
bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
My brother that I mentioned above did this (took receipt and phone to Apple store), and while they did remove the lock on his iPhone 5, his Apple ID was still locked. So it's not a full solution, and my brother still had to create a new Apple ID and lost all of his previous purchases.

He made the mistake of using an "Obama Phone" flip phone for his other device, but instead of getting a text Apple tried to treat it as a trusted phone and push the auth to it, and it couldn't display the map and the approval button. With 2 step his old phone worked by getting a text with a code, but when he went to 2 factor his old phone could no longer be used to get him into his account.

(Before all this he qualified for a govt subsidized phone but had no internet, so I sent him my old 5 so he could surf the web on it on my AT&T family plan - he didn't have any other Apple devices to use 2FA and blindly turned it on when Apple suggested it. So I sent him the old iPad mini and MacBook from 2012).
You can set up any phone number to receive the SMS or phone call to get the code, but it will not send it automatically that way, as that’s not how it’s designed to work. Typically you select “didn’t get a code” when you try to log in and then choose to send again, then repeat to get the option for SMS or phone call. Only devices with iOS 9/El Capitan or later can receive the notifications when you try to log in.
 

conifer

macrumors regular
Oct 30, 2014
154
37
If someone stole your MacBook and knew your login password, they would be able to generate verification codes (with or without internet access) and change the Apple ID password from System Preferences > iCloud. The same is true on the iPhone in Settings > iCloud. If someone can access your trusted device(s) with the password/passcode, they have complete access to your Apple ID anyway since the device is "trusted."

This is why keeping your passwords secret is important.
It does it on the iPad too where I can type in the code on the iPad. So what is the purpose of this?
 

conifer

macrumors regular
Oct 30, 2014
154
37
I don’t understand the usefulness of this. The safari browser comes with the OS, what is the value of it being trusted separately?
 

bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
The website has no way to know which device it is on, or whether the device is trusted. Regardless of your understanding, this is how it was designed and is expected behaviour.
 

conifer

macrumors regular
Oct 30, 2014
154
37
Ok. We are on these forums as we think there is value for the user to understand how things work. I think you feel the same way, or you wouldn’t be here, yes?
 

bbrks

macrumors 65816
Original poster
Dec 17, 2013
1,495
894
Well people, I am not an expert in this 2FA matter, I am only one extremely angry user patiently waiting for 24th of February to come.

And I am also convinced, that 2FA should also perfectly work and should be also designed to work with only one trusted device, which it did until that famous date.

As I said at the beginning, there is something very wrong with Apple, or maybe with their 2FA provider. I will never understand why “it” suddenly started sending 2FA verification code to me with double country code. And, believe me, I am not the first case.

Also again, I am sure there are a lot of security rules and hurdles which need to be bypassed in order to recover one account, but I find it very hard to believe that account recovery process takes almost a month! It’s just ridiculous and totally unacceptable!
 
  • Like
Reactions: HeadphoneAddict

HeadphoneAddict

macrumors 65816
Sep 16, 2007
1,041
888
You can set up any phone number to receive the SMS or phone call to get the code, but it will not send it automatically that way, as that’s not how it’s designed to work. Typically you select “didn’t get a code” when you try to log in and then choose to send again, then repeat to get the option for SMS or phone call. Only devices with iOS 9/El Capitan or later can receive the notifications when you try to log in.

The SMS would never show up when he did that.
 

bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
The SMS would never show up when he did that.

That’s unexpected. You’d need to work with Apple and your carrier to determine why it’s not sending/receiving.

Google allows you to print out 10 back up codes to avoid issues like this. Doesn't Apple allow you to do the same?

No. You can only generate codes on a trusted device or receive them in a trusted phone number (by SMS or voice call).
 

tivoboy

macrumors 68040
May 15, 2005
3,998
803
With 2FA you will need either a trusted device or a trusted phone number you have added like I described.
That's the point. If you've set up any other devices and they are still logged in, they will get the popup regardless of SMS phone number.

