iOS 11 tries to push you to activate two-factor authentication for your Apple ID, though it’s technically still optional. It indicates some features may not be available without it.
Does anyone know specifically what you can’t do if you don’t have 2FA on your Apple ID? The only thing I’ve seen so far (which predates iOS 11) is that you need it to allow a recent model Apple TV to serve as a HomeKit hub for controlling devices outside of your home network.
Bigger question: as I understand it, Apple's 2FA still has to be tied to a phone number. I was under the impression this is Not Great, with SIM card spoofing or whatever. You’re addressing one vulnerability (passwords) while introducing a new vector for attack, and another potential point of failure. In my probably simplistic perspective, it sounds like I really don’t need to bother with it. I’ve got very strong unique passwords.
Anyone got any advice or clarification on the situation?
If someone steals your Apple login and you don’t have 2FA, they can restore your iCloud backup which contains everything on your phone. That’s how all those naked celebrity pics were leaked last year.
You can use texts to your phone number, but I suggest not doing that as it has security implications. Apple also supports notifications to authenticated trusted devices, where it pops up on your iPhone/iPad/Mac. That’s the way to go.
I turned off 2FA because I started getting constant prompts for my Apple ID password on the Apple TV. It’s still off but it’s started prompting for the password again, often interrupting Hulu or Netflix so it can prompt for an unneeded password.
If iOS 11 is going to push me to turn it on, it may push me toward another streaming device.
There’s a setting on your Apple TV to not prompt you for your Apple ID password when you make a purchase. I have 2FA turned on and my ATV never asks for my password.
Yeah, phone-based 2FA needs to die. Hackers can basically clone your number and intercept the code.
People really need to use a crypto-based code generator like Google Authenticator.
And, of course, all these corporations still need a defense against the “pretend I’m you and throw a hissy fit at a customer service rep until they give me access.”
This was my basic thought coming into this thread, but looking around it sounds like as frustrating as it is to have phone-based 2FA, it’s still safer than no 2FA at all, right? They still need to have your password first. Once they have your password, if they can intercept your 2FA, you’re no safer than you would be without it, but you’re also no more exposed than you would be without it either, so you might as well enable it for the people it does thwart.
Does that logic hold up or am I thinking about this wrong?
I have the authentication set up, and it often sends the auth message to the device that did something interesting. Like if I log into iCloud from my MacBook Pro, it sends a message to all my devices, including… that MacBook Pro. So I’m copying a code from a window on my screen to another window on the same screen…
I’d think it would send the message to the other authenticated devices…