Does iCloud two-factor authentication send a code to the same device as a login request?

Solution 1:

This is how it works and isn't a bug. It's two-factor authentication, not prevention.

Yes, it's being sent to that device but, as you mentioned, it's also being sent to all other devices signed in with the same Apple ID. This is meant to notify the user that a sign-in is being attempted.

To use your example, if you're trying to log into a Mac that means you're not currently logged in. In that case, the Mac will not get the code because it's only sent to devices that are logged in with that ID. Your Mac is not logged in at that point.

You can prevent this in two ways:

  • mark the browser/device as always trusted (which makes you less secure - the login request won't then broadcast to all your other devices)
  • remove that device from your trusted list - all sign-in requests will require a different device to receive your 6-digit PIN (further locking down that one device - at the expense of not being able to use it as an approved device for your iCloud)

If you're already logged in to your Mac and now you want to add a new device to iCloud, your Mac will get the code because it's a device logged in with your Apple ID and you've previously 'trusted' that Mac. So now, the code is alerting all your devices that a login attempt is currently being made.

This Apple 2FA page can provide additional info.

Solution 2:

It's not a bug.

There is a misconception in your question that leads you to believe that this is a bug: You write that the 6-digit code is being sent to the device that you're trying to log in from. This is not the case.

The 6-digit codes are not sent to your trusted device (unless you have specifically requested that the 6-digit code be sent by SMS text message). The 6-digit code is already there, in the sense that it is actually calculated on the device.

The only thing sent to your trusted device is a notification that someone is trying to log in and an approximate geographical origin of that request.

Usually you log in from a trusted device, such as, for example, logging in on the "Apple Store" app on a trusted iPhone. In this case, the 6-digit code is not requested. It is automatically calculated on the trusted iPhone and sent along with your password to the server for authentication.

The situation you're describing happens if you use a Mac that you have added as a trusted device (the computer itself) - and then try to log in to an Apple service via a browser that is not trusted.

A browser, such as, for example, Google Chrome, does not "know" that your computer is trusted, and does not have access to the data necessary to calculate the 6-digit code itself - the browser itself needs to be trusted for that to happen. Were the browser trusted, you would not see a request for you to enter a 6-digit code; it would be automatically transmitted.

In your case with an untrusted browser, you enter your password and a notification is sent to all your trusted devices. This includes your Mac (on an operating-system level - not browser level). You then get a popup with the 6-digit code that is calculated on your device. You can enter this in the browser and optionally choose to trust the browser, so you do not have to do this again.

The reason why this is not a bug is that 2-factor authentication in this case means that the user authenticates by "something you know" and "something you have". In this case the "something you know" is the password and the "something you have" is the special trust-data that makes it possible to calculate the 6-digit code.

The user that is logged on to the Mac in this particular case obviously has both, and as such it is perfectly valid to authenticate them.

Had an attacker tried to log in to the web site with your password that they had stolen, they would have been stopped from authenticating because they do not know your 6-digit code.

Had an attacker tried to log in to the web site from your own computer having stolen your Apple-ID password - without being logged in as your user on the computer - they would have been stopped from authenticating because they do not know your 6-digit code. It is not sent to the computer, so they cannot just "snoop" it from network traffic.

Had an attacker tried to log in to the web site from your own computer having stolen your Apple-ID password - and they're already logged in with your user account on the computer - then this won't stop them. They already have access to the trusted data and they know your password. Even if the notification was not sent to this device, but only to your other devices, it wouldn't have helped at all - the attacker could just generate the 6-digit code themselves on the computer. The good thing though is that you get a warning on your other trusted devices that someone is trying to log in.

To conclude: This is not a bug - it doesn't reduce security. This is how 2FA systems are generally designed.
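The model below is an added example, not part of either answer and not Apple's actual protocol: it assumes a simplified scheme in which each trusted device shares a secret with the server and derives the 6-digit code locally, while the server only pushes a sign-in notification. It walks through the three attacker scenarios from Solution 2 and the untrusted-browser-on-a-trusted-Mac case.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Simplified model (an assumption, not Apple's real protocol): every trusted
# device holds a secret shared with the server and derives the 6-digit code
# from it locally; the server never transmits the code, only an alert.

def derive_code(device_key: bytes, window: int) -> str:
    """6-digit code from the device secret and a time window (HMAC-SHA256)."""
    mac = hmac.new(device_key, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class TrustedDevice:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.alerts = name, key, []   # alerts: popups shown

    def code(self, window: int) -> str:
        return derive_code(self.key, window)   # what the popup on the Mac shows

class AuthServer:
    def __init__(self, password: str):
        self.password = password
        self.devices: List[TrustedDevice] = []

    def enroll(self, name: str) -> TrustedDevice:
        dev = TrustedDevice(name, secrets.token_bytes(32))
        self.devices.append(dev)
        return dev

    def login(self, password: str, code: Optional[str], window: int, origin: str) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        # Correct password: alert every trusted device, including the one the
        # request may originate from (the behaviour the question asks about).
        for dev in self.devices:
            dev.alerts.append(f"sign-in attempt from {origin}")
        if code is None:
            return False
        return any(hmac.compare_digest(code, dev.code(window)) for dev in self.devices)

def scenarios() -> Dict[str, bool]:
    server, window = AuthServer("correct horse"), 12345   # constructed sample values
    mac, phone = server.enroll("Mac"), server.enroll("iPhone")
    return {
        "user_untrusted_browser": server.login("correct horse", mac.code(window), window, "Chrome on Mac"),
        "attacker_password_only": server.login("correct horse", None, window, "unknown host"),
        "attacker_on_trusted_mac": server.login("correct horse", mac.code(window), window, "Chrome on Mac"),
        "phone_alerted_each_time": len(phone.alerts) == 3,   # "something you have" never left the Mac
    }
```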