Two-Factor Authentication


'Two-Factor Authentication' How Tos

How to Secure Your Apple ID Using Two-Factor Authentication

Apple introduced two-factor authentication (2FA) in 2015 to provide an enhanced level of security when accessing Apple ID accounts. With 2FA enabled, you'll be the only person who can access your account, regardless of whether someone learns your password – as the result of a hack or a phishing scam, for example – so it's well worth taking the time to enable the feature. In this article, we'll show you how.

How Two-Factor Authentication Works

2FA offers hardened security during login attempts by requesting that the user provides an extra piece of information only they would know. With 2FA enabled on your Apple ID account, the next time you try to log in you will be automatically sent a six-digit verification code to all the Apple devices you have registered to that Apple ID. If you try to access the account from an unknown device or on the web, 2FA also displays a map on all registered devices with an approximate location of where the Apple ID login attempt occurred. In basic terms, this is an improved version of Apple's older two-step verification method, which prompted users to send a four-digit code to a registered SMS-capable device. Apple automatically upgraded most two-step verification users to 2FA as of iOS 11 and macOS High Sierra, but if you're still on two-step verification for some reason, follow the steps below to manually upgrade to 2FA.

How to Turn Off Two-Step Verification

Open a browser and go to
Enter your Apple ID and password in the login fields.
In the Security section of your account page, click the Edit

'Two-Factor Authentication' Articles

YubiKey Gains iOS SDK to Enable Secure 2FA Logins in Select Apps Using NFC

Yubico is a company that sells the "YubiKey," a small piece of hardware that protects access to computers and online accounts by providing strong two-factor authentication in lieu of receiving a text message code on a smartphone or other 2FA steps. With the NFC-equipped YubiKey NEO, Android users have been able to authenticate their log-ins with a tap, and this week Yubico announced that ability has launched for iPhone users as well (via The Next Web). With the launch of the YubiKit 1.0.0 iOS SDK, the company is allowing developers to add support for the YubiKey NEO into their iOS apps, starting with sole support from LastPass. Once set up with a LastPass account, the YubiKey NEO generates a one-time password, and when the user gets to the 2FA log-in screen, they simply tap the NEO near the back of the iPhone to authenticate. It has been possible for developers to integrate with YubiKey NEO since iOS 11 launched in September, but the debut of the SDK should lead to wider adoption since it will be far easier for developers to introduce support for the device's NFC abilities. The NEO does not require a battery to function, nor does it need network connectivity, and Yubico says that it is "four times faster" than typing a traditional one-time passcode. In addition to NFC, the device has a dongle for USB-A connectivity so it can double as an authenticator on laptop and desktop computers, and Yubico says that it's crush resistant and waterproof. The YubiKey NEO is supported on iPhone 7 devices and newer, and for LastPass the feature is supported under the

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password. As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app. Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.

"Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text. I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code."

Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password. The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible. As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a

Apple Migrating iOS 11 and macOS High Sierra Users With Two-Step Verification to Two-Factor Authentication

Apple recently emailed Apple ID users with two-step verification enabled to inform them that, upon installing iOS 11 or macOS High Sierra, they will be automatically updated to its newer two-factor authentication method. Apple introduced two-factor authentication in 2015 as an improved version of its two-step verification method for securing an Apple ID account with both a password and a secondary form of verification. Two-factor authentication requires an Apple device with iOS 9, OS X El Capitan, watchOS 2, any tvOS version, or later.

The two security methods are similar in many ways, but two-factor authentication automatically sends a six-digit verification code to all trusted devices registered to a given Apple ID, whereas two-step verification manually prompts users to send a four-digit code to any SMS-capable trusted device registered. Two-factor authentication also displays a map on all trusted devices with an approximate location of where an Apple ID sign-in attempt occurred when a user is trying to access the account from an unknown device or on the web.

