Apple Migrating iOS 11 and macOS High Sierra Users With Two-Step Verification to Two-Factor Authentication

Apple recently emailed Apple ID users with two-step verification enabled to inform them that, upon installing iOS 11 or macOS High Sierra, they will be automatically updated to its newer two-factor authentication method.


Apple introduced two-factor authentication in 2015 as an improved version of its two-step verification method for securing an Apple ID account with both a password and a secondary form of verification. Two-factor authentication requires an Apple device with iOS 9, OS X El Capitan, watchOS 2, any tvOS version, or later.

The two security methods are similar in many ways, but two-factor authentication automatically sends a six-digit verification code to all trusted devices registered to a given Apple ID, whereas two-step verification manually prompts users to send a four-digit code to any SMS-capable trusted device registered.

Two-factor authentication also displays a map on all trusted devices with an approximate location of where an Apple ID sign-in attempt occurred when a user is trying to access the account from an unknown device or on the web.


Apple's two-factor authentication method disables the Recovery Key by default, since offline verification codes can be generated on trusted devices in the Settings app. On iOS, users can still enable the Recovery Key as a backup method in Settings > Apple ID > Password & Security > Recovery Key.

The full text of the email is copied below:
If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication. This is our most advanced, easy-to-use account security, and it's required to use some of the latest features of iOS, macOS, and iCloud.

Once updated, you'll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password.
iOS 11 and macOS High Sierra public betas will be available in late June through the Apple Beta Software Program. The software updates will be available for all eligible iOS devices and Macs in the fall.

Related Roundups: iOS 11, macOS High Sierra


Top Rated Comments

(View all)
Avatar
9 months ago

So... does that mean that those of us who use our Apple IDs with devices that remain on older OS versions will no longer be able to authenticate on those older devices if we upgrade any of the others?

I have an iPad 1 and an Apple TV 3, In order to authenticate Apple will send you the 4-digit access code, you will then need to type your usual password followed by the 4 numbers. Easy (:
Rating: 4 Votes
Avatar
9 months ago

I got that email last week and it was not at all clear what they were saying or what the difference is between the two methods. Very un-Apple.

This article makes it clear. I hope it's based on an updated form of the mail.

They only sent the one email. I received it too, and did some research into it. Glad it helps!
Rating: 4 Votes
Avatar
9 months ago

So... does that mean that those of us who use our Apple IDs with devices that remain on older OS versions will no longer be able to authenticate on those older devices if we upgrade any of the others?

There's a workaround for older devices. The instructions to authenticate are slightly different. Just pay attention at the prompt and make sure to understand it and then follow the instructions.
Rating: 3 Votes
Avatar
9 months ago
I got that email last week and it was not at all clear what they were saying or what the difference is between the two methods. Very un-Apple.

This article makes it clear. I hope it's based on an updated form of the mail.
Rating: 3 Votes
Avatar
9 months ago
The location aspect is not very accurate. Everytime I login Apple thinks I'm London when I'm actually 200 miles away from London. Maybe it's the only UK city they know.
Rating: 3 Votes
Avatar
9 months ago

You obviously didn't read my message. Land line? I already said I travel full time and don't have regular access to a sim. And "What does a SIM card have to do with this?" Obviously you didn't read the article either.

it doesn't use SMS like the old system, that's the point. You obviously don't know how this works.

If you read the article, you would have read this:

The two security methods are similar in many ways, but two-factor authentication automatically sends a six-digit verification code to all trusted devices registered to a given Apple ID, whereas two-step verification manually prompts users to send a four-digit code to any SMS-capable trusted device registered.

see, so SMS on the new system.


Many security authorities are coming out with advisories saying SMS is not a secure mechanism and recommending not to use it for two factor. Which it isn't... any security professional will tell you the same. It's just so easily flawed.

again, it doesn't use SMS, and you don't even need an internet for it to work. SMS is only a back up, that's it.


NIST just a few months ago declared the age of two factor with SMS as over and started putting pressure on regulatories to remove or discourage it - and here we have Apple classing it as a more secure feature. Lol. They really keep doing everything to prove they've lost touch lately.

you're right, again doesn't use SMS. But even if you use SMS, you rather use nothing than SMS?


Lastly, yes it's a migration to the new system but it also says 2fa is required to use many features of iCloud, so... we don't know what those are but I assume account administration and Apple Pay and what else? Is it really excusable to be locked out of a product you own and features it should be able to do because you don't happen to have a SIM card, or more likely, don't want your identity verification mechanism to be at the hands of some random phone company?

Apple isn't forcing you to do this. I think if you don't use the extra security that Apple offers, if anything happens to that persons Apple ID, they (the Apple ID holder) are held 100% liable for any changes and any issues.

2FA is needed for home kit, and to log into a Mac using an Apple Watch. I think that's it. So if you don't use that stuff, then don't use it at all. Again, an iPod touch does not have a SIM card. My iPad and MacBook doesn't have a SIM card either and I get the 6 digit code sent to them, again you didn't read the article. I just popped my SIM card out of my iPhone, logged into iCloud .com, and still got the 2nd factor sent to me over wifi.

Again, there is an option to get the 2nd factor without cell or internet on any trusted device. Settings > Apple ID > password and security > get a verification code and its right there.


So... enough said.



I seriously don't know what the big issue is. Do you log into iCloud all the time? I do maybe once a week, and it's not an issue. The only time you need the 2nd factor is when you get a new device or log into iCloud.com (and you can have the computer remember you if you want).
Rating: 2 Votes
Avatar
9 months ago
I'm not in the dev beta but I experienced some serious two factor bugs this weekend on multiple devices and multiple Apple IDs. It was frustrating
Rating: 2 Votes
Avatar
9 months ago
This over authentication trend is tiresome. What is worse is when they assume that you have a cellphone. Not everyone has a cellphone and not everyone who has a cellphone has cell service at home. There are large swaths and many pockets of the USA without cell service. The US Social Security office now requires you to have a cellphone to do this sort of authentication where they text a code to your phone that you are then supposed to enter on your computer at their web site. There is no other way. I talked with their 'customer' service and they said that they're getting a lot of complaints about this and will fix it 'soon' but that was last year.
Rating: 2 Votes
Avatar
9 months ago
I applaud Apple for implementing two-factor auth, but I wish they would use TOTP ('https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm') like all my other accounts (Microsoft, Google, Dropbox, and my employer). One program (Authy is my chosen app) rules them all.
Rating: 2 Votes
Avatar
9 months ago
[USER=1019123]@rob_saunders[/USER] Apple doesn't use SMS to xfer 2fa codes. It uses your iCloud account to xfer codes to devices connected to your iCloud account.
Rating: 2 Votes
[ Read All Comments ]