From Apple's perspective, this is pretty simple. The company has sold a billion iDevices, whose features we control, so that's a lot of something you have. And everyone already has passwords, even though passwords often easy to guess.
So what could go wrong?
I recently enabled two-factor authentication on my Apple account. I'm surprised at how clumsy the implementation is. Let me show you.
The first time I used it I saw a log in attempt from Happy Jack, Ariz.
I had no idea where Happy Jack was, and for a moment thought it might be a hacker. It's 40 miles away and tiny. So yeah, geographic accuracy is not good.
But I can live with that, even though it is sloppy. You click Allow.
This is the weirdest part: the next window presents you with a six-digit code to enter into your PC/Mac to authenticate the system.
Think about this. You are sitting in front of PC/Mac. You are holding the phone in your hand.
You receive the Sign in Requested notification. You click Allow. You should be done, right?
But no! You have to enter the Apple ID Verification Code on your PC/Mac. Which is weird.
Because if the phone signaled Apple that you are allowing access, you've satisfied the have with the know. And if you have the device and can click allow, obviously you can read the digits.
Entering each digit is six extra steps beyond Allow that you don't need.
How about zero digits? Would zero digits work for you?
There's an alternative method, which I've been using for years, from Duo Security. It is a simple as possible method that requires only one click.
I've tried to figure out Apple's logic, and the best I've come up with is that it reduces message traffic. But six digits? Would three or four be less secure, given a limited number of attempts? Less security friction please!
The Storage Bits take
Perhaps Apple is protecting itself -- and us -- from some awful iPhone security issue . In which case, why don't they fix that?
The important thing is to get millions of people using 2FA to improve security on the internet. Adding complexity, where none is needed, drives people away from greater security.
Maybe I'm missing something here, but as I've been using Duo for years, I think not. Apple, let's tweak your 2FA to make it the easiest to use -- so everyone does.