by sschueller 1684 days ago
They also never bothered to implement the 2-factor code popup on old systems, but are forcing users to use 2FA.

So you now get to explain to grandma that she needs to enter her iCloud password, get a password error, click on approve on her iPhone, then enter her password again with the 6-digit code shown on the iPhone appended to the end of her password.

6 comments

I made the mistake of reinstalling macOS on my late 2015 rMBP using internet recovery. I found myself locked in a loop where I couldn't upgrade to the latest macOS because it required 2FA.

I called Apple Support and they didn't tell me this information and simply said they can't bypass or disable 2FA. It was only by researching that I discovered this workaround.

This was one of the worst user experiences I have experienced on an Apple product.

I feel like they patched in an error message explaining this on older versions of OS X, because I definitely was prompted to do it this way. Maybe just in iTunes?
That's a neat hack if you only have one input box. But all the extra code on the backend needed to differentiate between a normal password and a password+pin sounds like something which could accidentally weaken security.
It's really not that complicated given it's a fixed 6-digit appendage.
A secure app shouldn’t be sending passwords in the clear though.
Maybe they’re leveraging RADIUS for some of that?
Or PAM, or BSD_Auth, or AD, or ... there's a lot of options.
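
The concern raised above, that backend code telling a plain password from a password plus code could weaken security, is shown here as an added example. It is not part of the thread and not Apple's implementation; it assumes RFC 6238 TOTP codes and a PBKDF2 password hash, and the account record and function names are hypothetical.

```python
import hashlib
import hmac
import struct

CODE_LEN = 6  # the thread describes a fixed 6-digit suffix


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed scheme, not taken from the thread)."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_LEN).zfill(CODE_LEN)


def verify_single_field(account: dict, submitted: str, now: float) -> bool:
    """Check a one-box login where the code is appended to the password."""
    if not account["two_factor"]:
        candidate = hash_password(submitted, account["salt"])
        return hmac.compare_digest(candidate, account["pw_hash"])
    # 2FA account: always split off the last six characters. Retrying the whole
    # string as a bare password here would silently turn the second factor off.
    password, code = submitted[:-CODE_LEN], submitted[-CODE_LEN:]
    well_formed = len(code) == CODE_LEN and code.isascii() and code.isdigit()
    # Evaluate both factors every time so a failure does not show which one was wrong.
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    expected = totp(account["secret"], now)
    code_ok = hmac.compare_digest(code.encode(), expected.encode())
    return well_formed and pw_ok and code_ok


# Constructed sample account: the password itself ends in six digits.
SALT = b"constructed-salt"
ACCOUNT = {
    "two_factor": True,
    "salt": SALT,
    "pw_hash": hash_password("grandma-2015-123456", SALT),
    "secret": b"12345678901234567890",  # RFC 6238 test secret
}

if __name__ == "__main__":
    print(verify_single_field(ACCOUNT, "grandma-2015-123456" + totp(ACCOUNT["secret"], 59), 59))
```

A production check would also accept adjacent time steps for clock skew and reject a code that has already been used.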

Supposedly they can also see which capabilities the client has, allowing the fix server side. Why they did that we can only speculate, same with why it's not well known.

I can imagine an engineer with a kid who got a hand-me-down from mom/pop, and them silently fixing it this way because it's within their expertise.

I'd like to hear the authentic story behind it. Hopefully one day!

Oddly, this is explicitly spelled out in old versions of iOS. I learned of it recently because my aging iPhone 8 died and I tried to revive my iPhone 5 while waiting for a replacement. (It did start up but was basically useless otherwise.)
WHAT! How did I not know the append-the-code trick?
I spent some time searching the web in my frustration thinking that 2FA was impossible on this MacBook. I think it was a Stack Overflow comment somewhere that said to try this...
It's a common hack, e.g. Salesforce does the same for the security token, IIRC same with GitHub.
I've also seen the "append the 2fa code at the end of your password" trick work for other older products that only have one input box. An example is the discontinued Amazon Kindle Windows UWP app.
From memory, the error message it gives says this is what you do. Though I've long since accepted that no one ever reads what the message says.