Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apple iMessage/Facetime #975

Closed
mxxcon opened this issue Feb 12, 2015 · 37 comments
Closed

Apple iMessage/Facetime #975

mxxcon opened this issue Feb 12, 2015 · 37 comments
Labels
question Issue contains a question.

Comments

@mxxcon
Copy link
Contributor

mxxcon commented Feb 12, 2015

http://techcrunch.com/2015/02/12/apple-adds-more-security-to-imessage-and-facetime-with-two-factor-authentication/

Btw, should these services be added separately from Apple's "retail" entry?

@mxxcon mxxcon added the question Issue contains a question. label Feb 12, 2015
@RichJeanes
Copy link
Member

If they're separate from your retail account, then yes. I'm not an Apple user, but I'm pretty sure they are. Aren't iMessage/FT part of iCloud? I thought that already had TFA?

@Carlgo11
Copy link
Member

@RichJeanes iMessage & FaceTime are separate from iCloud.

@mxxcon
Copy link
Contributor Author

mxxcon commented Feb 13, 2015

Iirc it's all the same account, but apparently different products have different authentication mechanisms.

@jamcat22
Copy link
Member

jamcat22 commented Feb 13, 2015

Apple has two different systems for additional verification.
The first is 2FA (two-factor authentication), and the second is 2SV (two-step verification).
Both are separate mechanisms and how they work varies greatly.

2FA (two-factor authentication) 2SV (two-step verification)
- Protects all parts of your account (except those listed towards the end of the comment) - Protects certain parts of your account
- Code entered in special box (for software that supports it), app-specific passwords (for certain software), added to end of password (for software without built-in support), or no code required at all (for software that isn't protected by 2FA; see list below) - Code entered in special box (for software that supports it), app-specific passwords (for certain software), or no code required at all (for software that isn't protected by 2SV)
- Requires a device running at least OS X El Capitan or iOS 9 to enable and receive codes - Can be enabled on any Apple ID using the Manage Your Apple ID page
- After enabling on a macOS/OS X or iOS device, SMS or Phone Call can be used to receive codes in addition to push notifications - SMS or a push notification to an iOS device can be used to receive codes
- At least one SMS number is required - At least one SMS number is required
- Codes are 6 digits - Codes are 4 digits
- Recovery is dynamic and does not require a recovery key - Recovery is static and requires a recovery key

As of March 21st, 2016, 2FA is available for all Apple IDs. In order to enable it, ensure you are running at least OS X El Capitan or iOS 9.3, and follow the instructions available here.
If you'd like to upgrade from 2SV to 2FA, follow the instructions available here.

If you still receive an error indicating that your account isn't eligible to enable 2FA, ensure all devices connected to your account are updated to the latest macOS or iOS version and try enabling the feature on an iOS device running the latest, non-beta version of iOS 9.3 or above.

Only certain parts of your account are protected by 2SV.
All parts of your account are not yet protected by 2FA. The list of services it does not protect is towards the bottom of this comment.

Currently, both 2FA enabled from a supported device and 2SV enabled from the Manage Your Apple ID page protect:

iCloud Keychain has separate SMS/software 2FA that is required and is enabled even if you don't have 2FA/2SV on your Apple ID.
Remotely deactivating iMessage from the Apple self-solve website (which you can find out more about here) requires SMS 2FA even if you don't have 2FA/2SV on your Apple ID.

While 2SV doesn't protect, 2FA still protects:

2FA/2SV might not protect:

  • Using iAd Producer to upload ads to the iAd server
    • Status: Not Tested
  • Signing into Apple School Manager
    • Status: Not Tested
  • Signing into the TestFlight app on tvOS
    • Status: Not Tested

Neither 2FA NOR 2SV protect:

FAQs:

2FA (two-factor authentication) 2SV (two-step verification)
Main FAQ Main FAQ
Switching from 2SV to 2FA
Availability FAQ
Getting a verification code
SMS FAQ
App Specific Passwords FAQ App Specific Passwords FAQ
Password Reset FAQ Password Reset FAQ
Recovery FAQ Recovery FAQ

@RichJeanes
Copy link
Member

Why? Just... Why?

@Carlgo11
Copy link
Member

@RichJeanes most big companies provide bad security for it's customers. If it's not outside threats it's the company itself. No matter what OS your phone runs it's vulnerable. Apple, Google, Windows. Not to mention the 3d parties of the Android OS....