I've had none of these problems. That's not to say they don't exist, but the root cause it seems of the OP's issue is not being able to revalidate the account and get a new password. Once the new password is established, then getting the account setup on one device, then another and another is not problematic.

If one can't recall the password, or the security phrases setup, or the credit card on file, or if other devices are not signed in - then yes, getting that re-authentication and/or password reset is difficult. Should be doable in short order once you get through all those other validation steps though. The last time I did this for someone else (who had forgotten or misplaced all those details and the CC had expired so they had disposed of the card) I ended up being able to authenticate the user by items they had ordered on the app store, movies, apps downloaded, essentially a HISTORY of usage. Apple is pretty prepared to work with the user to re-authenticate.

As to the 2FA or 2 step? Isn't that essentially the same thing? If it's two STEP then there are two FACTORS required. The initial account name and password (considered ONE factor) and then the authentication CODE which is sent either to a trusted device or SMS. Without BOTH of these two unique elements it won't authenticate a new (or even known but low usage) device.
Google allows you to print out 10 back up codes to avoid issues like this. Doesn't Apple allow you to do the same?
or just use the google authenticator APP. I think apple will move in this direction as well, soon enough. Technically, this technology has been around for decades..
 

bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
That's the point. If you've set up any other devices and they are still logged in, they will get the popup regardless of SMS phone number.

I've had none of these problems. That's not to say they don't exist, but the root cause it seems of the OP's issue is not being able to revalidate the account and get a new password. Once the new password is established, then getting the account setup on one device, then another and another is not problematic.

If one can't recall the password, or the security phrases setup, or the credit card on file, or if other devices are not signed in - then yes, getting that re-authentication and/or password reset is difficult. Should be doable in short order once you get through all those other validation steps though. The last time I did this for someone else (who had forgotten or misplaced all those details and the CC had expired so they had disposed of the card) I ended up being able to authenticate the user by items they had ordered on the app store, movies, apps downloaded, essentially a HISTORY of usage. Apple is pretty prepared to work with the user to re-authenticate.

As to the 2FA or 2 step? Isn't that essentially the same thing? If it's two STEP then there are two FACTORS required. The initial account name and password (considered ONE factor) and then the authentication CODE which is sent either to a trusted device or SMS. Without BOTH of these two unique elements it won't authenticate a new (or even known but low usage) device.
or just use the google authenticator APP. I think apple will move in this direction as well, soon enough. Technically, this technology has been around for decades..

The only option for Two-Factor Authentication is account recovery. There are no other ways to re-authenticate.

In theory, two-factor and two-step are the same thing. But Apple has two different account security types and the way one goes about regaining access is completely different.

I doubt Apple will move to an app. All the compatible devices natively support code generation, either automatically when signing in or on-demand from Settings.
 

HeadphoneAddict

macrumors 65816
Sep 16, 2007
1,041
888
Google allows you to print out 10 back up codes to avoid issues like this. Doesn't Apple allow you to do the same?

One backup code for Apple, and he'd lost it a year before this happened.

PS: I have three phones, 2 iPads, and 2 MacBooks as trusted devices, so I'm bound to get one to pop up the approval box if I add another. In my Bro's case he had no other trusted device, and had given Apple his subsidized phone number as his backup. So when he switched to 2FA it somehow allowed him, but gave him a code that he lost later.

Then when he couldn't authenticate after his account was locked for entering the wrong password too many times he couldn't get back in - he was able to say that he didn't have a trusted device available and the process offered to send a text to the backup number he had on his account, but the SMS never arrived.

