How to enable Apple's secure two-step verification for your iCloud & iTunes accounts

Posted:
in iPhone edited September 2014
Last week's celebrity photo leaks were a stark reminder of what can happen to internet users that fail to follow basic security precautions, like enabling two-factor authentication when it's available. With Apple's own security practices under the microscope, AppleInsider shows you how to enable Cupertino's own implementation.




First, you'll need to login to Apple's web-based Apple ID management system at https://appleid.apple.com/account/home -- just click "Manage your Apple ID," then enter your credentials.

For many, this will be the first time you've actually heard of this portal. It's worth checking out; if you've previously found that updating billing or contact information on your iOS device is a chore, you can do it more easily here.

Once you've logged in, choose "Password and Security" from the navigation options on the left -- you'll be asked to verify your security questions -- then scroll down to the "Two-Step Verification" section. Click the blue "Get Started" link, then peruse the informational screens that follow -- if you still want to proceed, click "Continue."




Apple will send an SMS containing a verification code to the mobile number you've assigned to your Apple ID. It's important to note that if your number is out of date and needs to be changed, you'll have to wait three days after doing so to complete two-step setup -- this is a security measure that prevents malicious actors from immediately locking you out of your own account if it's compromised before two-step verification is enabled.

After you've received the SMS and entered the verification code, you'll then be able to designate as a trusted device any iPad, iPhone, or iPod touch on which you've used your Apple ID to enable Find my iPhone. These are the only devices you'll be able to receive future one-time codes on --?they're sent as a special push notification from Apple, unless you choose to allow codes to be sent via SMS.







Finally, Apple will generate a unique recovery key that can be used to access your account if you forget your password or don't have access to your trusted devices. This is a last resort; Apple recommends that you print or write down the recovery key and store it in a safe place -- in your home safe, for instance, or a safety deposit box.

This is important: if you forget your password, lose your recovery key, and don't have access to your trusted devices, you will not be able to login to your Apple ID, and Apple will not be able to help.




Once that's complete, you're finished. You'll be asked for a code the next time you try to login on the web, and Apple will be rolling out two-step verification for more actions --?like restoring backups to a new device --?in the near future.
«134

Comments

  • Reply 1 of 68
    The page on the site that says "your password is too easy...change it" has flawed logic. My old password did have three repeating characters. It was pre-populated in the "old password" field, and then of course there are two new fields for new password entry. I entered strong passwords, there, then hit submit, and it appears the site is applying the "new password" logic to the "old password" field, telling me I cannot have three characters in a row (in my old password).

    Come on guys... this is sloppy... unless I'm missing something. I submitted the feedback to Apple.
  • Reply 2 of 68
    john.bjohn.b Posts: 2,740member
    The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many [URL=http://xkcd.com/936/]bits of entropy[/URL] your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...
  • Reply 3 of 68
    nagrommenagromme Posts: 2,834member
    Furthermore, what has Apple done to protect all those celebrities whose photos were stolen from Google/Android? The theft wasn't specific to iOS. Apple once again leaves Android users out in the cold when it comes to security!
  • Reply 4 of 68
    Quote:

    Originally Posted by nagromme View Post



    Furthermore, what has Apple done to protect all those celebrities whose photos were stolen from Google/Android? The theft wasn't specific to iOS. Apple once again leaves Android users out in the cold when it comes to security!

    That is too funny!!!

  • Reply 5 of 68
    Quote:

    Originally Posted by John.B View Post



    The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...

     

    Indeed.

     

    The answer to your conundrum is to let people choose their own question and answer. Just don't choose 'What is the meaning of life?' as everyone knows the answer to that.

  • Reply 6 of 68
    Why do people think that your answer to a security question has to have anything to do with the question?

    Q: "Where do you want to live when you retire?"

    A: "In the same grave as Dracula." or
    A: "Secretariat was the best horse to ever win the Triple Crown." or
    A: "Anything."

    Just be sure to write the answer down to remember it.
  • Reply 7 of 68
    onhkaonhka Posts: 1,025member
    Quote:
    Originally Posted by John.B View Post



    The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...

     

    Then don't put in your pet's name or birthdate or favorite sports team.

     

    Easiest thing to do is enter ALL of the security questions on ALL the sites with the SAME answer. Something that you would know; something simple, like the first person you kissed, shagged or dumped. Doubt that anyone would try that for your pet's name, your birthday, your favourite sports team, etc. Unless you are a kiss-n-tell and you have posted it on your Facebook profile.

     

    Quote:

    Originally Posted by Bluestone View Post



    Why do people think that your answer to a security question has to have anything to do with the question?



    Q: "Where do you want to live when you retire?"



    A: "In the same grave as Dracula." or

    A: "Secretariat was the best horse to ever win the Triple Crown." or

    A: "Anything."



