iOS – How is the passcode stored in the cloud?

icloud ios iphone password two-factor-authentication

Since iOS 11, one is forced to use 2FA, unless one wants to do without a second factor. But 2FA has the disadvantage that the passcode is transmitted to iCloud. But I don't know when this is the case. So I would like to know when and how this happens.

What I know is that I don’t like it and don’t need it. Can anyone help me to feel less uncomfortable with this?

Another question related to the passcode is why the phone/cloud saves the last attempt.

Edit:
I found the documentation. HT202303 says: "To access your data on a new device, you might be required to enter the passcode for an existing or former device."

So this means that when I activate 2FA, my passcode is uploaded to the cloud. And for a 6-digit passcode there is no "encryption" or whatever. It is super simple to brute-force.

Now that these keys are transferred to China, how can I be sure that my iPhone security is not totally compromised when using 2FA?

Best Answer

As far as I'm aware, no passcodes you use to unlock your phone are sent anywhere. With 2FA, you sign into something with your passcode as normal, and then a challenge code is sent to authorized devices for you to also enter. The challenge code is generated on Apple's end of things and only sent to devices you've already confirmed. See Apple's documentation on how 2FA works.

Edit after your comment: Ah, I see the disconnect. The section you are referring to is specifically regarding Keychain escrow. This is an optional feature when setting up iCloud Keychain syncing that allows Apple to keep a secondary copy of your keychain. By default, iCloud simply syncs the keychains across your devices. If you set up escrow with Apple, they will keep their own copy of your keychain to be synced as your devices sync separately and securely. This allows recovery of a keychain if your only (or all) iCloud-authorized device is lost. So first it's important to realize that this only applies if you set up keychain escrow.

Second, while your device passcode will be used by default as your "secure key" for the escrow, that passcode is not sent to Apple. It is instead used to encrypt the escrowed copy of your keychain. Specifically this paragraph (all quotes taken from the January 2018 iOS Security Guide linked in the comments below):

Next, the iOS device exports a copy of the user’s Keychain, encrypts it wrapped with keys in an asymmetric keybag, and places it in the user’s iCloud key value storage area. The keybag is wrapped with the user’s iCloud Security Code and the public key of the hardware security module (HSM) cluster that will store the escrow record. This becomes the user’s iCloud Escrow Record.

Note that the iCloud Security Code refers here either to your device passcode or the code you set up if you don't have 2FA enabled. Now take a look at how the document explains recovering an escrowed keychain:

To recover a Keychain, users must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. Once this is done, users must enter their iCloud Security Code. The HSM cluster verifies that a user knows their iCloud Security Code using the Secure Remote Password (SRP) protocol; the code itself isn’t sent to Apple. Each member of the cluster independently verifies that the user hasn’t exceeded the maximum number of attempts allowed to retrieve their record, as discussed below. If a majority agree, the cluster unwraps the escrow record and sends it to the user’s device.

So there are multiple steps here:

1) You authenticate with your iCloud account information

2) You then respond to an SMS sent to your previously registered phone number

3) You enter your iCloud Security Code (or device passcode in the case of 2FA).

Note specifically it says that this code is NOT sent to Apple. Instead your code is verified using the Secure Remote Password protocol. I'm not an expert in crypto so I can't explain the details to you, but what's important to note is that SRP allows verification of passwords without sending the password itself or any equivalent data.

Once this is done, your device now gets the encrypted keychain, and must still decrypt it using your iCloud Security Code (or device passcode). But that is all done on the local device.

To sum it all up: if you have 2FA enabled and you turn on keychain escrow when enabling your iCloud Keychain syncing, it will use your device passcode as part of the keychain escrow security, but that passcode never leaves your device.
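The answer says SRP lets the HSM cluster check that you know the iCloud Security Code without the code (or anything equivalent to it) being sent, and that each cluster member counts attempts against a limit. The following is an added example written for this page, not Apple's code and not taken from the original answer: an SRP-6a exchange in which the escrow side (the hypothetical `EscrowServer` class here) holds only a salt and a verifier, the client's `recover` function derives everything passcode-related locally, the four messages on the wire are `A`, `(salt, B)`, `M1` and `M2`, and a wrong guess is refused and counted. The group is a demo-sized safe prime generated in the block rather than the RFC 5054 groups a real deployment would use, and the attempt limit of 10 is an illustrative value; the guide quoted above says a maximum exists but this page does not state the number.

```python
from __future__ import annotations
import hashlib
import random
import secrets

def _H(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def _b(n: int) -> bytes:
    """Big-endian encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin; witnesses come from a PRNG seeded with n, so the search is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_safe_prime(bits: int = 128) -> int:
    """First safe prime 2q+1 with odd q >= 2^(bits-2)+1: demo-sized, not an RFC 5054 group."""
    q = (1 << (bits - 2)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

N, g = demo_safe_prime(), 2
k = _H(_b(N), _b(g))  # SRP-6a multiplier

def _x(identity: bytes, salt: bytes, passcode: bytes) -> int:
    """Private exponent derived from the passcode; only ever computed on the client."""
    return _H(salt, _b(_H(identity + b":" + passcode)))

def enroll(identity: bytes, passcode: bytes) -> tuple[bytes, int]:
    """Escrow setup on the device: the server is given only (salt, verifier)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, _x(identity, salt, passcode), N)

class EscrowServer:
    """Hypothetical escrow side: stores (salt, verifier) and a failure counter per identity; never sees the passcode."""
    MAX_ATTEMPTS = 10  # illustrative limit, not Apple's figure

    def __init__(self, records: dict[bytes, tuple[bytes, int]]) -> None:
        self.records = records
        self.failures: dict[bytes, int] = {}
        self.sessions: dict[bytes, tuple[int, int, int]] = {}

    def challenge(self, identity: bytes, A: int) -> tuple[bytes, int]:
        """Message 1 in (A), message 2 out (salt, B). A locked record gets no challenge."""
        if A % N == 0:
            raise ValueError("invalid client public value")
        if self.failures.get(identity, 0) >= self.MAX_ATTEMPTS:
            raise PermissionError("escrow record locked after too many attempts")
        salt, v = self.records[identity]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        self.sessions[identity] = (A, B, b)
        return salt, B

    def verify(self, identity: bytes, M1: int) -> int | None:
        """Message 3 in (M1), message 4 out (M2); None and one counted failure on a bad proof."""
        A, B, b = self.sessions.pop(identity)
        v = self.records[identity][1]
        u = _H(_b(A), _b(B))
        K = _H(_b(pow(A * pow(v, u, N), b, N)))
        if M1 != _H(_b(A), _b(B), _b(K)):
            self.failures[identity] = self.failures.get(identity, 0) + 1
            return None
        self.failures[identity] = 0
        return _H(_b(A), _b(M1), _b(K))

def recover(server: EscrowServer, identity: bytes, passcode: bytes) -> bytes | None:
    """Client side of recovery: the session key K on success, None if the server rejects."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(identity, A)
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = _H(_b(A), _b(B))
    x = _x(identity, salt, passcode)
    K = _H(_b(pow((B - k * pow(g, x, N)) % N, a + u * x, N)))
    M1 = _H(_b(A), _b(B), _b(K))
    M2 = server.verify(identity, M1)
    return _b(K) if M2 == _H(_b(A), _b(M1), _b(K)) else None
```

Usage: `salt, v = enroll(b"user@example.com", b"123456")`, hand `{b"user@example.com": (salt, v)}` to `EscrowServer`, then `recover(server, b"user@example.com", b"123456")` returns a key and `recover(..., b"654321")` returns `None`. The point worth checking against the quoted guide is which values cross the boundary: `x` and the passcode exist only inside `_x`, `enroll` and `recover`; the server's record holds `g^x mod N`, which is not the passcode and cannot be replayed as one by a client that does not know `x`. Its only weakness against a 6-digit passcode is offline guessing by whoever holds the verifier, which is exactly why the guide pairs SRP with a per-record attempt limit enforced inside the HSM cluster rather than relying on the passcode's entropy.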