Does anyone know what is the "iCloud security code" mentioned? Is it just the 6 digit code that Apple sends to verify iCloud access?
> Is it just the 6 digit code that Apple sends to verify iCloud access?
No. It is unrelated to Apple ID 2FA.
If it's what I'm thinking of, it used to be a user-visible thing[1] back in the day.
But now with the need for increased security posture in the modern environment it is now not user visible but held locally and encrypted using the local device secure enclave key. So you would typically now see a prompt for the device password so the enclave can be accessed to access the key to set up/renew iCloud access tokens.
As far as I am aware the only user-visible string still available in the Apple world is (for obvious reasons) the FileVault recovery key on macOS devices. Which is only visible once ... shown to you when you first enable FileVault.
[1] https://support.apple.com/en-us/101265
> If it's what I'm thinking of, it used to be a user-visible thing[1] back in the day.
It used to be user-visible, yes, but I wonder if TFA isn’t a little out-of-date, as the UI flow that used to work in order to see this (settings/icloud/keychain/advanced) isn’t there anymore on Mac or iOS. And random poking around indicates that they didn’t move it.
When one would be prompted to create a new code, the dialog said something about “changes to the servers” or something similar. Now, having read TFA, I wonder if that doesn’t mean an HSM got compromised somehow.
> I wonder if that doesn’t mean an HSM got compromised somehow.
I think the point is there are multiple HSMs in multiple locations under the control of different groups of people and a majority of HSMs have to agree...
I think it's longer than 6 digits. Long ago I did this and I remember it being a long code with dashes.
> long code with dashes
That sounds more like the FileVault recovery key?
May have been, but I thought it was recovery key for lost iPhone pass code.
First time I enabled iCloud keychain when it was released in iOS 7, it asked for both user defined security code (4-pin at the time) and a verification phone number.
When you switch to a new device and want to pull iCloud keychain to a new device you need to provide your security code (pin) and additionally a verification code that they send to the phone number.
Nowadays I’m not sure what my security code even is, because it stopped asking for it on new devices, since you can approve pulling iCloud keychain from another device.
This seems designed to provide an easy way for national state actors to get access to anything, since they can just tap and hide a SMS?
What do you mean “just tap and hide a SMS”? Maybe my brain isn’t fully booted and I need more coffee, but I’m not understanding what this means.
> SMS sent to their registered phone number
great.