We got the Apple ID removed from the phone when I produced the receipt for it, but his Apple ID is still locked after a year - he could never recover it because he didn't have a code they'd given him when he set it up. He knows the password is one of ten possible passwords, but Apple won't give him 10 tries to find the right one.
Oh, and dig this - his Apple ID was his AOL email, and he could prove the AOL email was his because he could log into AOL for them at the store on their iMac, and show that the name on the AOL account matched his name on his driver's license. That wasn't good enough for them to give him his Apple ID back.
 

bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
One backup code for Apple, and he'd lost it a year before this happened.

PS: I have three phones, 2 iPads, and 2 MacBooks as trusted devices, so I'm bound to get one to pop up the approval box if I add another. In my Bro's case he had no other trusted device, and had given Apple his subsidized phone number as his backup. So when he switched to 2FA it somehow allowed him, but gave him a code that he lost later.

Then when he couldn't authenticate after his account was locked for entering the wrong password too many times he couldn't get back in - he was able to say that he didn't have a trusted device available and the process offered to send a text to the backup number he had on his account, but the SMS never arrived.

We got the Apple ID removed from the phone when I produced the receipt for it, but his Apple ID is still locked after a year - he could never recover it because he didn't have a code they'd given him when he set it up. He knows the password is one of ten possible passwords, but Apple won't give him 10 tries to find the right one.
Oh, and dig this - his Apple ID was his AOL email, and he could prove the AOL email was his because he could log into AOL for them at the store on their iMac, and show that the name on the AOL account matched his name on his driver's license. That wasn't good enough for them to give him his Apple ID back.
This is Two-Step Verification, not Two-Factor Authentication. Two-Factor does not have a recovery key or any “backup” codes.

Two-Step, as described earlier, is more rigid in that you must have 2 of the following or the account is lost forever: password, verification code, recovery key. Since it’s an optional increase in security, albeit deprecated now, there’s no other way to gain access to the account.

In fact, when setting it up, they make you print the recovery key.
 

verdejt

macrumors 6502
Jul 19, 2011
363
110
Central Florida
Well, update on my son's account. Received that text that my account was ready to be unlocked. Proceeded and they sent a code to the number I provided as trusted (my cell). After about 20 minutes his account was unlocked and everything updated and his phone wiped and reloaded from backup and now the teenager is happy that all his playlists and stuff are back. Overall a relatively painless procedure. The 5 day wait was excruciating to him but not for me. :) I'm not sure why it takes so long to have an account ready to be unlocked. Seems to me that something along the lines of 48 hours should be doable. However I will make sure to take all steps so that my accounts don't get locked again.
 

HeadphoneAddict

macrumors 65816
Sep 16, 2007
1,041
888
This is Two-Step Verification, not Two-Factor Authentication. Two-Factor does not have a recovery key or any “backup” codes.

Two-Step, as described earlier, is more rigid in that you must have 2 of the following or the account is lost forever: password, verification code, recovery key. Since it’s an optional increase in security, albeit deprecated now, there’s no other way to gain access to the account.

In fact, when setting it up, they make you print the recovery key.

Regardless, his password is one of 10 that he knows but he isn't allowed to try them all, he can't receive the verification code, and the printed recovery key went missing after about a year.
 

HeadphoneAddict

macrumors 65816
Sep 16, 2007
1,041
888
He told Apple not to allow access without 2 of those 3 things, and it worked exactly as designed.

He knows all 10 of his passwords, just not which of the 10 is with Apple, and they won't let him try all 10. He also has a cell phone listed with Apple to receive an SMS but it never shows up on that non-Apple phone (Apple's fault). So he could have 2 of the 3 things after losing the printout with his code, if he could try all the possible passwords.

We begged Apple to not lock the account while he tries the 10 different combinations, that are the only passwords he's ever used, it falls on deaf ears. He was too poor to buy a nice phone, and before I gave him an iPhone 5 he'd gone 3 years without using an Apple product (the iBook I sent him had died), and then he locked himself out of his Apple ID trying to start using their products again. Not a good way to start out again.
 

bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
He knows all 10 of his passwords, just not which of the 10 is with Apple, and they won't let him try all 10. He also has a cell phone listed with Apple to receive an SMS but it never shows up on that non-Apple phone (Apple's fault). So he could have 2 of the 3 things after losing the printout with his code, if he could try all the possible passwords.

