iCloud – Does iCloud two-factor authentication send a code to the same device as a login request?

Tags: apple-id, icloud, Security, two-step-authentication

My Apple-ID (e.g., on https://appleid.apple.com/ ) is set up to require entry of a 6-digit code sent to my registered Apple products.

This code is being sent to the same device I'm currently requesting to log in from. I feel this absolutely defeats the purpose of this two-factor authentication: if a person knows my password, this person can receive the code on that device and access my Apple account without any problems.

Is this a bug or can I set up / change how this security step works?

Best Answer

This is how it works and isn't a bug. It's two-factor authentication, not prevention.

Yes, it's being sent to that device but, as you mentioned, it's also being sent to all other devices signed-in with the same Apple ID. This is meant to notify the user that a sign-in is being attempted.

To use your example, if you're trying to log into a Mac that means you're not currently logged-in. In that case, the Mac will not get the code because it's only sent to devices that are logged-in with that ID. Your Mac is not logged-in at that point.

You can prevent this in two ways:

  • mark the browser/device as always trusted (which makes you less secure - the login request won't then broadcast to all your other devices)
  • remove that device from your trusted list - all sign-in requests will then require a different device to receive your 6-digit PIN (further locking down that one device - at the expense of not being able to use it as an approved device for your iCloud)

If you're already logged-in to your Mac and now you want to add a new device to iCloud, your Mac will get the code because it's a device logged-in with your Apple ID and you've previously 'trusted' that Mac. So now, the code is alerting all your devices that a login attempt is currently being made.

This Apple 2FA page can provide additional info.