Comment by paxys 5 days ago

28 replies

And it's even worse if you are accessing Apple services on a non-Apple device. No matter how many times I click "trust device" when logging in to icloud.com it will still make me do the password + one-time code song and dance the next day.

Another pointless annoyance - if Face ID fails when making a payment or installing an app (like it frequently does for reasons like sleeping in bed or wearing sunglasses) it won't fall back to PIN but ask you to enter your Apple account password. Why?? And of course when you're on that prompt there's no way to open your password manager without cancelling out of it entirely. Makes for a fun experience at the checkout counter...

whiplash451 4 days ago

In 2025, I don’t think that accessing apple accounts on a non-apple device is a happy path for apple anymore.

  • apitman 4 days ago

    "Trust this device" is the modern day elevator door close button.

    • arccy 4 days ago

      I've found that it's only american elevator door close buttons that don't work.

      The rest of the world manages to keep them operational.

      • pests 4 days ago

        On US elevators there is a minimum open duration to accommodate the handicapped or disabled. The door close button can’t force the door closed any faster.

        Then most set the auto-close duration equal to this minimum open duration and you get this appearance of buttons doing nothing.

      • CjHuber 2 days ago

        As an obsessive door close button presser, I can definitely tell you that there are many elevators in Europe where the button doesn't work either

mlinhares 5 days ago

Why in the world does it need you to type a code if you have already accepted it at the other device? This whole flow is stupid, I guess they want to cover their asses.

  • reddalo 4 days ago

    I agree with you, but it's the same reason why Microsoft asks you to type a numeric code generated by their Outlook app in order to log in. It's to prevent people from dismissing the alert by clicking "OK" without even reading (especially if they're in the middle of something else, e.g. during a scam phone call).

    • brendoelfrendo 4 days ago

      Right, the numeric code is proof of intent. In theory, tapping "ok" or "yes, this is me" should be proof of intent. In reality, it's common for those who have compromised someone's password to flood people with these notifications and auth prompts to get them to eventually say "ok," even if by accident.

      • mrandish 4 days ago

        > it's common for those who have compromised someone's password to flood people with these notifications and auth prompts

        And by excessive reauthing, legit platforms and apps are helping scammers by conditioning users to click "OK" or enter a passcode reflexively just to get on with their lives. Frequent reauth makes everyone less secure.

        • brendoelfrendo 3 days ago

          I don't disagree, and I appreciate your keeping the conversation on-topic, but that's very much an incomplete picture. I think our modern app ecosystem as a whole conditions users to click "OK" reflexively. A hypothetical app wants permissions for your camera, location, and file storage. If you click OK, you can use the app. If you don't, some functions may not work. I think the average user gets caught in the desire to use an app for its intended purpose and the need to tinker with settings - which they may or may not understand - if they want to use that app securely. So, they just say OK to everything.

          Of course, that's not the only situation with these push notifications. MFA fatigue attacks are a real thing, hammering the user with as many notifications as they can in a short time. Maybe the user assumes it's a bug, maybe they try to deny the push notification but eventually hit the wrong button, maybe they just want it to stop; it's not so much about exploiting user conditioning as it is assuming that if you force people into an unfamiliar situation, some of them will eventually slip up.

      • deepsun 4 days ago

        Duo Mobile at least makes it two clicks (on Android at least). So a distracted user would likely swipe off the notification, instead of tapping through and clicking "Yes, it is me" on the next screen.

    • mlinhares 4 days ago

      TIL, this now makes a lot of sense, won't be as mad about it anymore.

  • felipeerias 4 days ago

    To prevent an attack where someone steals your username and password, triggers the 2-factor notification, and waits for you to accept it. This can be automated and repeated until you eventually click the wrong button for one reason or another.

    By requesting a short-lived code, attackers now need to communicate with you at the same time of the attack and somehow convince you to give them that code. Much harder.
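The two comments above (brendoelfrendo on MFA fatigue, felipeerias on why a typed short-lived code beats a tap) describe a mechanism that is easy to make concrete. The following is an added example, not code from the thread or from Apple or Microsoft: it models a tap-to-approve factor next to a number-matching factor, shows that a reflexive "approve" authenticates an attacker-initiated session only in the first scheme, and adds a small defender-side detector that flags the burst of unanswered prompts a push-bombing attempt produces. Class names, the two-digit code length, the sample events and the five-prompts-in-five-minutes threshold are all constructed for illustration.

```python
"""Added example (not from the thread): tap-to-approve vs number matching,
plus a detector for the prompt floods of an MFA fatigue attack.
All names, data and thresholds below are constructed."""
import hmac
import secrets
from collections import defaultdict, deque
from datetime import datetime, timedelta

CODE_DIGITS = 2  # constructed: length of the number shown on the login screen


class PushApprovalFactor:
    """Tap-to-approve: the user only has to answer 'yes'. A reflexive tap
    from a worn-down user authenticates whoever started the login."""
    def __init__(self):
        self.pending = {}

    def challenge(self, session_id):
        self.pending[session_id] = True
        return "Approve sign-in?"

    def respond(self, session_id, approved):
        return self.pending.pop(session_id, False) and approved


class NumberMatchingFactor:
    """Number matching: a short code is displayed on the device that started
    the login and must be typed into the authenticator. Someone who did not
    start the login never sees the code, so a reflexive tap cannot succeed."""
    def __init__(self):
        self.pending = {}

    def challenge(self, session_id):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[session_id] = code
        return code  # rendered on the initiating device's screen only

    def respond(self, session_id, typed):
        expected = self.pending.pop(session_id, None)
        return expected is not None and hmac.compare_digest(expected, typed)


def reflexive_tap_outcome():
    """Attacker starts a login; the victim taps Approve without reading.
    Returns True when the attacker's session is authenticated."""
    f = PushApprovalFactor()
    f.challenge("attacker-session")
    return f.respond("attacker-session", approved=True)


def number_matching_outcome(what_victim_types):
    """Same scenario under number matching: the code is on the attacker's
    screen, so the victim can only submit what they see or guess."""
    f = NumberMatchingFactor()
    f.challenge("attacker-session")
    return f.respond("attacker-session", what_victim_types)


def legit_login():
    """The user who started the login sees the code and types it back."""
    f = NumberMatchingFactor()
    code = f.challenge("user-session")
    return f.respond("user-session", code)


def blind_guess_success_count():
    """Out of all 10**CODE_DIGITS possible entries for one prompt, how many
    pass when the code is unseen: exactly one, i.e. 1% odds per prompt here."""
    f = NumberMatchingFactor()
    expected = f.challenge("s")
    return sum(hmac.compare_digest(expected, f"{g:0{CODE_DIGITS}d}")
               for g in range(10 ** CODE_DIGITS))


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=5):
    """Flag users who accumulate more than `threshold` non-approved push
    challenges inside `window`. events: iterable of (timestamp, user, outcome)
    with outcome in {"approved", "denied", "ignored"}."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, user, outcome in sorted(events):
        q = recent[user]
        if outcome != "approved":
            q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(user)
    return flagged


# Constructed sample: alice receives 8 unanswered prompts in under 3 minutes,
# bob approves one legitimate prompt and ignores one.
T0 = datetime(2025, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=20 * i), "alice", "ignored") for i in range(8)]
    + [(T0, "bob", "approved"), (T0 + timedelta(minutes=1), "bob", "ignored")]
)

if __name__ == "__main__":
    print("tap-to-approve, reflexive tap:", reflexive_tap_outcome())
    print("number matching, victim has no code:", number_matching_outcome(""))
    print("number matching, legit user:", legit_login())
    print("blind guesses that pass:", blind_guess_success_count())
    print("push-bombing suspects:", detect_push_bombing(SAMPLE_EVENTS))
```

The detector is deliberately crude: it keys only on per-user prompt volume, which is the signal an identity provider's sign-in logs already carry, and it reports the user rather than the attacker's IP because the response that matters is reaching the user (and resetting their password) before a prompt gets accepted.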

  • munk-a 4 days ago

    It does also increase friction for non-first party applications and Apple has a strong history of using product design to discourage non-first party apps.

altairprime 4 days ago

It often falls back to PIN if you retry faceid three times. But if the app is using faceid as a biometric second factor, in addition to or instead of as a password caching mechanism, then a device PIN is not biometric attestation and so it downgrades to full password.

thyristan 5 days ago

Microsoft crap is similarly broken. After each and every login there is the question whether it should remember me and whether it should ask that question again. It doesn't matter at all what you answer there, it changes absolutely nothing.

  • wycy 4 days ago

    I wonder how many millions of productivity hours have been lost due to millions of people having to click through these stupid, useless prompts countless times per day.

  • antod 4 days ago

    That is the single most useless dialog/question in IT. I wonder how much money that costs the global economy a year.

  • count 4 days ago

    Disable anti-tracking features and ad blocks, it turns out cookies and temp storage for ad tracking are how IDPs track your choice to trust the device too.

    • thyristan 4 days ago

      Adblocking and anti-tracking are mandatory on my company laptop, cannot switch those off. And I wouldn't want to.

    • xp84 4 days ago

      Most adblockers etc are pretty selective about cookies.

      I guess if you got really aggressive like an allow-list approach, you could have friction, but just using ublock's defaults I don't get 'unrecognized' from anything any quicker than I do on a device without it.

vachina 4 days ago

Dismiss the password prompt and reinitiate the auth, FaceID will work again. I'm not sure why Apple doesn't let us retry FaceID on the get go, but at least there's this method.

chrisweekly 4 days ago

related pet peeve: faceid is often (but unpredictably) really slow - like, I'm looking at the phone and in a hurry and would prefer to enter my pin but touching the screen goes back to the lockscreen, and swiping up starts faceid again.

KennyBlanken 4 days ago

> if Face ID fails when making a payment or installing an app (like it frequently does for reasons like sleeping in bed or wearing sunglasses) it won't fall back to PIN but ask you to enter your Apple account password.

What? FaceID will prompt for a re-try. Always. It will never fail once and then refuse to do FaceID.

If you can't figure out to lift the sunglasses off your face or sit up in bed for a second, that's not anyone's fault but your own.

Also, FaceID will never fall back to your account password for Apple Wallet transactions with a physical credit card reader.

  • apenwarr 4 days ago

    You’re right except in the very specific case of the App Store purchase or download process. You only get one chance at FaceID and then it demands a password. But, if you cancel and do it again, you get another chance at FaceID. It’s mystifying why they’d make that UX choice.