Two-Factor Authentication

'Two-Factor Authentication' How Tos

How to Set Up Two-Factor Authentication for Multiple Apple IDs on One Device

As of February 27, 2019, Apple is requiring that all Developer accounts with an Account Holder role be secured with two-factor authentication in order to ensure that only the account owner is able to sign into the account. Two-factor authentication involves a pop-up code being generated on trusted devices linked to an Apple ID any time a login attempt is made, unless you've logged in with that same browser within the past 30 days and selected the option to trust it. That verification code from the trusted device must then be entered for the login to be approved.

The requirement has caused some confusion among developers who have multiple Apple IDs, particularly those who use a dedicated Apple ID for their Developer account that is separate from their primary iCloud account used on their devices. Apple has posted a developer support document that outlines a few ways to enable two-factor authentication on a non-primary Apple ID, but Apple's suggestion for iOS involves signing out of your primary iCloud account. That can be a hassle as your phone unsyncs and tries to delete content associated with that account, so it's better to use other methods if you can.

Turning on two-factor authentication for an alternate Apple ID and getting it to work properly with trusted iOS devices without signing out of your primary Apple ID requires a few steps, but once they're done the feature should work seamlessly.

Activating Two-Factor Authentication on an Alternate Apple ID

For this portion of the process, you'll need access to a Mac where you have permissions to create new

How to Secure Your Apple ID Using Two-Factor Authentication

Apple introduced two-factor authentication (2FA) in 2015 to provide an enhanced level of security when accessing Apple ID accounts. With 2FA enabled, you'll be the only person who can access your account, regardless of whether someone learns your password – as the result of a hack or a phishing scam, for example – so it's well worth taking the time to enable the feature. In this article, we'll show you how.

How Two-Factor Authentication Works

2FA offers hardened security during login attempts by requesting that the user provide an extra piece of information only they would know. With 2FA enabled on your Apple ID account, the next time you try to log in you will be automatically sent a six-digit verification code to all the Apple devices you have registered to that Apple ID. If you try to access the account from an unknown device or on the web, 2FA also displays a map on all registered devices with an approximate location of where the Apple ID login attempt occurred.

In basic terms, this is an improved version of Apple's older two-step verification method, which prompted users to send a four-digit code to a registered SMS-capable device. Apple automatically upgraded most two-step verification users to 2FA as of iOS 11 and macOS High Sierra, but if you're still on two-step verification for some reason, follow the steps below to manually upgrade to 2FA.

How to Turn Off Two-Step Verification

1. Open a browser and go to appleid.apple.com
2. Enter your Apple ID and password in the login fields.
3. In the Security section of your account page, click the Edit

'Two-Factor Authentication' Articles

Apple Watch Can Display Apple ID Verification Codes Starting in watchOS 6

Starting in watchOS 6, the Apple Watch has become a trusted device for Apple ID authentication purposes. When you or someone else signs in to your Apple ID on a new device or browser, the Apple Watch will automatically alert you, complete with an approximate location of the person. If the sign-in attempt is allowed, a six-digit verification code will then appear to be entered on the new device or browser.

Jeremy Horwitz (@horwitz), June 10, 2019: "Something I haven’t seen before watchOS 6: the Apple Watch can now receive and display Apple ID Verification Codes as a trusted device for 2-factor authentication. pic.twitter.com/Oin8AbYEDc"

This functionality has been available on iPhones and iPads since iOS 9, and on Macs since OS X El Capitan, for Apple ID accounts with two-factor authentication enabled. Now, users simply have one more option in the Apple

Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks

New York resident Jay Brodsky has filed a frivolous class action lawsuit against Apple, alleging that the company's so-called "coercive" policy of not letting customers disable two-factor authentication beyond a two-week grace period is both inconvenient and violates a variety of California laws. The complaint alleges that Brodsky "and millions of similarly situated consumers across the nation have been and continue to suffer harm" and "economic losses" as a result of Apple's "interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in."

In a support document, Apple says it prevents customers from turning off two-factor authentication after two weeks because "certain features in the latest versions of iOS and macOS require this extra level of security":

"If you already use two-factor authentication, you can no longer turn it off. Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks. Just open your enrollment confirmation email and click the link to return to your previous security settings. Keep in mind, this makes your account less secure and means that you can't use features that require higher security."

The complaint is riddled with questionable allegations, however, including that Apple released a software update around September 2015 that enabled two-factor authentication on Brodsky's Apple ID without his knowledge or consent. Apple in

YubiKey Gains iOS SDK to Enable Secure 2FA Logins in Select Apps Using NFC

Yubico is a company that sells the "YubiKey," a small piece of hardware that protects access to computers and online accounts by providing strong two-factor authentication in lieu of receiving a text message code on a smartphone or other 2FA steps. With the NFC-equipped YubiKey NEO, Android users have been able to authenticate their log-ins with a tap, and this week Yubico announced that ability has launched for iPhone users as well (via The Next Web). With the launch of the YubiKit 1.0.0 iOS SDK, the company is allowing developers to add support for the YubiKey NEO into their iOS apps, starting with sole support from LastPass. Once set up with a LastPass account, the YubiKey NEO generates a one-time password, and when the user gets to the 2FA log-in screen, they simply tap the NEO near the back of the iPhone to authenticate. It has been possible for developers to integrate with YubiKey NEO since iOS 11 launched in September, but the debut of the SDK should lead to wider adoption since it will be far easier for developers to introduce support for the device's NFC abilities. The NEO does not require a battery to function, nor does it need network connectivity, and Yubico says that it is "four times faster" than typing a traditional one-time passcode. In addition to NFC, the device has a dongle for USB-A connectivity so it can double as an authenticator on laptop and desktop computers, and Yubico says that it's crush resistant and waterproof. The YubiKey NEO is supported on iPhone 7 devices and newer, and for LastPass the feature is supported under the

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password. As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app. Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.

"Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text. I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code."

Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password. The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a

Apple Migrating iOS 11 and macOS High Sierra Users With Two-Step Verification to Two-Factor Authentication

Apple recently emailed Apple ID users with two-step verification enabled to inform them that, upon installing iOS 11 or macOS High Sierra, they will be automatically updated to its newer two-factor authentication method. Apple introduced two-factor authentication in 2015 as an improved version of its two-step verification method for securing an Apple ID account with both a password and a secondary form of verification. Two-factor authentication requires an Apple device with iOS 9, OS X El Capitan, watchOS 2, any tvOS version, or later.

The two security methods are similar in many ways, but two-factor authentication automatically sends a six-digit verification code to all trusted devices registered to a given Apple ID, whereas two-step verification manually prompts users to send a four-digit code to any SMS-capable trusted device registered. Two-factor authentication also displays a map on all trusted devices with an approximate location of where an Apple ID sign-in attempt occurred when a user is trying to access the account from an unknown device or on the web.

Apple's two-factor authentication method disables the Recovery Key by default, since offline verification codes can be generated on trusted devices in the Settings app. On iOS, users can still enable the Recovery Key as a backup method in Settings > Apple ID > Password & Security > Recovery Key.

The full text of the email is copied below:

If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use

Apple Updates iTunes Remote App With Two-Factor Authentication for Home Sharing

Apple today updated its iTunes Remote app, which is designed to allow users to control their iTunes libraries from anywhere in the home. The new update adds support for Apple's Two-Factor Authentication system, adding an extra layer of security when signing in for Home Sharing purposes. Using Home Sharing will now require a verified device or a verified phone number that can receive a Two-Factor Authentication code, preventing an unauthorized user from accessing a home library with just a password. For those unfamiliar with Two-Factor Authentication, it is an opt-in system that's designed to increase the security of Apple ID accounts. It asks users to provide a verified code when signing in to new devices, when using iCloud, and when using services like iMessage and FaceTime. Apple's iTunes Remote app was last updated in September of 2016, adding iOS 10 compatibility and minor performance and stability improvements. The app lets users browse their iTunes libraries and send music to AirPlay speakers. The iTunes Remote app can be downloaded from the App Store for free.

New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication

The US National Institute for Standards and Technology has released a new draft of its Digital Authentication Guideline, which sets the rules that all authentication software eventually follows. In the document, NIST deprecates the implementation of SMS as a method with which users validate a second level of security on various accounts, "no longer" allowing its use in future guidelines as it is considered not secure enough (via TechCrunch).

[Image: Two-factor authentication via SMS (left) and an alternative trusted iOS device (right)]

Setting up two-factor authentication through text messages is one of the most popular ways users add another layer of security onto an account, on top of a basic password, including those for Apple's own software, like Apple ID and iCloud. Other than SMS, Apple allows users to implement two-factor authentication through a simple push notification sent to another "trusted device," or a phone call.

"If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

The new guidelines also make a point for companies to ensure that two-factor

iCloud for Windows 5 Adds iCloud Photo Library and Two-Factor Authentication

Apple has released iCloud for Windows 5 with support for iCloud Photo Library and two-factor authentication for Apple ID accounts. Windows users were previously limited to accessing iCloud Photo Library through the web interface. Apple recommends that iCloud for Windows users have Windows 7, 8 or 10 installed. For email, the software currently supports Outlook 2007 through Outlook 2013, while Outlook 2016 users can access iCloud Mail, Contacts, and Calendars on iCloud.com.

"Use iCloud Photo Library on your Windows PC to download all of the photos and videos from your Apple devices to your computer, or upload your Windows Pictures library to iCloud. And when you turn on iCloud Photo Sharing, you can share your captured memories with just the people you choose."

Apple has published a support document for setting up and using iCloud Photo Library on Windows.

Apple Introduces Revamped Two-Factor Authentication for iOS 9 and OS X El Capitan

With the third betas of iOS 9 and OS X 10.11 El Capitan, Apple is introducing a revamped two-factor authentication system, according to both the beta release notes and a detailed support FAQ that outlines the changes. The new two-factor authentication system is different from Apple's existing two-step verification system, using "different methods" to trust devices and deliver verification codes. Apple also says it includes a "more streamlined user experience."

Based on the support document, the new two-factor authentication system works similarly to the existing two-step verification system. Any device that you sign into using two-factor authentication in iOS 9 or El Capitan becomes a trusted device that can be used to verify identity when signing into other devices or services linked to an Apple ID.

Apple recommends that iOS 9 and OS X El Capitan beta testers using the new two-factor authentication system update all of their devices to iOS 9 or El Capitan for "the best experience." As outlined in the release notes, customers who use two-factor authentication with older devices may be required to put a six-digit verification code at the end of a password instead of using a dedicated verification field.

"If you enable two-factor authentication, iTunes purchases on Mac and Windows will require you to append a 6-digit code to the end of your password on every purchase. The 6-digit code will automatically be sent to your iOS 9 or OS X El Capitan devices."

Older devices are also not able to receive two-factor authentication codes when used with devices running iOS 9 and