Ask HN: Have I found a big flaw in iCloud two factor authentication?
13 points by scrumper on Nov 4, 2014 | 6 comments
I just set up two factor authentication. The only trusted device I have is an iPhone. I signed into the iCloud website on my laptop to test it out, and the two factor code SMS then appeared right on my messages app on the laptop itself. This seems to defeat the purpose.

I have Yosemite/iOS 8's new SMS forwarding set up so I can text my Android-owning friends from my laptop. I suspect this is the culprit.

The solution would be using some Authenticator app on the iPhone itself, but without that, it seems like 2FA isn't safe if you're using SMS forwarding with the new versions of Apple's OS's.

Am I missing something obvious?

Thanks




The phone needs to be connected over the same wifi for the SMS messages to be pushed to the computer.

It won't happen if the phone is not on the same wifi. So the assumption is if both your devices are on the same wifi network, you have ownership of both and can verify. Now if someone steals both, you have bigger problems.

Go ahead and test this after turning off wifi on your iPhone and see if this happens.


No, that's phone calls. SMS relay works no matter what network the units are connected to.


Aha - that's good. Will test that out but that addresses the concern. Thanks.


Doesn't this only happen if you were on the same Wifi network with your phone and laptop?


This is the same question that I had while using Pushbullet. If notifications appear on the laptop, then 2FA isn't really helping.

Pushbullet allows you to "mute" SMS notifications, but that's one of the key features. How do others solve this?


Like on iPhone, you can choose what content you want to display in your notifications. Pushbullet should push an update so that people can choose to display only the title of the notification and not the body.



