Apple to require two-factor authentication for developer accounts

AppleInsider

In a bid to secure developer accounts from nefarious actors, Apple on Wednesday said all app makers will be required to use the company's two-factor authentication protocol to protect their Apple IDs.

Apple's two-factor authentication system on iOS.

The change, which goes into effect on Feb. 27, is designed to keep developer accounts more secure by ensuring only account owners can access the sensitive information, Apple said in an email.

When the backend implementation goes live, developers who do not already have two-factor authentication enabled will be required to do so when signing in to their Apple Developer account. Enhanced security also applies to developer Certificates, Identifiers & Profiles.

Apple's letter to developers:

In an effort to keep your account more secure, two-factor authentication will be required to sign in to your Apple Developer account and Certificates, Identifiers & Profiles starting February 27, 2019. This extra layer of security for your Apple ID helps ensure that you're the only person who can access your account. If you haven't already enabled two-factor authentication for your Apple ID, please learn more and update your security settings.

The email includes links to a support page covering two-factor authentication for Apple ID, as well as a contact form directed to Apple Developer Relations.

Two-factor authentication for developers is identical to the solution rolled out for consumers operating Mac and iOS devices. After activating the feature on macOS or iOS, every Apple ID login attempt on an unregistered device requires both a password and a six-digit code generated by Apple and sent to a trusted iPhone, iPad or Mac. Apple does not require a verification code when accessing Apple ID from a trusted device, though that status will be revoked if a user signs out completely or erases the device.

While not foolproof, two-factor authentication significantly enhances account security, and in doing so reduces the chance of unwarranted access by an outside party.

spamsandwich

That should’ve been standard practice from the beginning.

felix01

SpamSandwich said:

That should’ve been standard practice from the beginning.

Agree, I'm already good to go. 

gustav

SpamSandwich said:

That should’ve been standard practice from the beginning.

The only issue with this is that apple's 2FA requires a device be signed into iCloud with that AppleID. Many developers have a personal AppleID and a separate one for Developer AppleID. So, you need to have a separate device with you at all times in order to sign into your Developer Apple ID.

I wish Apple would also support TOTP as well.

coolfactor

I do think 2-factor authentication goes a long way to offering more protection, but is really designed for individuals, not companies. For example, how does a company the size of Apple secure a "developer account" with another company? Who is the "account owner" within the context of such a large company? Which devices used for authentication belong to that owner? This is where 2-factor authentication breaks down.

EDIT: Maybe I misunderstood slightly. This seems to be about securing the Apple IDs that belong to the designated account owner.... so it's still authenticating an individual, not a company.

edited February 2019

anantksundaram

As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

(If you have any questions, I invite you look at that thread from just a couple of days ago). 

lukei

anantksundaram said:

As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

(If you have any questions, I invite you look at that thread from just a couple of days ago). 

It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

Compare this to Google who require a text message based code. 

macpro

SpamSandwich said:

That should’ve been standard practice from the beginning.

Agreed, it never occurred to me this wasn't the case, to be honest.

anantksundaram

lukei said:

anantksundaram said:

As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

(If you have any questions, I invite you look at that thread from just a couple of days ago). 

It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

Compare this to Google who require a text message based code. 

Google and plenty of others. 

It works fine for me. 

vmarks

lukei said:

anantksundaram said:

As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

(If you have any questions, I invite you look at that thread from just a couple of days ago). 

It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

Compare this to Google who require a text message based code. 

Google do not require a SMS code. You can (and should) turn off SMS and use the 6 digits generated by the paired Google Authenticator app, Authy, 1Password, or any of the many other 2FA compatible apps that Google's 2FA works with. SMS for 2FA is dangerous.

blah64

vmarks said:

lukei said:

anantksundaram said:

As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

(If you have any questions, I invite you look at that thread from just a couple of days ago). 

It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

Compare this to Google who require a text message based code. 

Google do not require a SMS code. You can (and should) turn off SMS and use the 6 digits generated by the paired Google Authenticator app, Authy, 1Password, or any of the many other 2FA compatible apps that Google's 2FA works with. SMS for 2FA is dangerous.

Thanks for saying this, it's a really important point that most people don't think about or don't understand.  Let me reiterate and highlight what you said:

SMS for 2FA is dangerous.

2FA is a good concept, but not over SMS, which is completely insecure and monitored by many.  Frankly, in some ways it's worse than nothing at all because it lulls people into trusting an insecure security method.

Separately, I need to look into the details of this further, but while I totally support the option of 2FA, making it a hard requirement seems onerous.  I manage my data security (and data privacy) very, very carefully.  I do NOT use iCloud, nor do I use SMS, nor do I allow any kind of push services to any of my devices, whether from Apple or anyone else.  I do iOS and macOS development for private apps that do not need to be in the app store.  I took a quick glance at the support page, and it looks like they support iPodTouch as a trusted device, which sounds like a good starting point because it means they don't require SMS.  But my dev work is 98% offline, and my devices never touch Apple's servers unless running through a VPN, with a different location/IP nearly every time.  This requirement sounds troubling.

I'll be researching over the weekend, but thought I'd throw this out there in the meantime.  Any tips/info before that would be great.

gatorguy

lukei said:

anantksundaram said:

As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

(If you have any questions, I invite you look at that thread from just a couple of days ago). 

It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

Compare this to Google who require a text message based code. 

No they don't. I use a hardware key for instance. Some folks are happy with a screen pop-up asking if it's "you" signing in on another device. There's other methods such as Google Authenticator. There's no text-message requirement.

You've confused it with being an OPTION and because of the possibility, rare as it might be, of man-in-the-middle interception it's not the best way even if convenient for a lot of folks. 

edited February 2019

equippedcoding

THIS IS STUPID!!! Hopefully we as developers understand security and know how to implement and protect our usernames and passwords from our end. To have to have that second device on hand every time I want to sign into my developer account seems problematic, frustrating, annoying and everything else. You security hawks can say all you want about security but WE ARE DEVELOPERS WE KNOW the platform should not be requiring this. This is the same as when they require for us to use HTTPS for making request, infuriating! I'm the developer Its my program there not going to hack in to my app then some how hack into apple. Developers need to learn security measures, platforms don't need to lock you out because of some idea that there protecting us, YOUR NOT!

byrdmaynee

Let’s be honest it was a tad bit for security measures but it was more along the lines of stopping the 3rd party App Stores from being utilized, as they have revoked most of the developer profiles lol

nht

equippedcoding said:

THIS IS STUPID!!! Hopefully we as developers understand security and know how to implement and protect our usernames and passwords from our end. To have to have that second device on hand every time I want to sign into my developer account seems problematic, frustrating, annoying and everything else. You security hawks can say all you want about security but WE ARE DEVELOPERS WE KNOW the platform should not be requiring this. This is the same as when they require for us to use HTTPS for making request, infuriating! I'm the developer Its my program there not going to hack in to my app then some how hack into apple. Developers need to learn security measures, platforms don't need to lock you out because of some idea that there protecting us, YOUR NOT!

Sorry, known too many developers to buy this nonsense.

pauljsmith4

Right now I am completely locked our of my apple developer account.

I don't enjoy using apple products. I really dislike getting locked into a single ecoysystem. So I don't use any apple products. However my company has an app in the app store. I'm the manager for that app, and I need to be able to pay for the yearly app subscription and agree to the regular updates to the agreement. As I don't use any apple device I can't set up apple 2fa.

Why could apple not support authy like most normal companies? I've sent apple an email about this - we'll wait and see what they say.

Just another joy of using Apple.

This is so silly.

As this is Apple I'll probably be told to buy some Apple device to actually log into my developer account. So ridiculous.

mike wuerthele

pauljsmith4 said:

Right now I am completely locked our of my apple developer account.

I don't enjoy using apple products. I really dislike getting locked into a single ecoysystem. So I don't use any apple products. However my company has an app in the app store. I'm the manager for that app, and I need to be able to pay for the yearly app subscription and agree to the regular updates to the agreement. As I don't use any apple device I can't set up apple 2fa.

Why could apple not support authy like most normal companies? I've sent apple an email about this - we'll wait and see what they say.

Just another joy of using Apple.

This is so silly.

As this is Apple I'll probably be told to buy some Apple device to actually log into my developer account. So ridiculous.

The linked page in this article discusses "trusted phone numbers" that don't require an Apple device.

pauljsmith4

Yeah - but you still need to set up 2fa with a trusted device in the first case!

Anyway - Apple replied and are happy for me to stay on the less secure 2 step verification (sms) as I have no apple device.

I'd prefer authy over this - as sms is not secure - but i'll take it.

reeldeal

I would agree that Apple has our "interests" in mind were it not for the fact that they REQUIRE an APPLE device to do the 2 step auth. That's total B.S. I make design apps, and developing in Apple is a total nightmare. I lay off the developing to others and I keep an old iPod touch just to test. This is nothing more than yet ANOTHER way to force us to use their devices. I do not accept, at all, that this couldn't have been implemented to allow any device to manage the 2 step. FU APPLE!