2 factor authentication quirk?

[DaveWT]

My dilemma for the night... I had occasion to log into iCloud.com with Safari on my iMac today. I have 2 factor athentication set up so expected to receive a code on my iPhone that I would need to type into the iCloud page in Safari on my iMac.



But instead, it threw up the 6 digit code in a dialog in Safari and I just had to slide that box out of the way to type the number in the boxes so revealed. Not very secure. So I went in to check my settings. I got to the Manage your ID page and again had to log in. And again, the 6 digit code was presented in Safari without going to my iPhone.




When I check the settings I do see my iPhone's phone number properly listed as the way to contact me for 2 factor authentication.

So this behaviour here seems pretty pointless.

 

[chas_m]

It's not, even though it may not have sent the code to your phone and/or email.

The message said it was being sent to your DEVICES, which means the Mac will be included. If someone else is trying to hack into your account, they won't see the authentication code because their Mac isn't registered with Apple; yours is.

While you may have your phone number listed, make sure your iPhone is also *registered* with Apple and I think that will help ensure that you also get verification codes there in the future. Also make sure you have iMessages turned on and tied to that phone number.

 

[DaveWT]

I will have to ponder this a bit. I am not clear how else you "register" my iPhone with Apple beyond going to iCloud.com, logging in and going to "Account Settings" and then going to "Apple ID Manage" and seeing the iPhone's number listed there under Security - Trusted phone numbers".

And strangely I know in some situations I have had to enter the code on my iPhone when contacting Apple but I can't recall exactly the circumstances now.

 

[chas_m]

Your phone number can be a trusted number without even being an Apple product! You should be able to locate a list of your registered devices from the Apple ID help center. Just scroll down to devices to see and manage the list (be sure to get rid of any devices you no longer own from the list!).

 

[DaveWT]

Yes, I have been there and all the devices shown there are appropriate. So not clear why my iPhone didn't receive the code in this instance. If I had been travelling and on some strange PC to log into iCloud.com. is it clever enough to know I am NOT on a trusted device and then direct the codes to my iPhone instead. If that is the case, that is great.