Accessing iCloud via Web browser?

[Tartarus]

I can open Gmail from any computer. I think it does send a notification to my Android phone. But the site works when I am away from my phone. Same with outlook.com.

If I don’t have my iPhone with the Google Authenticator app on it with me, I can’t access Gmail or any other Google services.
Same goes for Hotmail and some other apps I have on my phone.

2FA is meant to make it impossible for people without access to the iPhone to access your account, be it Apple, Google or some other service.

If you by any chance don’t have your iPhone with you, you can’t prove it’s you that wants access.

Yes, 2FA is highly inconvenient if you don’t have the authenticator app or iPhone with you, but sure is much safer than not having 2FA enabled.

 

[Andrew Brehm]

If I don’t have my iPhone with the Google Authenticator app on it with me, I can’t access Gmail or any other Google services.
Same goes for Hotmail and some other apps I have on my phone.

2FA is meant to make it impossible for people without access to the iPhone to access your account, be it Apple, Google or some other service.

If you by any chance don’t have your iPhone with you, you can’t prove it’s you that wants access.

Yes, 2FA is highly inconvenient if you don’t have the authenticator app or iPhone with you, but sure is much safer than not having 2FA enabled.

No doubt, but that is not the point.

If the Web interface can only be used when one has one of the iCloud-enabled devices on oneself, the Web interface is useless.

With Gmail and Hotmail I can use the Web interface without 2FA. With iCloud I had to enable 2FA because otherwise it would not allow me to use non-Apple devices to access iCloud. (And the Web interface refuses to run on Android browsers too.)

If security were the real goal here, there would be no Web interface that cannot be used unless one has a device that can access iCloud without the Web interface. The existence of a Web interface is a security risk. The existence of a useless Web interface is an unnecessary security risk.

 

[Tartarus]

No doubt, but that is not the point.

If the Web interface can only be used when one has one of the iCloud-enabled devices on oneself, the Web interface is useless.

With Gmail and Hotmail I can use the Web interface without 2FA. With iCloud I had to enable 2FA because otherwise it would not allow me to use non-Apple devices to access iCloud. (And the Web interface refuses to run on Android browsers too.)

If security were the real goal here, there would be no Web interface that cannot be used unless one has a device that can access iCloud without the Web interface. The existence of a Web interface is a security risk. The existence of a useless Web interface is an unnecessary security risk.

I just tried and both Gmail and Hotmail asked me to enter a verification code from an authenticator app. Not sure why both services don’t require it with you. Perhaps you simply haven’t enabled 2FA for those services.

You see the web interface as a stand alone service, while I consider it a extension of the iPhone or any other iDevice.

 

[scruffypig]

And...?

“With iCloud for Windows, you’ll have your photos, videos, mail, calendar, files, and other important information on the go and on your Windows PC.”

 

[Lee_Bo]

I don't remember what it was in that specific instance. I think it was a Windows laptop. Basically, I need to use the Web interface whenever I don't have any of my iCloud-connected devices with me. (When I have one of my iCloud-connected devices with me, I use that.)

Well a specific example would help, otherwise we're all just going around in circles.

 

[Andrew Brehm]

Well a specific example would help, otherwise we're all just going around in circles.

That was the specific example: a Windows laptop and no iCloud-connected device around.

 

[Annie_M]

I frequently log into iCloud on my Windows PC at work. I do have my devices with me, so it's not an issue. I have chosen not to install iCloud for Windows on this PC because it's not "my" machine. I understand your frustration, but it's just the way it is.

 

[li2327]

Once you login to the windows device for the first time and choose trust browser. You won’t have to use a verification code again. It only forces you the first time which makes sense. I logon to my iCloud on my work windows pc without my phone. No access code needed.

 

[Annie_M]

Once you login to the windows device for the first time and choose trust browser. You won’t have to use a verification code again. It only forces you the first time which makes sense. I logon to my iCloud on my work windows pc without my phone. No access code needed.

Thank you for pointing that out!

 

[Lee_Bo]

Once you login to the windows device for the first time and choose trust browser. You won’t have to use a verification code again. It only forces you the first time which makes sense. I logon to my iCloud on my work windows pc without my phone. No access code needed.

True, but it you are logging in from a new laptop and don't have any of your devices with you, then you won't be able to trust the browser since you need the 2FA code to get in.

I guess the bottom line here is, if you are logging in from an untrusted browser, and 2FA enabled and don't have any of your devices with you, then you're up that wonderful creek with no paddle.

 

[Andrew Brehm]

True, but it you are logging in from a new laptop and don't have any of your devices with you, then you won't be able to trust the browser since you need the 2FA code to get in.

I guess the bottom line here is, if you are logging in from an untrusted browser, and 2FA enabled and don't have any of your devices with you, then you're up that wonderful creek with no paddle.

Indeed.

And that was exactly the situation I thought Web access was for.

If I have any of the other devices with me OR had time to prepare the non-registered device, I would have no need to use the Web interface anyway.

It's a perverse catch-22.

If I am lost in the wilderness (i.e. in a foreign city, robbed of my phone etc.) I have no way to access my contacts and email from a stranger's computer.

And if am not lost in the wilderness (i.e. I have all my devices and wasn't robbed) I can access my contacts and emails and have no need to use the Web interface.

 

[Tartarus]

Indeed.

And that was exactly the situation I thought Web access was for.

If I have any of the other devices with me OR had time to prepare the non-registered device, I would have no need to use the Web interface anyway.

It's a perverse catch-22.

If I am lost in the wilderness (i.e. in a foreign city, robbed of my phone etc.) I have no way to access my contacts and email from a stranger's computer.

And if am not lost in the wilderness (i.e. I have all my devices and wasn't robbed) I can access my contacts and emails and have no need to use the Web interface.

