With Apple's Find My solution, when logging in via iCloud.com there is a 2FA bypass link to the Find My web app. If you want to access other iCloud web apps, 2FA is required, but not for Find My. A nice quality of life feature that has probably gotten thousands of people out of a bind.

  Just don't log out. Let us collect your data forever and at all times. No need to restart your computer, ever.

  You're dumb because you didn't create hard copy two factor backup codes! User error. 

Some potential explanations by people who don't want to resolve this admittedly difficult problem to solve. I find these issues difficult when also considering security keys like Yubikey. Like you can't clone a yubikey and that's considered a feature not a bug. So what, you want me to have everything on a usbc device that barely pokes out of my laptop? That's very easy to lose. Fall off my keychain? I've had many usbs do that (__especially__ the small ones).

I am really happy that there are people doing security and making things more secure, but the truth is that usability is necessary too. The reason Signal is so great is not just because encryption, it is because my Grandma can use it. Not aware of any other encrypted text message system besides iMessage and WhatsApp that has that usability and those come with strings. I really think there needs to be something similar for MFA. Consider the user.

Edit: A possible suggestion for FindMyDevice is to have trusted users. That you can give your wife, friend, whatever permission to find your device without needing to sign into your account or any other permissions. This seems like a relatively obvious solution, is there something wrong with it? Google devs, can't you patch this in in a few weeks (or less? But we all know, bureaucracy exists)

The suggested solution for loosing a Yubikey is to already have n>=2 set up for your account. Apple won't even let you enable it without having two.

> The suggested solution for loosing a Yubikey is to already have n>=2 set up for your account

>> I find these issues difficult when also considering security keys like Yubikey. Like you can't clone a yubikey and that's considered a feature not a bug.

Yes, I am quite aware of this. My complaint is that I cannot expect my grandma to be able to perform this action. It would even be difficult if there was a cloning program, but without it, this is certainly an insurmountable task.

Sure, you can make the argument that my grandma is dumb and tech-illiterate, but the truth of the matter is that this is the bar for the average person. You, me, and other Hacker News users would have no issues with these tasks, but this is not representative of the general FIRST WORLD population. Not to mention those in developing countries.

The technical aspects are great! But they also need be made available for the average person. Be that by bringing the average person up to sufficient level or through careful design to bridge this gap. But what is clear is that the current state of things is insufficient. Especially consider that this is Apple's main value: design.

You should have multiple access to important accounts. Yubikeys are great for this. I keep a couple in an envelope with important instructions.

I understand your frustration, and device sharing is obviously a missing useful feature.

But I absolutely don't want it to work without 2FA, and if your only 2FA is your phone you have other problems.

A "feature" designed to help you find your lost phone that can not work when your phone is lost is clearly designed poorly.

All Google had to do here was copy Apple's solution of having access to that one feature work with only the user name and password.

This is just classic Google product management.

Why? Why not just have it let you know via a message pop up that location tracking is active?

If you don't get that message because you don't have your device that means you're not being tracked / are looking for your device and if you get that message because you have your device you've now been warned that someone has breached your account.

My wife and I had this exact same sort of situation and now we're both logged into each other's accounts. We never have trouble finding our phones now but it does introduce other problems. Such as not knowing if some sort of security alert is being generated by my spouse and now we have to communicate about it.

Does Android have an equivalent of the "Find my Friends" feature? I assume that would be easier/more secure than logging into each others accounts.

I have no idea why they sunsetted Latitude. I feel like there was nothing on Android after that, and everyone I know switched to Find my Friends and iOS.

Google maps location sharing works cross-platform on android and iOS

Seems like that's what was just released.

The article mentions sharing accessories, but not the device. I assumed that maybe sharing the device feature already existed, but judging by GP's comment that doesn't seem to be the case.

Yeah I'm just assuming that it includes devices as well.

Android find does work without 2FA. Have tried it before

Came to the comments section to point out this ridiculous fact, which has been this way for ages (2018 at least). I'm glad it looks like there is enough momentum for them to think about fixing it now.

Tangent, but my experience with this was when I needed to upgrade my mobile plan for international service... but I had 2FA via text message enabled for the account.

And now I thought I'd try it with my device. It's on my work wifi and on mobile data. "Play a sound" works. But it still insists "Can't reach device" and won't tell me where it is. What am I missing? "Find my device" is toggled on in the settings.

Yeah, this seems like such an incredibly obvious oversight. Like... I know how it goes with fuzzy requirements, but who didn't nail down the acceptance criteria that the user should be able to trigger Find My Phone without 2FA.

Please don't. If you have 2FA, it should always be active. No exceptions.

Hackers were able to steal private photos of half of Hollywood in 2014 because someone at Apple decided that 2FA is not needed for one particular iCloud function.

So if someone steals my password, they can now find out exactly where I am? And factory reset my device now.

Perhaps some combination of no 2FA IF you are a trusted contact that I've specifically added to the account would be safer.

There are many design tradeoffs around this problem, and most of them are reasonable, except the one they chose (can't find your phone unless you have your phone). Especially since the choice of where the 2FA prompt will actually show up is out of your hands.

It's very common. I once lost a phone in an Uber car, and the only way to contact the driver was to log-in to Uber, which required SMS 2FA...