a van that was scheduled to leave at 9:30 AM sharp with our group for a scheduled high-end winery tour and lunch at a Michelin mentioned restaurant. While I did’t know my wife’s Italian sim card number, I did know her email. At the police station the officer who spoke limited English logged into his official email account to let me send an email. He gave me his mobile number. The officer then left. The problem was an Italian keyboard has no @ key allowing me to type my wife’s email address. 10 minutes later when he returned I drew the @ symbol on a piece of paper and he showed me the key combination using the Windows key. I typed that I was ok but at an Italian police station and please call the phone number as soon as possible. I crossed my fingers my wife would check her email, as she was set up to receive notifications for text messages from me, but not email. As luck would have it, she did promptly check her email. When she read the email from an unknown address claiming to be me needing help at the police station, she assumed it to be a scam and did not respond. When nothing happened, I sent a second email with text only in the subject field, in all caps “CALL (the number) IMMEDIATELY!” She called, could not understand the Italian, hung up and had the front desk call. The police officer told me he would drive me to the hotel (it was perhaps 10 miles away in the country) after some business was taken care of. The police in the village station were friendly. I was told that this - a lost tourist - had never happened before, which made me feel more stupid.

Finally we got in the small Fiat police car. I reflexively reached for my shoulder harness, and he motioned it was unnecessary - he did not have his on. I felt uncomfortable without it, but while in Rome I wanted to do as the Romans do, so to speak. I’m sure he was familiar with the hilly, twisting, narrow Tuscan roads, but he drove really fast, with gusto, downshifting on the blind curves. It was the only time during my misadventure I felt scared.

We arrived at the hotel/villa at 9:22. I motioned to my watch so I wouldn’t appear rude, while I jumped out of the car to run to my room to take a quick shower and dress. He yelled for me to come back. I groaned, assuming bureaucratic paperwork would have to be done, causing me to miss the van. Instead, he put his arm around my shoulders, smiled, stretched out his arm, and took a selfie of both of us. I made the van’s departure without a minute to spare.

Back it the U.S. I sent a thank you letter to the police station with a photo of myself. The name of the town is Castillina.

That’s a great story!!! (I’m sure you didn’t think so at the time but hopefully you do now)

I’m guessing his selfie was titled “The Lost Tourist”

;)

Diane

What a wonderful story @emiron, and just goes to show that contrary to the tone of news we read nowadays, there are plenty of kind human beings who will go out of their way to help others. (This community is another example ) I was also once stranded in the Japanese countryside, and was able to get back to a train station thanks to kindness of strangers.

Thanks too to @eccparis for asking the question!

Yegads , I nearly broke out in a cold sweat as I followed the recital of your ordeal!

FWIW, since I return to Europe once a year from stateside except during recent pandemic times (having lived in Paris for 20 years), I switched to T-mobile which offers unlimited international texting and even unlimited data (albeit at 3G speeds) in some 210 countries, so that I wouldn’t need to swap SIM cards while traveling. And if I wanted to have high speed data (so that I could use Google Maps while lost at some street corner in Madrid ), I could just sign up for a pass for the duration of my trip. Which has come in most handy — which is even how a mobile phone is called in German, a “Handy”, no joke!

But just like you, I used to swap SIM cards though the other way around, putting a prepaid US SIM into my (French) iPhone. When I moved back to the US, I simply turned the same US number into a permanent one, i.e., I didn’t have to memorize a new number

And when I discovered the T-mo offer, I switched and voilà ! This has proven a godsend in many ways, not only the convenience for “me myself and I” (à la Billie Holiday!), but also putting my family at ease, for example, as I can even share my location with them, etc.

Last but not least, when I invested in an Apple Watch, I made sure to get a cellular model which allows me to remain connected without having my phone on me.

Then Apple offered an Apple Watch cellular model that also works for international SOS, so I upgraded pronto. Of course I hope never have to use that particular function, but the peace of mind is definitely worth the investment. Because… one never knows what may happen, as your own recent harrying experience shows us all too well.

