[hoorible]

Apple’s implementation uses SMS as a backup. Thinking is probably that if you only have one device, it’s usually your phone; so you would have been able get your 2FA code via text. It’s not easily discoverable though, so easy for you to miss it.

[varenc]

You can use SMS as a backup 2FA to login to your online Apple ID account, but that's not enough to access the iCloud keychain.

The decryption keys for that data are only stored on your iDevices. It's E2EE after all. So while you can access your Apple account via the SMS 2FA backup, you won't be able access your actual iCloud Keychain data/passkeys without some sort of access to your iDevices. (it might be sufficient if they're online somewhere and you have their login credentials?)

A bit confusing, but if it really is E2EE, then you can see why SMS alone wouldn't be enough to recover your Passkeys.

[FateOfNations]

There is a procedure for recovering access to the E2EE data in the event that you no longer have access to any of your Apple devices.

https://support.apple.com/guide/security/secure-icloud-keych...

[chrishas35]

> Apple’s implementation uses SMS as a backup.

I hope they'll go away from this, or at least give the option. I won't use their password/key storage until they do. 2FA is only as good as the weakest link, and SMS is the weakest possibility.

[daveoc64]

I don't think they can get rid of it, as not everyone using Apple's services has a supported Apple device.

They don't offer a standard like TOTP, so SMS is the only option.

[r00fus]

Is it possible to disable SMS at the carrier level?

[bloppe]

2FA is as strong as the strongest link, not the weakest. You need both factors, not either factor.

In this case, it's just that one of the factors has a weak backup option.

[avh02]

Until the "try another way" option is a weaker form of 2fa, like sms.

[al_borland]

So if I have a single device, a phone, and it gets stolen... what is the path to get my data back? And in the interum, if the theif swaps my SIM into another phone they now have my 2FA via SMS?

This all seems very messy when bad things happen.

[MBCook]

They solved this with a feature called “Recovery Contacts” in iOS 15(?). You can set them up and they’re people who cannot access your account but can help you regain access if necessary (such as your one device case).

I think you still need to know your password, but that’s pretty reasonable.

They also added a similar feature to allow you to get into a loved one’s account/phone after their death if they set it up.

[fauigerzigerk]

>They solved this with a feature called “Recovery Contacts” in iOS 15(?).

That doesn't solve it for me. None of my trusted contacts has an up-to-date Apple device.

[r00fus]

I think the answer to the "stolen SIM" from Apple may just be "use e-SIM".

I agree the inability to remove SIM as backup 2FA method is troubling. I would sign in blood any liabilities to be able to remove SIM as a backup auth.

[avh02]

Sim cards can have pin codes

[Spiritus]

Get an e-sim