

Ask HN: Have I found a big flaw in iCloud two factor authentication? - scrumper

I just set up two factor authentication. The only trusted device I have is an iPhone. I signed into the iCloud website on my laptop to test it out, and the two factor code SMS then appeared right on my messages app on the laptop itself. This seems to defeat the purpose.

I have Yosemite/iOS 8's new SMS forwarding set up so I can text my Android-owning friends from my laptop. I suspect this is the culprit.

The solution would be using some Authenticator app on the iPhone itself, but without that, it seems like 2FA isn't safe if you're using SMS forwarding with the new versions of Apple's OS's.

Am I missing something obvious?

Thanks
======
shekyboy
The phone needs to be connected over the same wifi for the sms messages to be
pushed to the computer.

It won't happen if the phone is not on the same wifi. So the assumption is if
both your devices are on the same wifi network, you have ownership of both and
can verify. Now if someone steals both, you have bigger problems.

Go ahead and test this after turning off wifi on your iPhone and see if this
happens.

~~~
msh
No, that's phone calls. SMS relay works no matter what network the units are
connected to.

------
joshschreuder
Doesn't this only happen if you were on the same Wifi network with your phone
and laptop?

------
napoleoncomplex
This is the same question that I had while using Pushbullet. If notifications
appear on the laptop, then 2FA isn't really helping.

Pushbullet allows you to "mute" SMS notifications, but that's one of the key
features. How do others solve this?

~~~
firangistan
Like in iPhone you can choose what content you want to display in your
notifications. Pushbullet should push an update so that people can choose to
display only the title of the notification and not the body.

