Why does Apple’s two-factor sign-in think you’re hundreds of miles away?

Apple's 2FA doesn't use GPS, which results in locations that aren't exactly where you are.

apple 2fa location
Apple

Apple’s two-factor authentication (2FA) is a boon for anyone who wants to be sure that even if their Apple ID or iCloud password were stolen or found out, an intruder would still need a piece of equipment associated with the account to complete the login. These trusted phone numbers and trusted devices offer good deterrence.

When you log in to an iCloud account, the Apple ID site, or an Apple app that gives you account access or lets you make purchases, you’re prompted on a trusted device if you haven’t been challenged in a while at the software location at which you’re logging in. It’s in two parts: first, iOS and macOS show a tiny map and Don’t Allow and Allow buttons. If you tap or click Allow, you then get a six-digit code you can enter to complete the login.

mac911 2fa trusted login map IDG

This map rarely pinpoints where you’re at.

Macworld reader Sam wondered why that tiny map doesn’t show their current location. They describe it as “far away.” For me, I often get a map centered on a city a good 50 miles away, and sometimes even farther. Why is that?

Apple says in its documentation that it uses the “IP address” of the requesting device, not location services (like GPS, cell-tower positioning, and Wi-Fi positioning). The internet protocol (IP) address defines a location on the internet in terms of how a device is reached through routers, not a physical one.

Starting in the late 1990s, companies began compiling “geolocation” databases of IP addresses, and Apple likely has its own. These rely on information that internet service providers disclose in the domain names they reveal. You’ll sometimes see a city and state name in a fully qualified domain name, like adsl12321.seattle.wa.us.ispname.net. Other times, ISPs use techniques to block identification by assigning IP addresses from an internal pool it largely disconnected from geography. I assume my ISP, CenturyLink, has a big presence in Tacoma, Wash., and that’s why my map typically shows that city at the center.

If you’re using a virtual private network (VPN) or an ISP that engages in more obscurity for your privacy, the city shown could be very far away—even in another country. But you’ll know the timing: if you get a popup and you haven’t triggered it from a login, click or tap Don’t Allow and consider changing your password for that Apple ID or iCloud account ight away.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Every question won’t be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.

  
Shop Tech Products at Amazon