There are limits to 2FA (arstechnica.com)
100 points by lisper on July 31, 2016 | 45 comments



The headline is a little misleading. The "limits" aren't with 2FA. The problem is there are holes in Apple's feature set where 2FA isn't enabled. This is an Apple problem and not necessarily a 2FA problem. As others have said, there are ways around this lost device problem like the one time use codes that Google and other companies provide.


My main hole with 2FA and Apple is that I don't receive messages on my devices – with the new system. There's still SMS / texting as an alternative but it gets annoying and is less secure too.


Can also be lost.

I am losing things constantly (laptops, phones, documents — damn you, ADD), and I wouldn't want to be locked out from my digital life just because I lost another piece of paper or device.

In compensation, my symbolic memory is excellent — never had a problem with memorizing long passwords.


Then you should be able to memorize one of your backup codes, and you'll be fine.

I don't know if Apple does this, but Google's 2FA (and others) gives you static (printable - or memorizable!) backup codes in case you lose your device.


Yes, Apple gives you static backup codes


Ok, might be a solution then.


A bag of codes hidden in the pantry can't easily get lost


I lived in 6 different countries and changed 60 rented apartments (not to mention countless hotels).

Challenge accepted.


You live exactly in one country at a time. You live in one rented apartment at a time. You have one home country. And I am going to assume you also have at least one person you can trust such as your mother / father. If I were you, I would keep that backup code with your mother. I am not Clinton so I don't expect anyone to break into my house, search for some code written on a piece of paper, and then try to use that code against me.

The point is, yes, YMMV, but there are plenty of solutions. The problem with MFA is that every MFA account comes with a static backup code. You ended up reopening the problem asymmetric key / public-key infrastructure was supposed to fix.


And you're an outlier. Congratulations. I bet you also buy a new phone every twelve minutes and a new laptop every hour, switch banks twice daily and get a new set of DNA and fingerprints every week.

And it's not going to be worth the time or trouble to try to design a system that accommodates you, unless you're also a multi-billionaire. Any user-facing system will fall down when faced with certain extreme outliers who violate its basic assumptions; so long as the system works well enough, for enough people, that's not a bug.


GitHub/Google/Microsoft/Blizzard/Heroku have "recovery" or "backup" codes which you are supposed to keep in a safe place (perhaps even a physical safe) and can be used when the phone is not available (lost, locked, erased, whatever).

They are one-time only (that's why you get 10), but are not time sensitive (like those generated by app/token) so they are longer.
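
An added example, not part of the original comment and not any named provider's code: one way a service could issue and redeem the one-time, non-time-sensitive recovery codes described above while storing only salted hashes. The alphabet, code length and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not taken from any provider's documentation).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # look-alike characters left out
CODE_LEN = 10    # about 49 bits per code, so longer than a 6-digit TOTP value
CODE_COUNT = 10  # the comment's "that's why you get 10"


def _digest(salt: bytes, code: str) -> bytes:
    # Normalise so dashes, spaces and capitals typed by the user do not matter.
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


def issue_codes():
    """Return (codes shown to the user once, record the server keeps)."""
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
             for _ in range(CODE_COUNT)]
    # The server stores only salted hashes, never the plaintext codes.
    record = {"salt": salt, "unused": {_digest(salt, c) for c in codes}}
    printable = [f"{c[:5]}-{c[5:]}" for c in codes]
    return printable, record


def redeem(record, submitted: str) -> bool:
    """Accept each code at most once; no clock or counter is consulted."""
    candidate = _digest(record["salt"], submitted)
    match = None
    for stored in record["unused"]:  # check every entry, constant-time compare
        if hmac.compare_digest(stored, candidate):
            match = stored
    if match is None:
        return False
    record["unused"].discard(match)  # burn the code so it cannot be replayed
    return True
```

Attempt rate limiting and regenerating the set once codes run low are left to the surrounding login flow.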


Google also tells you to add a second, "backup" number for two factor auth, or even more of them. It can be a landline, or a trusted person's phone.


Phone or SMS based 2FA is inherently insecure. Can be intercepted at carrier level (and it is quite cheap to do it — some political targets in Russia and Turkey were attacked this way).


The problem is that SMS provides better recovery rates than TOTP/HOTP + backup codes, because people can go to their carrier and get a new device at the same number.

It's important to remember that availability is an important aspect of security. If you protect a user primarily concerned with mass-account takeover attacks from a low-probability threat (people intercepting their SMS channel) but introduce a high-probability threat (dropping their phone in the toilet and being locked out of their account forever) you may not have made a good security tradeoff.


Yeah but that's a different threat model than the one discussed. It will prevent 99% of attacks but someone always comes in yelling "BUT IT'S NOT PERFECT". As they say, perfect is the enemy of good.


Why would 99% of adversaries fail to choose the attack that's known to work?


Not everyone is a nation state or has SS7 access. Intercepting SMS isn't as easy as you make it out to be.


Not everyone, but many people of varied moral qualities _do_ have access to SS7 and carrier operations, and they can be contacted and negotiated for services.


(Not end-to-end encrypted = not secure. Should be obvious these days.)


The solution which is considered to be "almost perfect" and relied upon as that, but failing unexpectedly is arguably worse than an imperfect solution with known imperfections.


The solution which is considered to be "almost perfect" and relied upon as that, but failing unexpectedly

What other failure mode is there? A solution that's considered to be actually perfect? Regardless, you have to account for Gödel.


Black swans arise because when people design things that work 99.99% of the time, they tend to relax and rely on the system more than they should, and when this 0.001% event happens, they are completely unprepared.

The correct mode of operation is to always be prepared, without relying on the "perfect" system too much. If the system is actually good, "chaos monkeys" may be employed to keep everybody prepared.


I think the SS7 vulnerability in question you're talking about is limited to the MAP portion of SS7. So for 2FA with a landline, you should be fine.


As I said above, the problem with MFA is now you have one static code for every MFA account, so we are re-introducing the problem public key infrastructure would solve, which I consider is a pretty valid limitation of MFA.


Apple has two types of what might be called 2FA, two-factor and two step authentication. If memory serves, two step has a back up code that needs to be maintained by the end user. If the user misplaces this code, the account is unrecoverable. Two factor does not have this back up code feature. When I went to the genius bar to ask about this, they said that an affected user would need to contact Apple and they would interrogate the user to confirm identity. This seemed a bit strange to me but whatever.

Now with two factor I thought a code could be generated from any previously authenticated device that is El Capitan / iOS 9.3. These devices can generate codes while offline and unconnected.

To generate an offline code from a MacBook, turn off Wi-Fi then open Settings > iCloud > Account Details > Get Verification Code.

To generate an offline code from an iPhone/iPad, put in airplane mode, > Settings > iCloud > tap your picture / name / Apple account icon-y thing at the top > Get verification code.

So when I read this article, I'm thinking to myself that maybe I know a trick that the author did not.

Am I missing something?


It sounds like his complaint is that Apple doesn't use 2FA when you acknowledge your 2FA device is unavailable (I had trouble following the article). This is admittedly bad. All they need is an offline code or something like Google's recovery codes. It's actually somewhat disappointing that so few sites have something like that.


The limits described in this article are where all components are part of the same system - the 2FA device (iPhone) can be disabled from the same system (iCloud) that is protected by the 2FA device. Thus compromises had to be built into the system to allow device recovery, since that is also part of the same system.

Were iCloud 2FA provided by an Android device (or PC or Blackberry or RSA keychain), this problem could be easily obviated.


It's a bit of a catch-22: if you lose your iPhone then you need some way to locate it / erase it without having your iPhone. I don't think it's a big deal, you should have backups anyways.

One thing they could do is, if you have more than 1 device on your account, then force you to use another device for 2fa.


It occurs to me that the "use another device" verification process built into iCloud Keychain would work well for this. You could make the entire thing cryptographic, actually: just store each device's "erase code" in the Keychain, such that you have to auth yourself on one of the devices that has the unlocked keychain in order to (automatically) grab the erase code and send it to the associated device.


You're still screwed if you lose both devices (e.g. a burglary where both your phone and laptop are taken).


I'm still locked out of a 2FA-enabled Dropbox account. I broke my phone while my laptop was undergoing maintenance. Still have a log-in token on the encrypted drive of a laptop whose boot password I've since forgotten...


I once left my bag with both inside. It surfaced in the city's lost and found two months after, thankfully. But if I had 2FA enabled, it would have been mighty inconvenient.


I keep some Google and Github account recovery codes on a slip of paper with my passport, some more in my wallet, and all in an encrypted file on a server with SSH access.

Hopefully that's enough that I'm not too inconvenienced, should my phone be stolen.


How often do you travel?


For holidays (6 weeks per year) plus one or two business trips (up to 2 weeks per year), plus about 1 weekend a month.

But does it matter?

Should my wallet and phone be stolen whilst I'm away, I can log in to my server using SSH (and a long password), then decrypt a file containing the backup codes (PGP with a long passphrase). Then I can access GMail/Github.


Please don't conflate Apple's "Can you read a message we sent you?" verification with well designed 2FA.


I use 2FA and love it; however, there is one issue I faced that I wanted to highlight for anyone having missing SMS issues... In our country we can keep the number but change phone company, called porting the number to another carrier... It works great; however, international SMS, which is mostly the case with 2FA messages, never works after number porting. I do not know whether it is just an issue with our country's porting config or a universal problem. So anyone having the issue of no SMS received... may look into whether the number was ported...


It's possible to receive SMS sent to your number without your knowledge. The GSM network cannot be trusted, so SMS is not a very good 2FA method.


You never mention the name of your country though :)


Pakistan :)


Why not simply disable "back to my iPhone"? I question its value against theft - thieves these days know about taking your device offline. Sure, it is useful if you forget your phone somewhere, but how often does that happen?

It seems the intrinsic risk of attack you expose yourself to by having "back to my iPhone" enabled is greater than the risk of forgetting your iPhone somewhere...


Find My iPhone also has the benefit that if you erase and lock your lost iPhone, then (in theory) the device becomes useless as it will refuse to reactivate, even with a factory reset (aka "Activation Lock"). The idea is to make stealing these types of devices much less attractive (by killing off any resale value).


What's the goal of a "Find my iPhone" attack? Ransomware?

Also puzzled that the attacker manages to guess the victim's password (described as complex). In my experience, 3 incorrect login attempts on iCloud block the site for a while.

Is there more to this story?


2FA? Several years ago I enabled 2FA on Facebook. One day they stopped sending SMS and thus I wasn't able to log in to Facebook for around half a month. Fuck 2FA on Facebook!


When an attacker is trying to access my Find My iPhone feature, I expect Apple to offer a different version of their 2FA - either by user pre-authed device along with a special secret (those offline password print outs) or another form (landlines, biometrics, knowledge based, etc.).

Remote wiping someone's phone can be a very serious threat if they don't offer something that handles both the usability requirements and the security of the service.