The 2FA security is there to keep strangers from editing or removing stuff in your iCloud.
Say you make iCloud on the web accessible in a read-only version without 2FA, you eliminate the deleting and editing stuff, but still keep it possible for strangers to access your private information.

The best thing you could do is to write down the most important phone numbers on a piece of paper and keep it on your person at all times.

While the scenarios you think of are all stuff that can happen at anytime, I actually appreciate the way 2FA works in this case and wouldn’t want Apple to change it if it will affect protection and security in a negative way.

 

[Lee_Bo]

If I am lost in the wilderness (i.e. in a foreign city, robbed of my phone etc.) I have no way to access my contacts and email from a stranger's computer.

If I'm lost in the wilderness, accessing my contacts and email are going to be the last thing I want to do.

 

[Andrew Brehm]

If I'm lost in the wilderness, accessing my contacts and email are going to be the last thing I want to do.

You really must continue reading the entire sentence before you reply!

 

[Andrew Brehm]

The 2FA security is there to keep strangers from editing or removing stuff in your iCloud.
Say you make iCloud on the web accessible in a read-only version without 2FA, you eliminate the deleting and editing stuff, but still keep it possible for strangers to access your private information.

The best thing you could do is to write down the most important phone numbers on a piece of paper and keep it on your person at all times.

While the scenarios you think of are all stuff that can happen at anytime, I actually appreciate the way 2FA works in this case and wouldn’t want Apple to change it if it will affect protection and security in a negative way.

I can imagine dozens of situations where I can lose literally everything except what I can remember.

As I said in a situation where I have not lost my stuff, I don't need the Web interface.

And in a situation where I need the Web interface, I need my stuff to be able to use the Web interface.

2FA is great for security but without the Web interface, it would be even more secure. Why keep a Web interface around if users can only access it when they don't need it? I cannot imagine a situation where I have one of my iCloud devices around but would prefer to use the Web interface instead of the apps on the device.

I also have a suspicion that the four-to-six digit code on my phone is easier to hack than a 20-characters password of the Web interface. So if someone steals my phone, which I (and he) can use to access my data, why make it hard for me (and less fo for him, since he has my device) to access the Web interface?

 

[Just_Me_D]

I can imagine dozens of situations where I can lose literally everything except what I can remember.

Dude, if you’re 50 and older this is a reality with or without iCloud...

As I said in a situation where I have not lost my stuff, I don't need the Web interface.

Understood and you already know you don’t have to use the web interface.

And in a situation where I need the Web interface, I need my stuff to be able to use the Web interface.

This will likely be the case for any service that offers 2FA and a web interface.

2FA is great for security but without the Web interface, it would be even more secure. Why keep a Web interface around if users can only access it when they don't need it? I cannot imagine a situation where I have one of my iCloud devices around but would prefer to use the Web interface instead of the apps on the device.

I hear you, but just because you can’t imagine a situation where you’d prefer the web interface while your devices are with you doesn’t mean others will feel the same way. When I’m at work, I have dozens of tabs open in my web browser. Even though my iPhone is on my desk, I don’t want to use it to access certain information because I already have the tab open in my desktop’s browser.

I also have a suspicion that the four-to-six digit code on my phone is easier to hack than a 20-characters password of the Web interface. So if someone steals my phone, which I (and he) can use to access my data, why make it hard for me (and less fo for him, since he has my device) to access the Web interface?

Unless you have a code of 1234 or 123456 or some crap like that then I would agree. Other than that, I disagree. You only have a certain amount of chances to input the correct passcode before being locked out of the device.

 

[Tartarus]

2FA is great for security but without the Web interface, it would be even more secure. Why keep a Web interface around if users can only access it when they don't need it? I cannot imagine a situation where I have one of my iCloud devices around but would prefer to use the Web interface instead of the apps on the device.

I use the web interface from time to time to scroll through my contacts and edit some stuff. It’s easier and faster to do on the web interface than on an my iPhone.
Other people may find other useful purposes for the web interface. You’re not being forced to use it.
Apparently Apple deemed it necessary to launch a web interface and keep it online. Don’t forget having such an interface and maintaining it takes time and costs money. So why would Apple still keep it up if what you say is true for the majority of their users?

I also have a suspicion that the four-to-six digit code on my phone is easier to hack than a 20-characters password of the Web interface. So if someone steals my phone, which I (and he) can use to access my data, why make it hard for me (and less fo for him, since he has my device) to access the Web interface?

You suspect wrong. If someone steals my phone they would have the hardest time to enter my device by hacking it. Even if they managed to do that, the first I’d do is to change my iCloud password so they have no way to use my phone to enter my iCloud.
And obviously I’d wipe out my device remotely before they had the chance to do stuff. But that’s me.

And frankly, you sound bitter. Who hurt you?

 

[Andrew Brehm]

And frankly, you sound bitter. Who hurt you?

Apple.

They make me jump through hoops to use iCloud from Android (Web site doesn't work, iCloud insists on 2FA).

And since I have to use 2FA for my Android devices to work with iCloud, the Web interface is now useless to me.

I will switch to Outlook or Gmail for everything soon enough. They are both less interested in blocking competitors from their service and life appears to be easier for the users.

 

[Tartarus]

Apple.

They make me jump through hoops to use iCloud from Android (Web site doesn't work, iCloud insists on 2FA).

And since I have to use 2FA for my Android devices to work with iCloud, the Web interface is now useless to me.

I will switch to Outlook or Gmail for everything soon enough. They are both less interested in blocking competitors from their service and life appears to be easier for the users.

You can receive 2FA on your mobile number on any device.

 

[Andrew Brehm]

You can receive 2FA on your mobile number on any device.

That would again be a situation where I don't have to use the Web site because I have my phone with me with address book and calendar and email and everything.