rusl.net
Apple defeats its own two-factor authentication
2015-03-01

I have SMS two-factor authentication enabled on my Apple account. I have Text Message Forwarding enabled between my iPhone, iPad, and Macintosh.

[Image: forwarding.jpg] Text Message Forwarding enabled in the Messages settings on the iPhone.

Today I tried to buy an app from the App Store on my iPad. The App Store gave me the two-factor challenge: enter your password and enter the code we just sent to your iPhone via SMS.

Although my iPhone was in the other room, the Text Message Forwarding service dutifully sent the contents of the SMS straight to my iPad over the data channel, and the code was visible at the top of the screen. I typed in the code and purchased the app without needing physical access to my iPhone.

[Image: notification.jpg] The two-factor code from the SMS is displayed at the top of the iPad screen on the same page as the dialog box which asks for the code.

It’s worth noting that neither my iPad nor my iPhone was connected to Wi-Fi or Bluetooth at the time. Both were connected to the internet using cellular (4G LTE). The SMS message was presumably forwarded through the iMessage system since I don’t have iCloud enabled on either device.

Congratulations, Apple, you just defeated your own two-factor authentication system.

The implications of Text Message Forwarding are quite significant. Because SMS messages are transferred over to the data channel, you no longer need physical access to your iPhone. Physical access was the intention of most two-factor systems: something you know and something you have (you know your password and have your phone with you).

With Text Message Forwarding in place I can, for example, go travelling to a foreign country with just my iPad and leave my iPhone at home. While abroad I can use online banking which relies on SMS two-factor challenges. My iPhone stays at home, plugged in to power, and connected to my domestic cellular network. Farewell unreliable and expensive international roaming which I only needed for SMS. This is great for convenience, but it breaks the security model that the banks (and even Apple itself) had intended when they decided to use SMS for two-factor.

Incidentally, Australian telecommunications companies were calling on banks to abandon SMS for two-factor back in 2012 due to concerns about phone number porting security.