Admittedly all these ‘precautions’ may appear an overkill to many, but alas, experience has taught me to cover all bases — or at least try to consider all possible angles, in order not to find myself in a predicament that I can’t get out of ‘easily’, relatively speaking.

(I had spent a week in Tuscany back in 2006, and know exactly the kind of roads you’re talking about! Fortunately I was driven around by an Italian friend from Florence, who definitely wore his shoulder harness, thank goodness, even though he DID drive like an… Italian )

Addendum: downshifting for blind curves may even be more efficient than using brakes, at least that’s what I had been taught driving a stick shift. Any thoughts on that from anyone here?

With regard to foreign sim cards, may I add that with current phones having an e-sim, it makes traveling even easier. I switched my US T-mobile number to the e-sim and now buy a physical 5gb data local sim card when I’m in Europe (e.g. 10 euro for 30 days in the Netherlands).

Joyce - Are you able to disable the e-sim when traveling in Europe? I really don’t want to be charged for spam calls from the U.S. when traveling in Europe. Incidentally, one side benefit of removing my U.S. sim card for a couple of weeks is I now get less spam calls. That may just be a coincidence.

I’m not a fan of 2FA, although I understand perfectly why my bank requires it. Recently I could not log into my online banking, as the verification notification was not being sent to my iPhone. Nobody knows why it stopped. There had been iOS updates, and a refresh of Firefox on my Mac, so maybe that had something to do with it, or perhaps it was an issue at the bank’s end. I could still use their app on my phone to log in (no 2FA there, just facial recognition). So I rang the help number and spent two hours on the phone. I couldn’t understand the agent, nor her supervisor, who sounded like tagalog was their mother tongue. Partly because of language issues, and partly because the bank has made us all go ‘paperless’ I could not answer security questions like ‘what was the amount of your last telephone bill?’ My bank statements are all online, and the issue is that I cannot access them. How shall I be able to answer such a question. That made me ask for a supervisor for the first time in my 64 years! Same issue. They told me I had to go to my branch to sort it out and all my accounts were to be LOCKED until I did so. I recently moved house, and now live an hour and a half drive from my branch. I recently had a bone marrow transplant, and I’m supposed to isolate as Covid will probably be lethal for someone with my degree of immunosuppression. But with no options available, I drove off rather angrily, and used up the assistant manager’s lunch hour. She couldn’t get through to the bank’s helpline (2 hour wait), and in the end turned off 2FA, which required answers to questions about my accounts that she could look up and I would never have been able to answer. Then on trying to log in we had to switch 2FA back on, and then use their app on my phone to OK notifications. It worked! Then another drive home. A shame I didn’t get one of their ‘How did we do?’ e-mails after that call! I’d have given them lots of bad marks.

So I just ran into this recently too. Every now and then I’d run into a site where the SMS text message with my 2FA code wouldn’t arrive. None were essential until I ran into a problem with a local bank where I really needed to do something that needed the 2FA access.

Because I’d seen this happen on some other sites, I called T-Mobile instead, and the customer support person removed a block that was on my number preventing such messages from getting through. I have to call back to find out more about it, like why it affected only two local banks, the TaxCaddy service, and the Social Security Administration login. But as soon as they lifted the block, everything worked.

I’m planning to write an article about it once I learn more.

Please do. I’d like to hear about some mysterious “SMS block” T-Mobile thinks they need to have in place without informing their customers about.

Ed, Yes, it appears you can do so. Once you have the foreign sim in you can name it (e.g. travel), and it sits next to my T-mobile line (called ‘primary’) under settings>cellular. Either one or both can be switched off. I have never done this, but that option is there under settings>cellular>primary (or ‘travel’).

That is scary. I have a different carrier, but the thought that they could selectively block a certain class of text messages without my knowledge is sobering to say the least. I always felt that should I lose my phone, I would still have the Messages app on macOS where I could get the 2FA codes (in fact, that’s where I get 99% of them anyway). But if the message isn’t even delivered…