We begged Apple to not lock the account while he tries the 10 different combinations, that are the only passwords he's ever used, it falls on deaf ears. He was too poor to buy a nice phone, and before I gave him an iPhone 5 he'd gone 3 years without using an Apple product (the iBook I sent him had died), and then he locked himself out of his Apple ID trying to start using their products again. Not a good way to start out again.
Of course Apple isn't going to allow a large number of attempts, it would undermine the security in place. Apple sends codes for 2SV by SMS; as long as he was using a supported carrier, he should receive them, regardless of device, as there's no way Apple would be able to know if a phone number is an iPhone, Android, Windows Phone, Blackberry, etc.

Because Apple takes its users' account security seriously, its support advisors have limited powers. They cannot authorize additional attempts, and when you're using 2SV or 2FA they cannot do anything if you can't log in to your account. But, again, if you've enabled these features, you asked for it to be harder to work with your account. The setup for 2SV is very clear that you need 2/3 to log in and to keep the recovery key safe or risk losing the account (something that can't happen with 2FA since it uses account recovery instead). It sucks but it was his responsibility to protect his own account after he deliberately enabled 2SV.
 

bbrks

macrumors 65816
Original poster
Dec 17, 2013
1,495
894
Because Apple takes its users' account security seriously

Forgive me, but because of this, I have to wait for a whole month for account recovery process to finish....each time, so I have a half functional phone for 3 months now. Hilarious :mad:
 
  • Like
Reactions: mikzn

bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
Because Apple takes its users' account security seriously

Forgive me, but because of this, I have to wait for a whole month for account recovery process to finish....each time, so I have a half functional phone for 3 months now. Hilarious :mad:
Yes. You told them to increase the level of security. Account Recovery helps ensure only you can access the account, as previously discussed.
 

HeadphoneAddict

macrumors 65816
Sep 16, 2007
1,041
888
His other phone was a govt subsidized phone (remember he is poor) and I gave him the iPhone 5 so he could be back on the internet. Apple's text wasn't compatible with those free "Obama Phones".

And what about the fact that he proved to Apple that he owns and controls the aol.com email that was used for his Apple ID?

He showed them his AOL account profile and history, with years and years of emails that identified him, and showed his driver's license that proved that was him - in a court of law he had enough evidence to prove that he was the owner of that Apple ID. And they still would not unlock the Apple ID and lift the limit on the number of allowed password attempts.

The account has been idle for over a year now, so it's not like anyone else is going to come forward and claim the account.
 

bcave098

macrumors 6502a
Sep 6, 2015
516
207
Northern British Columbia
His other phone was a govt subsidized phone (remember he is poor) and I gave him the iPhone 5 so he could be back on the internet. Apple's text wasn't compatible with those free "Obama Phones".

And what about the fact that he proved to Apple that he owns and controls the aol.com email that was used for his Apple ID?

He showed them his AOL account profile and history, with years and years of emails that identified him, and showed his driver's license that proved that was him - in a court of law he had enough evidence to prove that he was the owner of that Apple ID. And they still would not unlock the Apple ID and lift the limit on the number of allowed password attempts.

The account has been idle for over a year now, so it's not like anyone else is going to come forward and claim the account.
As I said, device doesn't matter. I'll presume you mean that the device doesn't support SMS, then I'm not sure how it was set up in the first place since you need to verify the number first.

Again though, he told Apple to limit the options for gaining access to the account. By enabling 2SV, he told Apple to only accept 2 of 3 specific pieces of information as proof of ownership. Period. And again, they have no way to "lift the limit on the number of allowed password attempts," as I said.

No one can ever access that account again. This is a lesson to him (and you) to read the instructions and protect sensitive account information.
 