2FA on MacOS from Android

Hi gang,
I’m a MacOS lover and an iOS hater. When it comes to the handheld device world, I just prefer Android. It seems that MacOS is more and more demanding that I use 2 Factor Authentication. However, with no iOS devices, I’m not sure if it is even possible. (I searched and couldn’t find this question, though it does seem like something you’d address). Any info from this group would be great.
Thanks All!

Under Windows, Linux and Android I use a Yubikey for 2FA where possible. I find them more convenient and more secure than using a smartphone. I also have a backup in my safe for the event that the first one gets damaged, lost/stolen - I’ve been using them for nearly a decade and haven’t damaged or lost one yet - you just disable the damaged/lost one on all services that use it and carry on with the backup (remember to order a new backup though! :wink: ).

I use it for Windows and Linux logon, 2FA for 1Password and LastPass, and for my Microsoft, Twitter and Google account, for example.

I’m assuming that the integration with iOS is unique for macOS and it won’t work with other platforms.

Apple wants you to have a “trusted device” for the second factor. That’s usually a second Apple product, but you can also use a phone number, instead. Instructions here:

It’s kinda absurd that there is no option to use an authenticator app. Their security scheme is annoying. A few months ago my password randomly stopped working, and to regain access I had to enter both a code that was emailed to me and one texted to me and then wait for Apple to vet me. It was super annoying.

As @big_D mentioned, YubiKey is a great solution and it works on all platforms, seemingly including Mac:
Using YubiKey with macOS - YubiKey

@Leo I think you’re a YubiKey (or similar) user, right? Any thoughts about using with Mac, or any changes on the new M1 Macs?

There is a difference between using the Yubikey ON the platform or WITH the platform. You can use a Yubikey on MacOS (or probably even iOS) because it appears as a USB device, frequently a USB keyboard, but a data device with a special protocol for FIDO. That doesn’t mean that the OS itself will accept it for authentication events.

Did you follow my link? That was how to use it to log onto macOS.

It is odd though that Apple doesn’t support authentication apps. I still have a very old iPhone 5c. The only thing it gets used for is 2FA for my Apple account.

@big_D I think you’re confusing Apple’s two-factor with general two factor. Apple has its own system which does not support the Yubikey as far as I know. That’s the one that sends a code and map location to another Apple device.

I’d guess Apple’s argument is that by keeping it inside their own ecosystem they can ensure it’s more secure.

A… I’m geeking out a bit having a back and forth with Leo!
B… I’ll give it a shot with a phone number. It doesn’t really say how it communicates with that number. Assuming it’s a text of a code and I type that in? I guess I’ll find out. I have avoided it until now because I was a bit afraid I’d be locked out. The documentation just isn’t clear enough in that moment it’s asking. I’ll give it a shot. Thanks gang!

An automated voice actually calls you!

Is it Siri? If so… I might be on the fence again! :roll_eyes::grin:

The Yubikey link shows a user sticking the Yubikey into their MacBook to log onto macOS itself - you see the logon screen and then the desktop.

Securely log in to macOS with the YubiKey, a powerful security key, by using the native smart card (PIV) mode or by setting up Challenge-Response using the Yubico Pluggable Authentication Module (PAM). These methods help better create the ideal ecosystem for a password-less future.

The macOS Login Tool allows for secure two-factor authentication on Macs using the HMAC-SHA1 challenge-response feature of the YubiKey. It seems to be a UNIX PAM module for enhanced authentication, similar to how it is done on Linux.

Note: Enabling full disk encryption (FDE) with FileVault is highly recommended when using the macOS Login Tool. If you do not enable FDE, it is possible to reboot the Mac into recovery mode and disable the 2FA requirement.
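
The HMAC-SHA1 challenge-response flow mentioned in the post above, as an added illustration in Python that is not part of the thread and not Yubico's code. `SoftToken`, `HostState` and `ReplayToken` are hypothetical names, the software token stands in for the hardware key, and the stored-state design (rotating challenge, salted hash of the expected response) is an assumption about one way a host can verify offline, not a description of the macOS Login Tool.

```python
import hashlib
import hmac
import secrets


class SoftToken:
    """Software stand-in for the hardware key (constructed for this example).
    It holds the shared secret and only ever releases HMAC-SHA1 responses."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()  # 20 bytes


def _digest(salt: bytes, response: bytes) -> bytes:
    # Store only a salted hash, so reading the state does not reveal a usable response.
    return hashlib.pbkdf2_hmac("sha256", response, salt, 10_000)


class HostState:
    """Hypothetical per-user state on the host: challenge, salt, hash of the
    expected response. The secret itself never leaves the token."""

    def __init__(self, token):
        self._rotate(token)

    def _rotate(self, token) -> None:
        self.challenge = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        self.expected = _digest(self.salt, token.respond(self.challenge))

    def login(self, token) -> bool:
        candidate = _digest(self.salt, token.respond(self.challenge))
        if not hmac.compare_digest(candidate, self.expected):
            return False  # wrong key or replayed response: state stays unchanged
        self._rotate(token)  # fresh challenge, so the response just used is dead
        return True


class ReplayToken:
    """Models a recorded response being played back instead of a live key."""

    def __init__(self, recorded: bytes):
        self._recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded
```

The host state protects the login prompt only; as the note above says, it can be bypassed from recovery mode unless the disk is encrypted.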

I think there is a confusion here between authenticating to the device (MacOS) and authenticating into the Apple ecosystem (AppleID). Certain events in the Apple ecosystem (such as adding a new device) require you to authenticate your AppleID, and in that case they seem to roll their own system using trusted devices, and the Yubikey can’t be used (that I am aware of.)

Ah, okay. The OP sounded like he was talking about macOS, my mistake.