    Just be sure to write the answer down to remember it.

      

    Q: "Where do you want to live when you retire?"

    A:  Mary Jane

     

    Q: "What city where you born in? 

    A:  Mary Jane

     

    Q: "What is your favourite brand to smoke? 

    A:  Mary Jane

  • Reply 8 of 68
    Quote:

    Originally Posted by Onhka View Post

     
    Quote:
    Originally Posted by John.B View Post



    The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...

     

    Then don't put in your pet's name or birthdate or favorite sports team.

     

    Easiest thing to do is enter ALL of the security questions with the SAME answer. Something that you would know, something simple, like the first person you kissed, shagged or dumped. Doubt that anyone would try that for your pet's name, your birthday, your favourite sports team, etc. Unless you are a kiss-n-tell and you have posted it on your Facebook profile.


     

    Apple doesn't allow that.

  • Reply 9 of 68
    Exactly what does Apple owe Android users?
  • Reply 10 of 68
    Don't forget that Apple's two-factor authentication system does not work globally, but only in few countries.
  • Reply 11 of 68
    Originally Posted by 2old4fun View Post

    Exactly what does Apple owe Android users?

     

    Apple owes them the bankruptcy of the platform so that they can be free of its evil.

  • Reply 12 of 68

    As a new fan of 1Password a lot of my security issues have improved its just a shame that it doesn't work with app Apple required passwords (iTunes store etc). May have dreamt it but I thought that was changing with iOS 8? Maybe a clever dev could tell me?

  • Reply 13 of 68
    Good article with simple instructions. Sometimes, Apple's website is not the easiest to navigate. Searching it with Google is often better.
  • Reply 14 of 68
    Quote:

    Originally Posted by Bluestone View Post



    Why do people think that your answer to a security question has to have anything to do with the question?



    Q: "Where do you want to live when you retire?"



    A: "In the same grave as Dracula." or

    A: "Secretariat was the best horse to ever win the Triple Crown." or

    A: "Anything."



    Just be sure to write the answer down to remember it.

    Exactly.

    I have always ALWAYS answered these questions with completely unrelated answers.

    The questions, in fact, do not require an "answer". They only require a "response". You can make that response anything.

  • Reply 15 of 68
    john.bjohn.b Posts: 2,740member
    Quote:

    Originally Posted by Bluestone View Post



    Why do people think that your answer to a security question has to have anything to do with the question?



    Q: "Where do you want to live when you retire?"



    A: "In the same grave as Dracula." or

    A: "Secretariat was the best horse to ever win the Triple Crown." or

    A: "Anything."

     

    Ah, but you wind up with the Liar's Conundrum:  Can you remember which lie you told to whom?

     

    Quote:

    Originally Posted by Bluestone View Post



    Just be sure to write the answer down to remember it.

     

    Which can be lost or compromised.

  • Reply 16 of 68
    john.bjohn.b Posts: 2,740member

    Quote:


    Originally Posted by 2old4fun View Post



    Exactly what does Apple owe Android users?

     

    Woosh!  Right over your head!  <img class=" src="http://forums-files.appleinsider.com/images/smilies//lol.gif" /> 

  • Reply 17 of 68
    apple ][apple ][ Posts: 9,233member

    EVERYBODY should have two step enabled, but If somebody doesn't have access to two step verification, because it's not supported where they live then:

     

    What street did you grow up on?

     

    #82hs92jd2$

     

    What elementary school did you attend?

     

    (-Ll2n6n3hs+

     

    What city was your father born in?

     

    "c?a&2n4^sas3

     

    The questions are totally irrelevant. Be smart. It's the answers that are important.

  • Reply 18 of 68
    apple ][apple ][ Posts: 9,233member
    Quote:

    Originally Posted by 2old4fun View Post



    Exactly what does Apple owe Android users?

     

    Ridicule, contempt and an asskicking.

  • Reply 19 of 68
    Quote:

    Originally Posted by Apple ][ View Post

     

    EVERYBODY should have two step enabled, 


     

    Kind of hard if you've lost a leg.

     

    I'm done.

  • Reply 20 of 68
    Quote:

    Originally Posted by John.B View Post

     

     

    Ah, but you wind up with the Liar's Conundrum:  Can you remember which lie you told to whom?

     

     

    Which can be lost or compromised.


    Roughly an infinite number of ways to avoid loss or compromise.  

     

    But what I do is have a piece of of paper with all my passwords and answers written down, and I tape that paper to a shelf above the computer.  No issues of trying to remember anything.  Security?  I have not had a stranger in my condo for years.  If somebody breaks in a steals my paper?  We haven't had a burglary in the neighborhood since I moved in 20 years ago.

     

    I believe I'm far more secure than a hollywood starlet with a cloud account.

Sign In or Register to comment.