@jamcat22
Copy link
Member

@RichJeanes I know. At least Google and Microsoft's 2FA protect everything.

I don't understand why Apple can't just use one SSO server with one sign in page for everything.

@mxxcon
Copy link
Contributor Author

mxxcon commented Feb 13, 2015

@jamcat22 They have so many different systems that it's difficult to use a single authentication method. They coded themselves into a corner.
"Apple is a hardware company". 😉

@jamcat22
Copy link
Member

@mxxcon 😄

@jamcat22
Copy link
Member

jamcat22 commented Mar 20, 2015

Just updated my previous comment with the following changes:

Things 2SV also protects:

  • Using Photos for Mac (Beta) to order photo prints
  • Signing into your Mac with iCloud to recover/reset FileVault (Yay!)
  • Signing into the Apple Beta Software Program (AppleSeed)
  • Signing into Apple Software Customer Seeding (AppleSeed)

Things that 2SV didn't protect but are now protected:

  • Signing into My Support Profile (stores your device info for quick support and keeps track of your support cases and warranties)

Things 2SV also does not protect:

  • Using iPhoto to order photo prints

@jamcat22
Copy link
Member

Maybe we should find a way to group big websites together...
That way we could show what parts of the website support 2SV and what parts don't.
And maybe we could have something that says every part of a particular website is protected (like Microsoft).

Just thinking...

@RichJeanes
Copy link
Member

Apple is so disparate in their sign-on services that we could (almost?) justify creating an "Apple" category...

@jdavis
Copy link
Contributor

jdavis commented Mar 26, 2015

@RichJeanes I get the idea but no, haha. I won't stand for that =]

If anything, why not put @jamcat22's analysis into a note and then link to that for the docs?

@jdavis
Copy link
Contributor

jdavis commented Mar 26, 2015

Actually, @RichJeanes. This would be the perfect time to use the link: option under exceptions: as detailed here: https://github.com/jdavis/twofactorauth/blob/master/CONTRIBUTING.md#exceptions--restrictions

You can create an exception and then turn that on and it will link there with more details. It was sort of a half-ass idea that isn't even being used so it might need to be worked on.

@jamcat22
Copy link
Member

@jdavis how does the exception link even work? I have been wondering about that for ages.

@jamcat22
Copy link
Member

Where does the link go? How do you set it? Is it a separate link from the doc file?

@RichJeanes
Copy link
Member

That's what I was trying to ask in #1022 and @jdavis pointed me here 😖
Definitely something that needs to be addressed in our documentation.

@jamcat22
Copy link
Member

jamcat22 commented Apr 13, 2015

Updated my comment again with the following changes:

  • Links have been added wherever possible.
  • Corrected the fact that iCloud Keychain also supports software 2FA
  • Added the fact that remotely deactivating iMessage from the Apple self-solve website (which you can find out more about here) requires SMS 2FA even if you don't have 2FA/2SV on your Apple ID.

Things 2SV also protects:

Things 2SV also does not protect:

@jamcat22
Copy link
Member

@jdavis Can you please explain how the exception link function works? Where does the link go? Can you define where the link goes? Can you have text in the exception box at the same time?

@jamcat22
Copy link
Member

jamcat22 commented May 25, 2015

Updated my comment again with the following changes:

Things that 2SV didn't protect but are now protected:

@jamcat22
Copy link
Member

jamcat22 commented Jun 30, 2015

Updated my comment with the following changes:

Things 2SV also protects:

Things 2SV might not protect:

Things that 2SV didn't protect but are now protected:

Things 2SV also does not protect:

@jamcat22
Copy link
Member

Updated my comment with the following changes:

Things 2SV also might not protect:

If anyone has a screenshot of iTunes for Desktop requiring a verification code, please comment below.

Things 2SV also does not protect:

@jamcat22
Copy link
Member

jamcat22 commented Sep 15, 2015

Updated my comment and other comments with the following changes:

  • Clarified 2FA vs 2SV.
  • Added descriptions of 2FA and 2SV.
  • Changed terms in all comments to reflect terminology.
  • Added FAQ links for 2FA.

Things that 2SV didn't protect but are now protected:

  • Using your Apple ID to lookup products you have or get support on the Apple website

Things 2SV also does not protect:

@Carlgo11
Copy link
Member

@jamcat22 you missed a dot somewhere in that comment.

@jamcat22
Copy link
Member

@Carlgo11 Bring. It. On.

