iOS: Why does Apple ask for your passcode when setting up two-factor authentication?

A Macworld reader who prefers to remain unidentified (since
we’re talking about security issues) wondered why Apple asked
for his iPhone passcode when he was setting up two-factor authentication (2FA).

I am a great supporter of 2FA as a way to deter the potential
of ne’er-do-wells achieving access to your accounts through
password breaches or other problems, since 2FA requires a
physically present element in your possession (like your Mac or
another iOS device) to confirm an account login.

However, our reader didn’t want to give up his passcode to
Apple. What’s the point of having a secret passcode that
protects your data and keeps criminals, governments, and nosy
parkers out of your affairs if you simply hand it over?

Hold the phone, I wrote back—quite literally: hold the phone.
The problem is that Apple is explaining poorly why they’re
asking for your iOS’s passcode. The company does everything in
its power to never know your secret codes, and this case isn’t
an exception. It’s just that Apple, in an effort at simplicity,
doesn’t provide reassurance and documentation about what’s
happening behind the scenes.

The dialog our reader sees reads as follows:

mac911 passcode 2fa entry request
IDG

Apple asks for your passcode for some 2FA activations, but
doesn’t transmit it.

That sure sounds as if Apple possesses the passcode after you
enter it. However, Apple uses an encryption technique in which
it makes use of the passcode only when it is entered on the
device to encrypt the set of data described. It doesn’t retain
the passcode in unencrypted form on the device ever—the
passcode itself is stored only in a cryptographically
transformed version in iOS devices’ Secure Enclave chips—and
the passcode isn’t passed off your device to Apple. Instead,
only the encrypted form of the data becomes available on other
iOS devices. Using the same passcode on these other devices
unlocks that encryption on those other devices. Apple never
possesses the secret: only you do. You typically see this or a
similar dialog only with iCloud Keychain, which is the basis
for a lot of user-access-only transfers of data via iCloud.

The uniqueness of this request for one’s iOS passcode makes it
seem different, and, without a lot of reassurance, it seems
wrong.

Apple explains this in painstaking detail in a white paper,
iOS Security,” updated mostly recently in
January 2018. But it could provide much less exotic warm
fuzzies by stating: “Your passcode never leaves your device” or
something similar. It doesn’t even mention the possibility of
the above dialog box in its
2FA setup instructions
, seemingly an oversight.

Never take it on trust what a company is doing with your data.
That makes this undocumented and underexplained portion of 2FA
setup unfortunate on Apple’s part, even if we can determine
that it’s still adhering to its security and privacy
philosophy.

Ask Mac 911

We’ve compiled a list of the questions we get asked most
frequently along with answers and links to columns:
read our super FAQ
to see if your question is covered. If
not, we’re always looking for new problems to solve! Email
yours to [email protected] including screen captures as
appropriate, and whether you want your full name used. Every
question won’t be answered, we don’t reply to email, and we
cannot provide direct troubleshooting advice.

%d bloggers like this: