How to implement Apple's two-factor authentication for security on Mac, iPhone, or iPad

AppleInsider

Given the news about the cost of a pilfered iCloud account, it seems only prudent for users to take precautions. A good safety measure is two-factor authentication -- AppleInsider shows you how to turn it on from your Mac or your iPhone.

Two-factor authentication does not replace your iCloud password in any way. Rather, it provides a second layer of confirmation that you are who you are, and that an attempt made to log in to your account is spotted by you prior to allowing access.

When a new device attempts to log into an iCloud account, a six-digit verification code is sent to authorized devices. Plus, the general location of the device is shown on a map -- so if you're in Boston, Mass., and a login attempt comes from Australia, you know there's a problem.

Two-factor authentication requires devices on iOS 9 or newer, and macOS El Capitan 10.11 or Sierra 10.12.

On your Mac:

• In System Preferences, open up iCloud
  
• Select Account Details
  
• Click Security
  
• Click Turn on Two-Factor Authentication

• 
• 
• 
• 
• 

Or on an iOS device:

• Open Settings
  
• Tap on your iCloud account
  
• Tap on Password and Security
  
• Tap Turn on Two-Factor Authentication

• 
• 
• 

What next?

In either case, you can add trusted devices by signing into iCloud from the device or browser. It will then pop up the dialog box we mentioned in the beginning of the procedure.

To add a device, hit Allow. The device that you've accepted the login request from will then dole out a six-digit code -- enter that in the dialog box on the device you're trying to log in from, and click Done.

The device will continue to be trusted until you erase the SSD on the Mac, or format the iPhone or iPad factory-fresh.

• 
• 
• 

blastdoor

I currently use my iCloud id/password to login to my Macs. I feel like I read somewhere that you can't do that if you turn on 2FA. Is that true? What happens if you turn on 2FA when already using iCloud id to log-in to Macs?

melgross

The problem is that it doesn't always work properly. As shown in the article, a message box to enter the code pops up on the device you want to use for the two factor. The other day, I decided to move my iPad Pro 12.9" to two factor. I went through the first steps. After a short while, my phone popped up a notification giving me a code, telling me to type that in. But my iPad showed no window to type it. Then a while later, Apple sent another code, but still, no window to type in. So, still no two factor for my iPad.

edited March 2017

mike wuerthele

melgross said:

The problem is that it doesn't always work properly. As shown in the article, a message box to enter the code pops up on the device you want to use for the two factor. The other day, I decided to move my iPad Pro 12.9" to two factor. I went through the first steps. After a short while, my phone popped up a notification giving me a code, telling me to type that in. But my iPad showed no window to type it. Then a while later, Apple sent another code, but still, no window to type in. So, still no two factor for my iPad.

This is generally resolved by a hard reboot of the iPad, and in some extreme cases a restore from backup.

baconstang

Recently I've received two phishing attempts by email.   They informed me that my AppleID had been used in Australia or France, and that I needed to change my password to "unlock" my account.  They even gave me a link with which to do it.  How nice of them.
It looked pretty close to what you get from Apple when you add a device to iCloud.

spice-boy

This is a nightmare in my case. I have a very old email address from (drum roll) iTools days. It is my first name with no numbers or anything else, not the most common name either but it only brings me grief now. Since Apple forced people to get an iCloud account my account is locked down daily, a record 4 times on one day recently by people trying to log into my account, thinking it was theirs because they apparently have no memory for such technical things. I have been on phone with Apple several times trying to figure out a way to prevent this or to disable my .me and .icould username to prevent unwanted email from those accounts. If I need to have 2 devices handy each time my iCould account gets lock for (security reasons) it would drive me nuts. No thanks Apple. 

melgross

Mike Wuerthele said:

melgross said:

The problem is that it doesn't always work properly. As shown in the article, a message box to enter the code pops up on the device you want to use for the two factor. The other day, I decided to move my iPad Pro 12.9" to two factor. I went through the first steps. After a short while, my phone popped up a notification giving me a code, telling me to type that in. But my iPad showed no window to type it. Then a while later, Apple sent another code, but still, no window to type in. So, still no two factor for my iPad.

This is generally resolved by a hard reboot of the iPad, and in some extreme cases a restore from backup.

Well, I tried the hard reboot, and that didn't work. A restore from back-up is something I didn't try. I'll try that later, though I made an encrypted back-up right before I tried this, so I can't see what might be different.

indiekiduk

The added inconvenience is ok for yourself but unbearable if you manage your parents accounts since you no longer have web access to their iCloud.

blastdoor

indiekiduk said:

The added inconvenience is ok for yourself but unbearable if you manage your parents accounts since you no longer have web access to their iCloud.

Good point. 

I think I'll be staying away from 2FA for a while... it still seems half baked. 

edred

blastdoor said:

I currently use my iCloud id/password to login to my Macs. I feel like I read somewhere that you can't do that if you turn on 2FA. Is that true? What happens if you turn on 2FA when already using iCloud id to log-in to Macs?

I use iCloud pass to login to my macs with 2FA turned on and have had no problems so far.

maestro64

When I set this up Apple game me the Hash Hex number to which they said to keep in a safe place since it would be required to recover my account if anything ever happen like I could not remember my pass word or I was locked out of my account. This was part of the Two-Factor Authentication process when I set it up. Has anyone else done this. I know recently I had an issue and had to use the hex number to get things working again.

bostonbri

This is a little different in ios 10.3 beta.    You need to go to Settings, click on your name on the top of screen, Password & Security.  There you can establish 2 factor authentication and also change password plus get a verification code to sign in on another device or at icloud.com

marvin

Sooner or later companies are going to have to move beyond password schemes entirely. They are the weakness that's causing the ever more complex login setups, it's just passwords upon passwords and security questions. This has already been solved with servers using encryption keys. You don't need to remember anything or type anything. You setup an encryption key pair automatically and keep the private key. Then the server can use challenge-response authentication automatically to establish the connection. The only issue to deal with is storing the private keys and syncing them between devices but this is trivial for Apple and they can be secured behind touch id and/or the secure enclave and have an API that has no read access to the keys but can only send messages to a system that decodes data.

This eliminates the possibility of people reusing passwords or having common password schemes across different services. It is already compatible with online login systems. It eliminates the possibility of anyone stealing passwords through a security breach because there would only be public keys on the server, which can't be used to compromise anything on their own.

In the event that someone needs to access a service where they don't have the keys on the system like at work when logging into Facebook but don't want the keys stored there, a smartphone can authenticate the login and generate a time-limited code. This can be a 4 character code because when it's tied to the account id and the time limit, it's not going to be compromised. On Macs, they can can even do handoff-style logins so you don't have to type anything but this particular system can work cross-platform too.

Microsoft uses it for Azure but they can use it for everything like email, Skype etc. The big tech companies use this themselves to securely login to things I don't know why they don't at least experiment with it for everyday logins.

spice-boy

I'll wait for "Three-Factor Authentication" or perhaps "Four-Factor Authentication"

mike wuerthele

maestro64 said:

When I set this up Apple game me the Hash Hex number to which they said to keep in a safe place since it would be required to recover my account if anything ever happen like I could not remember my pass word or I was locked out of my account. This was part of the Two-Factor Authentication process when I set it up. Has anyone else done this. I know recently I had an issue and had to use the hex number to get things working again.

That's not 2FA. That's two-factor verification, and has been deprecated. You can still do it, but Apple recommends turning it off, and shifting to TFA.

mike wuerthele

spice-boy said:

I'll wait for "Three-Factor Authentication" or perhaps "Four-Factor Authentication"

That'll be fun.

strangedays

spice-boy said:

I'll wait for "Three-Factor Authentication" or perhaps "Four-Factor Authentication"

leehamm

spice-boy said:

 If I need to have 2 devices handy each time my iCould account gets lock for (security reasons) it would drive me nuts. No thanks Apple. 

Ha, yes, because sometimes the answer is iCouldn't...

georgebmac

blastdoor said:

indiekiduk said:

The added inconvenience is ok for yourself but unbearable if you manage your parents accounts since you no longer have web access to their iCloud.

Good point. 

I think I'll be staying away from 2FA for a while... it still seems half baked. 

No, it's not half baked...  It prohibits people from logging into an account from a non-authorized device.  The fact that the account is your parent's is not relevant.  2FA doesn't care -- and neither should it care...

macplusplus

melgross said:

The problem is that it doesn't always work properly. As shown in the article, a message box to enter the code pops up on the device you want to use for the two factor. The other day, I decided to move my iPad Pro 12.9" to two factor. I went through the first steps. After a short while, my phone popped up a notification giving me a code, telling me to type that in. But my iPad showed no window to type it. Then a while later, Apple sent another code, but still, no window to type in. So, still no two factor for my iPad.

That window appears immediately after you enter your password in any iCloud login window. In order to enter the 2FA code sent by Apple you must have initiated a login process on the iPad.

sidrictheviking

Tip of the day: whenever I help friends set this up I recommend adding at least one extra trusted number - especially if they only have one iDevice (I have three trusted numbers on my own iPhone and iPad). It saves a lot of headaches if their iPhone/iPad is lost/stolen/unusable or whatever. Recovering access to their account/iCloud backup when they get their new device is painless. Trust me, it’s worth it for the minute or so it takes to set up. 😎🇮🇪☘️