These days it’s pretty important to have two-factor authentication (2FA) set up on your accounts, especially the ones that matter most, like your bank or the account that controls the operating system on your phone. In fact, Apple requires 2FA when you create a new Apple ID, with no option to skip it or turn it off later.
2FA isn’t a perfect system, but it does make your accounts significantly harder to access than they otherwise would be. And while it’s admirable that Apple has this stronger approach to security, its two-factor system is still remarkably backward. By which I mean, in typical Apple style, it’s far too Apple-centric for my liking.
Apple’s 2FA system favors Apple users
One of the things security experts regularly emphasise is that SMS-based 2FA is the weakest common form of 2FA. It’s better than having no additional protection at all, but SMS has no encryption and no sender authentication, and the phone network it rides on is open to abuse, so it’s a poor channel for a one-time code.
Apple’s 2FA does not use SMS by default. Every time you try to sign in to your Apple account, it pushes a sign-in prompt and a six-digit confirmation code to your trusted Apple devices. If you don’t have an Apple device to hand, like when you’re using Apple TV Plus or Apple Music on another platform, the system falls back to your trusted phone number, which means SMS (or an automated call).
Both of these things are problematic in their own way, thanks to Apple’s never-ending Apple-centric approach. It feels like a holdover from the days when Apple accounts and services were only accessible on Apple hardware.
This isn’t an issue if you’re primarily an iPhone user: whichever way the code arrives, it lands on the phone in your hand. The problem arises when you don’t have an iPhone, but still use Apple devices or services. In my case, I have an iPad for what little tablet use I do, but I also have an active Apple TV Plus subscription.
Apple’s Roku app loves to make me log back in all the time, and each time this happens I have to go through the 2FA process. Apple automatically sends a code to my iPad, which is locked away in my office and may not even be switched on, while I’m sitting on the couch with an Android phone in my hand.
It’s a minor inconvenience to have to go through the motions of claiming I never received a code, and then asking for one to be sent via SMS. But it’s not as though Apple gives me any options to do it some other way. Believe me, I’ve checked, and it seems to be a case of Apple’s way or the highway.
The only way I can see to stop codes going to Apple devices automatically is to remove them from the trusted device list on your Apple ID, and that is arguably more inconvenient if you own other Apple products. Plus, SMS 2FA is hardly an ideal fallback for a company that loves to hype up its data privacy prowess.
SMS-based 2FA is hilariously insecure
Apple being so rigid about its 2FA system isn’t necessarily a bad thing. Using a dedicated, device-based authentication system by default, and not letting users opt for something weaker, means their accounts are much better protected.
The problem is that the only backup, and the only option available to those who aren’t joined to their iDevices at the hip, is nowhere near as secure.
SMS 2FA is significantly more secure than only relying on a password to keep your accounts safe. But SMS itself is inherently insecure, and that makes SMS 2FA systems vulnerable.
For starters, it’s far too easy for attackers to talk your carrier into moving your phone number onto a SIM they control. It’s called a SIM swap attack, and there’s been a surge in it over the past few years. There are ways to better protect your number, such as setting a port-out PIN with your carrier, but the simple fact is that once attackers control your phone number they receive everything sent to it, including 2FA codes.
The phone network is also exposed to SS7 attacks, which abuse the signalling protocol carriers use to route calls and texts between networks, and which let an attacker intercept calls and messages and track a phone’s location. Likewise, syncing your text messages to another device puts you at risk if that device gets stolen or hijacked in some other way.
If Apple had any sense it would offer a second factor that isn’t SMS-based, if only as an option for people who have Apple IDs but don’t use an iPhone as their primary device. These people do exist, especially since Apple TV Plus and Apple Music are available beyond iPhones, Macs and iPads.
Then again, it wouldn’t be the first time Apple left non-iPhone users at the mercy of SMS. You only need to look at its ongoing resistance to RCS messaging, and the fact that the company’s early countermeasures against AirTag stalking were so iPhone-specific, to figure out that Apple apparently doesn’t care what happens to Android users’ data.
Apple is good at a lot of things, but there are times when it all seems a little… careless. The current state of its two-factor authentication is a good example of that. It’s almost as though Apple never adapted to the fact its services aren’t just available to iPhone and iPad users anymore.
This issue may only affect a very small number of people, relative to Apple’s entire user base. But it’s still incredibly bizarre, and worrying, that a company that prides itself on user privacy and security doesn’t have this stuff down to a T, for everyone, not just the ones that buy iPhones.
I can understand not giving customers the option to turn off 2FA. Likewise, using SMS as authentication of last resort is better than the alternatives. But maybe, just maybe, there should be another option, whether for people who don’t have an iDevice or for those who would rather avoid SMS 2FA wherever possible. If everyone else can do it, so can Apple.