I know when you first set up your mac with your Apple ID, up pops the authentication dialog on your phone and then once you confirm, a number pops up. That’s fine. In fact, this happens when you try to log into the Apple Store or when you log into iCloud for the first time.
How to make this happen every time you log into your Mac rather than just the first time? I would especially like to see this happen when the computer is shut down and rebooted (e.g. someone may have stolen your computer).
I would assume it is possible to make things work exactly as you would like them too. My guess is they probably don’t because it would require making the PC forget that it has already had 2FA used. Which would probably also make other things forget that information making a lot of other things a lot more complicated. Think the days of Vista when they first introduced UAC and it would constantly ask if the user was authorizing an action to the point that people just clicked through it without reading. I know on Windows it is possible to make the PC revert back to a saved state each time someone logs out of it or daily. Companies use that for Kiosk type machines and guest machines. Beyond that I assume that OS makers removed this type of behavior to enhance the user experience and it would probably take some manipulating or 3rd party programs to achieve what you are looking for.
I understand where you are coming from but I don’t think it would be such a burden to have 2FA kick in when a person restarts their computer or logs out of their account.
I’m not saying it would be a burden to have that happen at all, I’m just saying that I believe they went the direction of ease of use for the user because most people won’t use things that complicate their experience until faced with a situation that makes them feel insecure enough that they are willing to go the extra step to make their information and systems safe. Everything today is about convenience I believe that is among the biggest reasons people have a hard time adopting a different OS like Linux is because it is a little more complicated and a little less polished then Windows that was made to be very user friendly at the expense sometimes of security. Apple is the same way except they are a little more security oriented.
Now that I think of it, why does Apple require you to enter a passcode when you restart rather than ask for your fingerprint (if you have a computer with a fingerprint reader)? I would think your finger print is more secure? And why not, as a matter of 2 factor, require both when you reboot?
Everybody continues (rightly) to press us to use 2 factor for banks and other highly sensitive websites, why not do this for our own computer? And if you don’t set Last Pass correctly, if someone does get into your computer, all they have to do is open Last Pass and they have all your passwords.
And to make matters worse, if they have your password to your bank from Last Pass and your bank is set to send a 2nd code via text, all someone needs to do is open Messages on your Mac to get that code!
Exactly, as I said everything is being made more convenient but at the risk of less security, I believe @Leo has said it multiple times, you can have convenience or you can have security but most pick convenience over security thinking nothing will ever happen to them.
Smartphones do the same thing, they ask for your pin code or something along those lines after restarting and will not let you use fingerprint. A flaw in the technology maybe? Security reasons for not letting biometrics start until the device is signed in? I don’t know the answer to that one. I’m sure there is software out there that adds these additional security features to your device.
I just ran into this topic, a little bit late. I think there are more subjects within this community than I normally see.
I believe the 2FA we Apple users see on our Apple devices when we first log on to them is related to the device logging into our Apple ID account, not our logging onto the user account on the device. And, not only do we have to authenticate logging in, but we have to authenticate signing out of the Apple ID account. Try disabling Find My Phone or Find My Mac.
And you don’t ever want to lose your Apple ID password or ability to recover it, because if you cannot disable Find My … or log into the account, you cannot recover the device to factory settings.
And, beware. If you have set up your Mac to use iCloud Drive for Desktop & Documents (default for setting up a Mac), they disappear from your computer every time you sign out of iCloud. Same with a bunch of other iCloud based features on the Mac but they give you the option to keep the data on the device.