Thursday, October 12, 2017

Strange Apple ID Sign-In Locations

Glenn Fleishman:

The first step in Apple’s 2FA is a location alert that appears on every computer and iOS you own logged into the same Apple ID account. The notion is that you should validate that the location is correct before you proceed to get the code. Clicking Don’t Allow terminates the login attempt.

[…]

The location can also be imprecise. My wife routinely is told she’s logging in from about 30 miles south, although on the same home network, it’s more accurate for me. If we both had this issue, I’d expect that the IP address of our network was misplaced in whatever geo-identification system Apple relied on to match IPs with a rough place on the globe.

Kirk McElhearn:

I’m not near London; I’m about 100 miles away.

[…]

I don’t use a VPN, which would certainly affect this, and I find it surprising that the Apple devices that already know my exact location can’t pass this info on to Apple’s authentication servers. Because if I look on Apple Maps on the same iPad, it pinpoints me, exactly where I am.

Nick Heer:

This is particularly troubling because two factor authentication is promoted as being a more secure login option. If a typical user were to set that up and then be shown a map of a login attempt from miles away, they may be concerned, and reasonably so.

Update (2017-10-13): Michael Kummer:

What puzzled me was that according to whatsmyip.org, the geolocation of my IP is Atlanta, GA. So why would Apple show a different location? As it turned out, there are various geo-location databases, and each shows slightly different information. Separate databases map my IP address to the following locations:

  • Richardson, TX (IP2Location)
  • Atlanta, GA (EurekAPI)
  • Wallingford, CT (DB-IP)

That explains why I see strange location information when signing in from a new device or browser. Evidently, Apple uses the DB-IP database, instead of EurekAPI to query IP geolocation information. Interestingly enough, Apple Maps knows my correct location as you can see in the screenshot below.
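The disagreement between geolocation databases described in the quote above can be measured before a sign-in prompt commits to a city. The following is an added example, not code from the quoted posts or from Apple; the coordinates are approximate city centres constructed for illustration, and the function names and the 50 km threshold are assumptions.

```python
import math
from itertools import combinations

# Constructed sample: the three cities the quoted post reports for one IP.
# Coordinates are approximate city centres added here, not from the page.
LOOKUPS = {
    "IP2Location": ("Richardson, TX", 32.95, -96.73),
    "EurekAPI": ("Atlanta, GA", 33.75, -84.39),
    "DB-IP": ("Wallingford, CT", 41.46, -72.82),
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * radius_km * math.asin(math.sqrt(a))

def max_disagreement_km(lookups):
    """Largest pairwise distance between the databases' answers."""
    points = list(lookups.values())
    if len(points) < 2:
        return 0.0  # nothing to cross-check against
    return max(
        haversine_km(a[1], a[2], b[1], b[2]) for a, b in combinations(points, 2)
    )

def prompt_location(lookups, city_threshold_km=50.0):
    """Decide what a sign-in prompt should claim about the location.

    A city name is shown only when at least two sources agree to within
    the (assumed) threshold; otherwise the uncertainty is stated.
    """
    if not lookups:
        return "Location unavailable"
    if len(lookups) == 1:
        city = next(iter(lookups.values()))[0]
        return f"Possibly near {city} (single source, unverified)"
    spread = max_disagreement_km(lookups)
    if spread <= city_threshold_km:
        city = next(iter(lookups.values()))[0]
        return f"Near {city}"
    return f"Location uncertain (sources differ by about {round(spread, -1):.0f} km)"

if __name__ == "__main__":
    print(prompt_location(LOOKUPS))
```
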

9 Comments

Adrian Bengtson

I've seen this too and it's very annoying and confusing.

- The location is off by a huge margin, 40 miles or so. A different town in a different part of the country. I know that my IP address is correctly geo-tagged in my town in every database I've seen, so why can't Apple get it right?
- The timing is not immediate. Sometimes it's minutes, sometimes even hours.

I call myself a power user with good technical knowledge but sometimes even I can't know for sure that it's my login attempt if neither the timing nor the location is correct. This must be very confusing for ordinary users.

Apple could solve this easily if they just provided two key elements of information that they already have:
- The exact timestamp.
- The IP address.
If they provided this information then I could quickly determine if it was me or someone else. It wouldn't matter if the prompt is delayed by several minutes or more, and it wouldn't matter if the location on the map is off, since I know what IP address I'm using.

I don't know why Apple can't present such basic information. I've logged into appleid.apple.com and icloud.com searching for some kind of detailed log of every login attempt, but I can only see the currently logged in devices and no IP address.

I tried to discuss this at MacRumors forums but there were people actually defending the current behaviour from Apple… 🙄

The location can’t be provided by the device - if it would, it could be faked by the attacker. It must be determined server side, hence the limited accuracy.

I’m in Melbourne, Australia and the sign-in location is always shown as either Tasmania or Sydney. That’s 500 miles away.

@Anonymous Do you mean if the device is jailbroken? Couldn’t it be faked server-side, too, e.g. with a VPN?

I'm in Connecticut, but when on my home network my location is typically given as Providence, RI. I think it's something to do with Cox's network configuration and Apple somehow failing to use my iPhone location with the iPhone's presence on the same wifi network to get a better location.

The same location gets used for things like the Home Depot website.

What gets me about Apple 2FA is that I'll get the 2FA authorization stuff on the same machine I'm using that incurred the 2FA check. Say I go to log into the Apple developer site on my laptop. I'll get the location validation panel on the laptop, and then I'll get the 2FA code on the laptop, which I can type in on the laptop and get into the developer site.

Seems... broken... to be able to get the code on the same machine.

When I log in to icloud.com on my laptop, the 2FA alert window pops up in the center of my screen, covering the 2FA input field on the iCloud website which is centered in the browser window. The lack of coordination between the design of the 2FA alert and 2FA input makes for a totally baffling experience. There's seemingly nowhere to enter the 2FA passcode, unless you know to drag the 2FA alert window out of the way.

Bugs me every time.

Did you enable GPS? If yes, Apple will use the location for verification.

If no GPS or telco station found, Apple will use the IP address for geolocation. It might be using Maxmind or IP2Location because these two companies are the leading geolocation providers since early of 2000.

Adrian Bengtson

I doubt that Apple is using Maxmind or IP2Location. Both of these services have my IP address correctly geotagged to my home town. Maxmind even gets the postal code correct. At the same time, Apple is only showing me the capital of Sweden, 40 miles away. So if Apple are using any of those then they must be offsetting the location on purpose and that would not make any sense.
