Update 4/15/19: Apple says the problem isn't with iCloud's two-factor system, but rather with the way the browser is treated. A representative explained that browsers are treated as separate trusted devices, so the code is sent to all other devices, including the one you're using.
With an iCloud account and an Apple device, two-factor authentication is quite different than it is on any other device or account. As is the Apple way, 2FA on your iPhone or Mac is baked into the device you own, setting up a system that is theoretically as secure as a security key. Except when it’s not.
Here’s how it works. When you’re trying to log into your iCloud or Apple Music account on your iPhone, you’ll first be prompted to enter your password. Once that is recognized, you will then be asked to input a code that has been sent to one of your trusted devices, say an iPad. You’ll get a message on your iPad informing you that someone is trying to log into your account and asking whether you want to allow it. Then you’ll receive a six-digit code that you’ll enter into the boxes on your iPhone.
If you don’t get the code (which happens from time to time), you can request a standard SMS code or use one of the randomly generated ones in the Settings app on your iPhone or System Preferences. Just tap on your iCloud name on the iPhone or Account Details on the Mac, then Password & Security, and Get a Verification Code. A six-digit code will appear, which can then be entered into the appropriate boxes on your other device.
While it appears as though Apple has all of the 2FA bases covered, its proprietary system of trusted devices isn’t without its flaws. For one, it works best when you have more than one iOS device. Not only does it add an extra layer of protection by bringing a second device into the mix, it’s true 2FA, pairing something you know (your password) with something you have (your device).
Holes in the security system
But if you only have a single Apple device, you’re kind of out of luck, and that’s where the trouble starts. If an iPhone is your only Apple device, for example, you’ll basically be stuck using SMS. Obviously you won’t be able to get a code on another Apple device, but Apple limits trusted devices to iPhone, iPad, or iPod touch with iOS 9 and later, or a Mac with OS X El Capitan and later. That means you can’t use a PC, Chromebook, or Android phone, which is a major limitation. And since you’ll be signing into iCloud in the Settings app, you won’t be able to get a verification code using the built-in authenticator tab either.
While you’re technically protecting your account and services via 2FA, it’s the least secure way. The issues with spoofing and straight-up stealing text-based codes as they arrive are well-documented. Granted, most Android users use one of those two options on their phone as well, but at least they have the option to download an authenticator with biometric authentication. Since Apple doesn’t yet support hardware security keys for iCloud, you really have no other choice but to use a second Apple device.
If the implementation of iCloud 2FA with a single Apple device is bad, however, it’s downright defective when you need to manage your account over the web. When you input your password to log into your Apple ID account page, whether or not it's stored in the iCloud Keychain, Apple will automatically prompt you to enter a 2FA code, as it should.
However, that code goes to all of your trusted devices—including the one you’re using. If you’re using Safari on your Mac, the 2FA code will pop up on the same screen, which kind of defeats the purpose and leaves your most sensitive data vulnerable if your Mac gets stolen. That means all someone would need is the password for your Mac (since most models don't have Touch ID) and they could get access to your entire account, assuming you have iCloud Keychain enabled on the Apple ID page.
That’s the case no matter where you log in—iPhone, Mac, PC—Apple will send your 2FA code to whoever is trying to log into your account from one of your trusted devices. Apple told me that the issue isn't with iCloud's two-factor system, but rather with the way the browser is treated. As a representative explained, under iCloud 2FA browsers are treated as separate trusted devices, which is why codes are sent to the same device you are using. That makes sense, but it still gives users a false sense of security and turns Apple’s otherwise strong 2FA system into a less-secure 1FA one.