My daughter's phone was just pick-pocketed on a Rome subway. Help

The six digit code will appear on all trusted devices associated with your account. How it enhances security is if somebody discovers/guesses your Apple ID and password, and they are not using one of your trusted devices, they will not get the prompt with the six digit code, so cannot complete the login. It enhances security by preventing login on foreign devices.

I know that 1Password follows many common standards, including PBKDF2. 1Password has a security white paper that describes how their security works: https://1password.com/files/1Password-White-Paper.pdf

I have four vaults myself, with my subscription plan. This allows me to segregate my personal passwords from passwords I have for a company for whom I consult, and for a non-profit for which I am a trustee. But I have only a small subset of my passwords in a separate vault that have only critical accounts. When I travel internationally, 1Password allows me to turn on something that they call Travel Mode that allows only that vault to be seen. If I am asked by authorities to provide a password to, say, my Facebook account, I can say that I do not know the password and can only access the password when I am home. (Travel Mode is restricted only to hosted subscription plans.)

It sends the popup to all devices logged in to your Apple ID. Since you were connecting from your own Mac, you saw it there. You should have also seen it on any other iDevices (iPod Touch, iPhone, iPad) logged in to your iCloud account.

If you were connecting from a different computer that is not already logged in to your iCloud account (e.g. a friend’s computer, work computer or even the same computer using someone else’s login), then it would not show any popup, but your other devices (phones, Macs, etc.) would show it.

Note that this is an actual 2FA system. The iCloud server is not sending you the number, but is sending a notification requesting that your computer generate it locally (unless you request it be sent as a text message to a trusted phone number). If you don’t get an alert (e.g. because your phone doesn’t have any network connectivity at the time), you can manually request a code from it (similar to how various authenticator apps work).

On iOS:

  • Settings
  • Tap on your Apple ID (at the top of the screen)
  • Password & Security
  • Get Verification Code

On macOS:

  • System Preferences
  • Apple ID
  • Password & Security
  • Get Verification Code

See also Get a verification code and sign in with two-factor authentication - Apple Support


Interesting. I had no idea about this. I figured it was sufficient that the notification communication channel was encrypted.

So then what does it actually transmit to the client? A nonce of some kind, and then a locally stored private key can generate a 6 digit code that is unique to that client but which satisfies the cryptographic match the server is expecting?

I don’t know what it’s doing under the covers. I assume that it installs a key during the iCloud login process and then generates codes from it, similar to how other 2FA code-generators work.

I’m assuming that the command to pop up the alert dialog and then show a code if you accept the request is delivered via a mechanism similar to iMessage (or maybe even the same mechanism). All it really requires is a constant value to mean “someone requires a code” and the location, so it can fetch and display the map image.

1Password (subscription mode) can have multiple vaults shared multiple ways.

Setting up multiple vaults should be preceded by searching the AgileBits documentation and definition of a clear business purpose for their use. It does not hurt to establish test vaults with test sharing arrangements before committing real data.

Ooooh, I had no idea about this! Useful to know in advance of being in a situation where I might need it, thanks. :raised_hands:

Since 1PW is being discussed: I know nothing more about 1PW’s technology and security than what’s available on their site and many reviews, but I’ve been using it for years for all kinds of things I need to keep confidential - not only logins and such, but financial stuff, some patient stuff (I’m a doctor), personal documents, etc., etc. Admittedly, I’m not the worrying type, but IMO 1PW, with all its features and improvements over time, is easy-to-use, safe and secure, and has never given me cause to worry. I highly recommend it.


Update: I have read rumors about upcoming Find My features that could help in some of these cases. It apparently still works even on a phone that is powered down. Of course if they put it in a shielded bag, that advantage could be defeated.