Update 4/15/19: Apple says the problem isn't with iCloud's two-factor system, but rather with the way browser is treated: "The experience of receiving a code on the same device that you are using a browser on derives from the limitation that a browser must be treated as a separate device."
With an iCloud account and an Apple device, two-factor authentication is quite different than it is on any other device or account. As is the Apple way, 2FA on your iPhone or Mac is baked into the device you own, setting up a system that is theoretically as secure as a security key. Except when it’s not.
Here’s how it works. When you’re trying to log into your iCloud or Apple Music account account on your iPhone, you’ll first be prompted to enter your password. Once that is recognized, you will then be asked to input a code that has been sent to one of your trusted devices, say an iPad. You’ll get a message on your iPad informing you that someone is trying to log into your account and asking whether you want to allow it. Then you’ll receive a six-digit code that you’ll enter into the boxes on your iPhone.