@jamcat22
Copy link
Member

jamcat22 commented Oct 12, 2015

Updated my comment and other comments with the following changes:

  • Changed descriptions of 2FA and 2SV into a table for easier comparison. (So cool!)
  • Updated comment links to new URLs.
  • Updated status of multiple bug reports.
  • Updated status of submissions to Apple Product Security.
  • Updated FAQ links.

Things that 2SV didn't protect but are now protected:

Things 2SV also does not protect:

@jamcat22
Copy link
Member

jamcat22 commented Dec 15, 2015

Updated my comment with the following changes:

  • Updated the "My Apple ID" website name to "Manage Your Apple ID"

Things that 2SV didn't protect but are now protected:

[Important side note: While the Apple Store Account (payment info) page is now protected by the newest version of their sign in page, the main Apple website login (also used for the Apple Store) is still not. This means people can make purchases without using 2SV, but they cannot modify billing info.]

By the way, have you guys seen the new Apple ID website? It's amazing. Still nowhere near as complex as Microsoft or Google though.

@2factorauth 2factorauth locked and limited conversation to collaborators Mar 13, 2016
@jamcat22
Copy link
Member

Updated my comment with the following changes:

  • Reclassified items on the list as either being protected by both 2FA and 2SV, only 2FA, or neither 2FA nor 2SV.

Things neither 2FA nor 2SV protect:

@2factorauth 2factorauth unlocked this conversation Mar 13, 2016
@Carlgo11
Copy link
Member

What about make a note/ page about this?

@jamcat22
Copy link
Member

@Carlgo11 I'm thinking of either doing that, or linking directly to this issue, depending on if we can have notes pages with Markdown. I'd be open to coding it in HTML, but then it won't look quite as nice.

@jamcat22
Copy link
Member

Updated my comment with the following changes:

  • Indicated the fact that, as of March 21st, 2016, 2FA is available for all Apple IDs.
  • Added instructions on how to enable 2FA successfully, how to deal with the most frequently encountered error, and how to upgrade from 2SV to 2FA.
  • Made headers one size larger.
  • Removed bold font for report status items that are set to "Not Submitted".

Things both 2FA and 2SV protect:

@jamcat22
Copy link
Member

jamcat22 commented Jan 23, 2017

Updated my comment with the following changes:

  • Updated information on upgrading from 2SV to 2FA.
  • Added FAQ links for switching from 2SV to 2FA, and password resets.
  • My Support Profile, which was used to store your device info for quick support and keep track of your support cases and warranties, now redirects to Apple's Get Support website, which is listed in the comment as - Using your Apple ID to lookup products you have or get support on the Apple website and therefore is covered by both 2FA and 2SV.

Things that might not be protected by 2FA/2SV:

Things that 2FA didn't protect that are now protected, yet are still not protected by 2SV:

Things both 2FA and 2SV protect:

Things that 2FA protects, but aren't protected by 2SV:

@jamcat22
Copy link
Member

jamcat22 commented Feb 22, 2017

Updated my comment with the following changes:

Things both 2FA and 2SV protect:

Things that 2SV now protects, in addition to already being protected by 2FA:

Things 2FA/2SV might not protect:

  • Signing into the TestFlight app on tvOS

@jamcat22
Copy link
Member

Updated my comment with the following changes:

Things 2FA protected in the past, but are now no longer protected by 2FA or 2SV:

Seriously Apple‽ I honestly can't believe that in addition to 2FA/2SV being so segmented, convoluted, and poorly thought out for years now, items which used to be protected by 2FA are now being left unprotected! This is just ridiculous for a company as large and detail-oriented as Apple.

@jamcat22
Copy link
Member

jamcat22 commented Feb 26, 2017

Updated my comment with the following changes:

Things both 2FA and 2SV protect:

@jamcat22
Copy link
Member

jamcat22 commented Jun 7, 2017

Updated my comment with the following changes:

Things both 2FA and 2SV protect:

Things that 2SV now protects, in addition to already being protected by 2FA:

@gingerbeardman
Copy link
Contributor

Apple Migrating iOS 11 and macOS High Sierra Users With Two-Step Verification to Two-Factor Authentication
https://www.macrumors.com/2017/06/12/ios-11-macos-high-sierra-two-factor-auth/

@2factorauth 2factorauth locked and limited conversation to collaborators Oct 5, 2021
@Carlgo11 Carlgo11 closed this as completed Oct 5, 2021

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Labels
question Issue contains a question.
Projects
None yet
Development

No branches or pull requests

6 participants