Should two-factor authentication let me verify via a single device?

Allen thinks something is off with Apple’s two-factor authentication (2FA) system which is a replacement for its older two-step verification system. He’s verified and MacBook and his iPhone, but notes that when he logs in via a browser to the Apple ID site or iCloud.com using his MacBook…

…my MacBook will display a map with the option to select Don’t Allow or Allow. When I select Allow, I then get a pop-up with my verification code. Using this verification code, I’m able to log in with no issue.

He sees the same map and code on his iPhone, if it’s turned on.

The issue here, however, is that I’m logging in with my MacBook but also getting my verification code on the same MacBook. Is this how it’s supposed to work?

It seems a little counter-intuitive I agree, and it’s a reason that some security experts don’t label Apple’s 2FA as “real” 2FA, but think it’s still just a two-step process. True 2FA comprises two of the following things: something you know, something you have, or something you are. Mostly typically, that’s a password, a phone or token-generating device, or a fingerprint. (It can also be a PIN, an RFID card that’s tapped against a reader, or your retina.)

The first factor is typically the password or PIN, which you know and anyone can enter from anywhere, making it globally insecure. The second factor for most consumer and small-business purposes is a code that’s generated and sent through a means that’s separate from the pathway that you’re using to enter the password. That prevents someone who can gain access to the password also gaining access to the code.

When you log into Dropbox or Facebook or Google, you can use either a Time-based One-Time Password (TOTP), in the form of a short code texted via SMS or generated via an authentication app, like Authy or Google Authenticator. To make it a true second factor, you shouldn’t be able to receive or generate the code on the same device on which you’re logging in. In many cases, the same device is used, which reduces security.

However, someone has to gain access to something, like your incoming SMS messages or your actual phone, which dramatically reduces the odds of any arbitrary person with your password also gaining access to an account. So it’s still very useful.

Apple skews even further towards a second step instead of a second factor, which is what you’ve seen. Once you’ve set up a device as a trusted one with 2FA for your Apple ID, that device is always available to authenticate any connection that needs it except logging back into the iCloud control panel in OS X or Settings > iCloud in iOS.

Thus, when you log into a Web site in OS X that requires authentication from a trusted device, all your trusted devices—including the one on which you’re browsing—wind up qualifying. Because someone needs physical possession of that trusted device, this doesn’t eliminate every risk, but it does get rid of most of them.

Ask Mac 911

We’re always looking for problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.