Apple Increases Account Security With Optional Two-Step Verification System for Apple IDs

Apple has implemented a new two-step verification system for Apple IDs (via 9to5Mac), adding an additional layer of protection for Apple accounts with an extra security code and a "trusted" device.
Two-step verification will require you to verify your identity using one of your devices before you can make changes to your account or make an iTunes or App Store purchase from a new device. You will also get a Recovery Key for safekeeping which you can use to access your account if you ever forget your password or lose your device.
Once enabled, the new system replaces the standard security questions that are asked before users make purchases on a new device, and password resets can only be done from the designated iPhone or iPad.

As the recovery key is used in place of security questions, keeping it secure is of the utmost importance. A lost or forgotten key can be recovered with a trusted device and a password, just as a password can be recovered with a trusted device and a recovery key.

The verification system will request a password that has one letter, one number, one capital letter, and at least eight characters. If such a password is not already in use, users will need to wait three days to fully enable two-step verification. Users with an already compliant password can move on immediately to the next step.

A security code will be sent through SMS or using the Find My iPhone app, and during setup, users can choose a single trusted device. To begin the process, users can visit the Apple ID website to implement two-step verification.

Top Rated Comments


19 months ago

Can Apple make it any more annoying...geeez


Perhaps you missed the part that it's optional?

:rolleyes:
Rating: 19 Votes
19 months ago

1234.....how did Apple know my security code!!???


John Appleseed? Is that really you?
Rating: 17 Votes
19 months ago
1234.....how did Apple know my security code!!???
Rating: 15 Votes
19 months ago

Can Apple make it any more annoying...geeez


Seriously? Google introduces (http://www.google.com/search?q=google+introduces+two+step+verification&hl=en&biw=1727&bih=1304&sa=X&ei=j2RLUd_cIauu2gXGuYHABQ&ved=0CB0QpwUoBg&source=lnt&tbs=cdr%3A1%2Ccd_min%3A2%2F1%2F2011%2Ccd_max%3A3%2F1%2F2011&tbm=#hl=en&tbs=cdr:1%2Ccd_min%3A2%2F1%2F2011%2Ccd_max%3A3%2F1%2F2011&sclient=psy-ab&q=google+two+step+verification&oq=google+two+step+verification&gs_l=serp.3...4165.4165.0.4334.1.1.0.0.0.0.0.0..0.0...0.0...1c.1.7.psy-ab.QFMX0pozUkw&pbx=1&bav=on.2,or.r_qf.&bvm=bv.44158598,d.b2I&fp=5055737f513ba032&biw=1727&bih=1304) two-step verification and everyone goes gaga.

Apple introduces two-step verification and people complain.

Really sick of the anti-Apple everything happening these days. Sheesh.
Rating: 15 Votes
19 months ago

1234.....how did Apple know my security code!!???


That's the kind of code only an idiot would have on his luggage... http://www.youtube.com/watch?v=a6iW-8xPw3k :D
Rating: 8 Votes
19 months ago
Lot of confusion about Google Authenticator in this thread. It doesn't store anything on Google's servers, it gives you one-time codes. You need this code AND your account password to log in. Just read the Wikipedia article about it.

It works with other services like Dropbox, Lastpass, Amazon Web Services and Facebook because it is based on some standard method of creating codes. You don't even have to use the official Google Authenticator app, there are several others like Authenticator for Windows Phone and a version for so-called Java dumb phones.

Someone asked about Facebook and Google Authenticator. They are telling you to use their own code generator but they are really just using the same method as Google and Dropbox. Just click the help button when you are setting it up and look for a 16 digit code (or something), this you type in Google Authenticator and it will give you one time codes back. I can confirm this is working. Also, nothing stops you from using several devices with Google Authenticator (or third-party alternatives) as long as you set them up at the same time.

You should of course have auto lock enabled on your phone if you are using a phone application like Google Authenticator to create codes. And it is still a good idea, even with 2 step activated, to use a password manager to create passwords for most accounts and Diceware for accounts where you have to remember the password.


Too bad Apple did not choose to support Google Authenticator.
Rating: 4 Votes
19 months ago

(This is yet another of my crazy extrapolations, but here goes...)

Maybe the "trusted device" concept, as Apple has currently implemented it, is merely setting the stage for biometric user identification in future iPhones and iPads. Tighter security is always more inconvenient for users. Adding the trusted device verification code is a huge improvement in security, but it's an extra hoop for users to jump through. For now.

But if and when Apple adds thumbprint scanners to iOS devices, the two-step verification hassle almost totally disappears. Any iOS device on which you swipe your thumb (and maybe other digits, just in case you need to wear a band-aid on your thumb) will become a "trusted device." You might have to enter your Apple ID password and verify it with the 4-digit challenge code sent to that device. But just once.

The biometrics would guarantee that it really is you trying to log in to your iCloud / iTunes account. Especially if the thumbprint sensor detects the density and/or other "liveness indicator" of your digit, to foil amputated thumb login attempts. The good news: your iCloud / iTunes account stays safe. The bad news: you're missing a thumb.

OK, yeah. The amputated thumb thing wouldn't be good. So maybe Apple could just use the FaceTime camera instead of a thumbprint reader. Apple has the software chops to do it, and they could leverage their years of experience with face recognition in iPhoto. Let's not forget that Apple acquired Polar Rose, and their face recognition technology and expertise, in 2010. Face recognition could be a key feature in Apple mobile and legacy computing devices in the future. Not to mention a key feature in Apple's television solution. But I digress.

And how would this biometrics benefit Apple? Well, the vast increase in ease-of-use would be a big draw. Only the latest iOS devices would have the thumbprint sensor. Or only iOS 7+ devices would have the face recognition biometrics feature (which means, of course, only the iPhone 6 and other next-gen iOS devices.) The biometric login system would be the next generation of iOS devices' "killer feature." I'd love it. Especially if Apple enforces the two-step login every time for all older devices.


Great idea, except for the part where numerous studies have found biometric scanners can get outsmarted by gummy bears. I'm not sure where the technology stands today, but gummy bears...

Gummy bears! :eek:
Rating: 4 Votes
19 months ago



Is it safe :D ? (The movie "Marathon Man")
Rating: 4 Votes
19 months ago

Enabled.

Noticed that they're keen to ensure you know that if something goes wrong it's your fault and Apple can't help you. It reminded me around 4 times during the process that if I lose the recovery key and forget my password / lose access to my trusted device then Apple can't help at all.

Covering their butts from a legal standpoint if someone alleges that Apple is to blame if account access is lost, I'm guessing.


Pretty sure that's to keep social engineering at a minimum. Since, ya know, that's the whole point.
Rating: 4 Votes
19 months ago
As much as two-step authentic verification is annoying, I will turn it on, as I have for my other services.
Rating: 4 Votes
