Apple Two-factor authentication questions

iOS 11 tries to push you to activate two-factor authentication for your Apple ID, though it’s technically still optional. It indicates some features may not be available without it.

Does anyone know specifically what you can’t do if you don’t have 2FA on your Apple ID? The only thing I’ve seen so far (which predates iOS 11) is that you need it to allow a recent model Apple TV to serve as a HomeKit hub for controlling devices outside of your home network.

Bigger question: as I understand it, Apple’s 2FA still has to be tied to a phone number. I was under the impression this is Not Great, with SIM card spoofing or whatever. You’re addressing one vulnerability (passwords) while introducing a new vector for attack, and another potential point of failure. In my probably simplistic perspective, it sounds like I really don’t need to bother with it. I’ve got very strong unique passwords.

Anyone got any advice or clarification on the situation?

If someone steals your Apple login and you don’t have 2FA, they can restore your iCloud backup which contains everything on your phone. That’s how all those naked celebrity pics were leaked last year.

You can use texts to your phone number, but I suggest not doing that as it has security implications. Apple also supports notifications to authenticated trusted devices, where it pops up on your iPhone/iPad/Mac. That’s the way to go.

Thanks. That all mostly fits with my understanding, but in Apple’s page here it says:

So it’s still making me include a phone number, which in an ideal setup I wouldn’t use as part of the 2FA, right?

On this page it says you don’t. What they call 2F “verification” used phone numbers. 2F “authentication” uses trusted devices.

But honestly it’s been over a year since I did this, so I don’t remember.

I turned off 2FA because I started getting constant prompts for my AppleID password on the AppleTV. It’s still off but it’s started prompting for the password again, often interrupting Hulu or Netflix so it can prompt for an unneeded password.

If iOS 11 is going to push me to turn it on, it may push me toward another streaming device.

There’s a setting on your Apple TV to not prompt you for your Apple ID password when you make a purchase. I have 2FA turned on and my ATV never asks for my password.

Yeah, phone-based 2FA needs to die. Hackers can basically clone your number and intercept the code.

People really need to use a crypto-based code generator like Google Authenticator.

And, of course, all these corporations still need a defense against the “pretend I’m you and throw a hissy fit at a customer service rep until they give me access.”

I tried turning authentication (not verification) on, but it still asks for a phone number first thing. What a bummer.

This was my basic thought coming into this thread, but looking around it sounds like as frustrating as it is to have phone-based 2FA, it’s still safer than no 2FA at all, right? They still need to have your password first. Once they have your password, if they can intercept your 2FA, you’re no safer than you would be without it, but you’re also no more exposed than you would be without it either, so you might as well enable it for the people it does thwart.

Does that logic hold up or am I thinking about this wrong?

Yeah you still want to use it.

Saying it isn’t perfect isn’t the same as saying that nothing is better.

Yeah, it’s better than nothing, but if you have the choice, don’t go with the SMS-based option.

I have the authentication set up, and it often sends the auth message to the device that did something interesting. Like if I log into iCloud from my MacBook Pro, it sends a message to all my devices, including…that MacBook Pro. So I’m copying a code from a window on my screen to another window on the same screen…

I’d think it would send the message to the other authenticated devices…