IOS "Two-Factor Authentication" and PCs on the web

My phone and Mac are bugging me to turn on Two-Factor Authentication but I haven’t found any description anywhere of how web access via my work PC would get me into iCloud. It’s not my PC and I’m not allowed to install personal software on it. Will I still be able to use the PC to access my calendar, notes, reminders, et cetera?

Thanks!

I go to iCloud.com and have access to everything there.

Accessing icloud.com will get you into the things you want–currently. If you turn on 2FA, iCloud will sometimes ask you to confirm yourself by typing a 4-digit code into your work PC’s web browser. They’ll give you that code over your phone, which means the phone requires internet access at your work.

I’m almost certain you would, they seem to have thought it out pretty well

I would absolutely turn it on

We might have a different president if people had used two factor authentication

They text it to you via SMS, right? That doesn’t require internet access, just cellular service.

Yep.

Thanks everybody!!

Of course, the NIST has pointed out that 2FA is really not secure and should be avoided.

Which, oddly, has resulted in none of the big companies switching over to an actual secure system.

Anyway, don’t think that you’re going to be safe using it.

To be fair they have said the 2FA via SMS should be avoided.

SMS has variable and often low quality encryption, and this is only on the radio link anyway. The link from the sender to the radio network provides no encryption. So any state actor could be reasonably expected to be able to intercept an SMS based 2FA login key. Interception by other nefarious actors is probably not too hard either.

This doesn’t mean 2FA is a bad thing. Indeed if you use Apple’s closed environment and have an iPhone the second key won’t come via SMS anyway. iMessage has end to end encryption. The lack of this with SMS is its downfall.

As noted by the NIST report, the foremost problem is the SMS being sent to a faked phone number.

End-to-end is fine if both ends are first verified as being authentic.

And if you have verified that the SMS is being sent to the correct device in the correct hands then you’ve gotten to the level of security you need anyway. I.e., the authentication has been achieved. Sending an SMS at that point is a waste of bits.