Apple Two Factor Authentication and Sign-In Location

I set up two-factor authentication for my Apple ID yesterday. I had tried previously, and it was a disaster. In spite of some confusing instructions from Apple, it seems to have worked so far.

But I was surprised to find that, when I was logging into different devices, it didn’t show the correct location.

I’m not near London; I’m about 100 miles away.

Coincidentally, Glenn Fleishman has an article in Macworld about this today. But he doesn’t really explain why this happens. He mentions someone in Louisiana, who is told he’s logging in near San Fransisco; or his wife, who gets told she’s logging in about 30 miles from where she is.

I don’t use a VPN, which would certainly affect this, and I find it surprising that the Apple devices that already know my exact location can’t pass this info on to Apple’s authentication servers. Because if I look on Apple Maps on the same iPad, it pinpoints me, exactly where I am.

This is particularly disturbing because it may make you think that someone is trying to hack your account. If you have just tried to log into your Apple ID on a device, you can safely assume that the alert is simply worng. Or can you? This doesn’t seem like good security to me.

7 thoughts on “Apple Two Factor Authentication and Sign-In Location

  1. If Apple are using a 3rd party product to to the 2-factor then it is likely that it is just using the geo-location of your IP address, and that means your location is your ISP gateway location where your IP address exits the internal ISP network and shows up in the public Internet.

    Cheers, Liam

    • How does that make sense? The device knows my precise location – either through a cell tower, wifi router, etc. – and it should display that location. What’s the point of this otherwise?

  2. I don’t think it’s the device end that is generating the location – I think it’s the server end, and that it’s a 3rd party product (lie Duo, or SecureID) that Apple is using – and that 3rd party server-side software is using the geolocation of your the IP address it sees the Apple ID sign-in request for it’s location information. Doing that is poor form, but most of the enterprise software works that way.

  3. I live in Melbourne, Australia, and when I log in I routinely get the message that I’m logging in in Sydney, almost 1000km away. What’s even worse is that when I log in to iCloud mail in Safari on my MacBook Pro, I get the “AppleID Sign In Requested” message on that same MacBook Pro! (As well as on my iPhone). Which makes it officially useless as a security feature.

  4. I get hooked by this “location” thing all the time by Facebook — and have even been locked out several times because they then require you to identify friends from random photos in the friend’s photo library … like cars and office buildings. (Sheesh!)

    I travel a lot and am logging from places all over the world and this location thing is a really irritating system. As smart as those guys are, you’d certainly think they could have already come up with a better system.

    I mean how likely is it that some “unauthorized” log-in is going to have a) my email, b) my password, and c) my “secret” question all correct. I use iron clad passwords, usually at least 16 characters, generated by the killer password generator, and my “secret” answer to the “secret” question is known ONLY by me.

    IMHO, Medium has the ideal security system … you log in with your email address, and they email you a new, unique PIN to get in. If the criminals can get in that way, I’ve got a lot worse problems than accessing Medium . . . or Apple for that matter.

    Since every device has a unique IP address, hard coded to the machine, you’d certainly think Apple would be smart enough to identify the device with 100% accuracy. Again, if the crooks have the device, you’ve already lost anyway.

    just sayin

  5. On a good day, an Apple login thinks that I am 50 miles from my actual location. Usually, it’s 150, and often, 280. I live in a sparsely populated state, but the system often ignores the nearer, larger cities, in favor of obscure ones.

    Another problem is that every browser is seen as a “new device”, which means each time I launch a browser for the first time, I have to have two devices handy, so that I can confirm on the second device the distance-delusional login location of the first. OS upgrades and some browser upgrades restart the whole process. It’s a dumb system, and user-hostile. Some of its elements decrease security, and all of them decrease convenience.

  6. Same happens to me here in Melbourne, Australia. It was really worrying the first time it occured. I thought someone had hacked into my account from across town from where I live. It happens every time I initialise a new device. As someone who turned away from Microsoft’s ecosystem about 10 years ago, I feel that Apple today is showing the same lack of attention to detail that Microsoft has always shown. In doing that, Apple is letting itself down. Today, I feel Apple is no better/different than Microsoft – Apple’s stuff doesn’t ‘just’ work – same as Microsoft’s stuff doesn’t. I feel let down.

Leave a Comment