Ask HN: iCloud forces usage of phone number for 2 factor authentication?
5 points by ploggingdev 11 months ago | 2 comments
I switched from an Android device to an iPhone recently and was asked to set up an iCloud account. I went through the setup process and realized that my phone number was set up as a 2nd factor with no option to disable it [0]. Seriously? For all the talk about Apple devices being the most secure, not many people seem to be complaining about how Apple forces a phone number as a 2nd factor + account recovery method. Most people back up very personal data to their iCloud accounts and forcing a phone number as a 2FA is ridiculous. IMO Google gets 2FA right: I can set up a Yubikey + Authenticator + backup codes and remove my phone number as a 2FA method. And I also realized that there's no way to delete an iCloud account. wtf?

(First time using an Apple device, so I might be misunderstanding the 2FA situation, correct me if I'm wrong.)

I switched from 2 Step Auth to 2 Factor Auth recently and saw the same thing. A trusted phone number is required (and verified with that code you received) but in the future you'll receive 2FA codes on your trusted devices. But to set up that first device, you've gotta set up at least one trusted phone number. More information here [0]. Relevant bits:


With two-factor authentication, your account can only be accessed on devices you trust, like your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you'll need to provide two pieces of information—your password and the six-digit verification code that's automatically displayed on your trusted devices.


A trusted device is an iPhone, iPad, iPod touch with iOS 9 and later, or Mac with OS X El Capitan and later that you've already signed in to using two-factor authentication.


A trusted phone number is a number that can be used to receive verification codes by text message or automated phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.


In my case, I switched my iPhone to 2FA first and it sent me the SMS code. Once I started switching over my other devices to 2FA, I started seeing the code popping up (along with the location of the device being logged into, like in the photos from [0]) on my device instead of being sent via SMS.

The verification codes pop up on trusted devices but it's possible to have them sent to the trusted phone number instead. There's no way to remove the trusted phone number as a 2nd factor. From the FAQ:


What if I don’t have access to a trusted device or didn't receive a verification code?

If you're signing in and don’t have a trusted device handy that can display verification codes, you can have a code sent to your trusted phone number via text message or an automated phone call instead. Click Didn't Get a Code on the sign in screen and choose to send a code to your trusted phone number. You can also get a code directly from Settings on a trusted device.