Apple's two-factor authentication method disables the Recovery Key by default, since offline verification codes can be generated on trusted devices in the Settings app. On iOS, users can still enable the Recovery Key as a backup method in Settings > Apple ID > Password & Security > Recovery Key. The full text of the email is copied below:

If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use

Apple Updates iTunes Remote App With Two-Factor Authentication for Home Sharing

Apple today updated its iTunes Remote app, which is designed to allow users to control their iTunes libraries from anywhere in the home. The new update adds support for Apple's Two-Factor Authentication system, adding an extra layer of security when signing in for Home Sharing purposes. Using Home Sharing will now require a verified device or a verified phone number that can receive a Two-Factor Authentication code, preventing an unauthorized user from accessing a home library with just a password. For those unfamiliar with Two-Factor Authentication, it is an opt-in system that's designed to increase the security of Apple ID accounts. It asks users to provide a verified code when signing in to new devices, when using iCloud, and when using services like iMessage and FaceTime. Apple's iTunes Remote app was last updated in September of 2016, adding iOS 10 compatibility and minor performance and stability improvements. The app lets users browse their iTunes libraries and send music to AirPlay speakers. The iTunes Remote app can be downloaded from the App Store for free.

New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication

The US National Institute of Standards and Technology has released a new draft of its Digital Authentication Guideline, which sets the rules that all authentication software eventually follows. In the document, NIST deprecates the implementation of SMS as a method with which users validate a second level of security on various accounts, "no longer" allowing its use in future guidelines as it is considered not secure enough (via TechCrunch).

[Image: Two-factor authentication via SMS (left) and an alternative trusted iOS device (right)]

Setting up two-factor authentication through text messages is one of the most popular ways users add another layer of security onto an account, on top of a basic password, including those for Apple's own software, like Apple ID and iCloud. Other than SMS, Apple allows users to implement two-factor authentication through a simple push notification sent to another "trusted device," or a phone call.

"If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

The new guidelines also make a point for companies to ensure that two-factor

iCloud for Windows 5 Adds iCloud Photo Library and Two-Factor Authentication

Apple has released iCloud for Windows 5 with support for iCloud Photo Library and two-factor authentication for Apple ID accounts. Windows users were previously limited to accessing iCloud Photo Library through the web interface. Apple recommends that iCloud for Windows users have Windows 7, 8 or 10 installed. For email, the software currently supports Outlook 2007 through Outlook 2013, while Outlook 2016 users can access iCloud Mail, Contacts, and Calendars on iCloud Photo Library on your Windows PC to download all of the photos and videos from your Apple devices to your computer, or upload your Windows Pictures library to iCloud. And when you turn on iCloud Photo Sharing, you can share your captured memories with just the people you choose.

Apple has published a support document for setting up and using iCloud Photo Library on Windows.

Apple Introduces Revamped Two-Factor Authentication for iOS 9 and OS X El Capitan

With the third betas of iOS 9 and OS X 10.11 El Capitan, Apple is introducing a revamped two-factor authentication system, according to both the beta release notes and a detailed support FAQ that outlines the changes. The new two-factor authentication system is different from Apple's existing two-step verification system, using "different methods" to trust devices and deliver verification codes. Apple also says it includes a "more streamlined user experience."

Based on the support document, the new two-factor authentication system works similarly to the existing two-step verification system. Any device that you sign into using two-factor authentication in iOS 9 or El Capitan becomes a trusted device that can be used to verify identity when signing into other devices or services linked to an Apple ID. Apple recommends that iOS 9 and OS X El Capitan beta testers using the new two-factor authentication system update all of their devices to iOS 9 or El Capitan for "the best experience." As outlined in the release notes, customers who use two-factor authentication with older devices may be required to put a six-digit verification code at the end of a password instead of using a dedicated verification field.

"If you enable two-factor authentication, iTunes purchases on Mac and Windows will require you to append a 6-digit code to the end of your password on every purchase. The 6-digit code will automatically be sent to your iOS 9 or OS X El Capitan devices."

Older devices are also not able to receive two-factor authentication codes when used with devices running iOS 9 and