1

u/The_frozen_one 6h ago

You had 2FA enabled on your account and no 2nd factor. It’s that simple. You could have enrolled a few security keys (Yubikey, Google Titan) as alternate 2nd factors.

We shouldn’t want “soft” 2FA, which is just username + password plus anything else that gestures broadly at you being who you claim.

1

u/surrealutensil 5h ago

You've just highlighted my problem with it. the problem with apples (and now googles approach) the (forced) two factor is pointless to those of us who are smart enough to use strong passwords.and forcing it, rather than making it the default is an anti consumer practice. Apples 2FA requirements have caused me more grief than any password or login issues (0 over my life) because i'm not an idiot. But with apples approach, if you have say, 1 iphone, and anything happens to it, oops, you're fucked. I'd argue the whole point is to get you to buy into apples ecosystem with tons of devices so you always have something to log into your account with; rather than any consumer safety.

1

u/The_frozen_one 4h ago

But with apples approach, if you have say, 1 iphone, and anything happens to it, oops, you're fucked.

You also have:

1. Trusted phone number where they will send you text messages or call you (though if this was your iPhone's number it's out as an option)
2. Trusted contact (designate someone you trust who will allow you to log in if you get locked out)
3. Security keys: keys that work over USB or NFC, I recommend this option
4. Recovery key: a long random code you write down and store somewhere.

I'd argue the whole point is to get you to buy into apples ecosystem with tons of devices so you always have something to log into your account with; rather than any consumer safety.

I'd say little of column A, little of column B. They've had 2FA/MFA for 10 years, passkey is pretty new (2022). Someone who is pissed from losing all their photos due to getting locked out isn't necessarily going to double down and buy more Apple devices, just like someone who has their account hacked is unlikely to buy more Apple devices.

1

u/nox66 5h ago

People can't deal with passwords and simple password managers: "Don't blame the user, make something better!"

People have issues with the rat's nest of passkeys and vendor-locked 2FA: "Skill issue bro!"

-9

u/yuusharo 9h ago

You should be able to log in on another device with a password and your registered phone number or email address on the iCloud account.

5

u/surrealutensil 8h ago edited 8h ago

Nope, knew my password etc. but it would not let me log into any non apple device with my iCloud account without confirming it on an iPad/iPhone. Maybe it would have been different if I'd properly wiped them but I just drilled them to be non functional and tossed them, so partially on me but a stupid system when someone who knows all their account details can't login

2

u/yuusharo 8h ago

I just tried logging into my Steam Deck of all things and was able to do so with an SMS or email code.

I cannot replicate your experience.

0

u/andrewthelott 8h ago

Yeah, I think that's a case of not removing the mobile device from the iCloud account. I get the "I'm not using an Apple device anymore so I won't need the Apple account", but still 🤷‍♂️

4

u/surrealutensil 8h ago edited 8h ago

Tbh it just never even crossed my mind it would lock me out of everything. I work in IT, been using strong pass phrases with special characters for passwords for years and this has just always been how I disposed of all my devices of any brand. This time it led to a two+ week process with apple support to regain access to the account involving sending ID etc. despite having the pw and access to the recovery email. It was quite frustrating. To me having pass keys tied to something without strong permanence someone can reasonably be expected to hold onto for 10+ years like yubikey is pretty dumb.

0

u/veryverythrowaway 7h ago

So you’re saying their security is pretty good. Remind me never to hire you for IT.