How to enable Apple's secure two-step verification for your iCloud & iTunes accounts
Last week's celebrity photo leaks were a stark reminder of what can happen to internet users who fail to follow basic security precautions, like enabling two-factor authentication when it's available. With Apple's own security practices under the microscope, AppleInsider shows you how to enable Cupertino's own implementation.

First, you'll need to log in to Apple's web-based Apple ID management system at https://appleid.apple.com/account/home -- just click "Manage your Apple ID," then enter your credentials.
For many, this will be the first time you've actually heard of this portal. It's worth checking out; if you've previously found that updating billing or contact information on your iOS device is a chore, you can do it more easily here.
Once you've logged in, choose "Password and Security" from the navigation options on the left -- you'll be asked to verify your security questions -- then scroll down to the "Two-Step Verification" section. Click the blue "Get Started" link, then peruse the informational screens that follow -- if you still want to proceed, click "Continue."

Apple will send an SMS containing a verification code to the mobile number you've assigned to your Apple ID. It's important to note that if your number is out of date and needs to be changed, you'll have to wait three days after doing so to complete two-step setup -- this is a security measure that prevents malicious actors from immediately locking you out of your own account if it's compromised before two-step verification is enabled.
After you've received the SMS and entered the verification code, you'll then be able to designate as a trusted device any iPad, iPhone, or iPod touch on which you've used your Apple ID to enable Find my iPhone. These are the only devices you'll be able to receive future one-time codes on -- they're sent as a special push notification from Apple, unless you choose to allow codes to be sent via SMS.


Finally, Apple will generate a unique recovery key that can be used to access your account if you forget your password or don't have access to your trusted devices. This is a last resort; Apple recommends that you print or write down the recovery key and store it in a safe place -- in your home safe, for instance, or a safety deposit box.
This is important: if you forget your password, lose your recovery key, and don't have access to your trusted devices, you will not be able to log in to your Apple ID, and Apple will not be able to help.

Once that's complete, you're finished. You'll be asked for a code the next time you try to log in on the web, and Apple will be rolling out two-step verification for more actions -- like restoring backups to a new device -- in the near future.

Comments
Come on guys... this is sloppy... unless I'm missing something. I submitted the feedback to Apple.
Furthermore, what has Apple done to protect all those celebrities whose photos were stolen from Google/Android? The theft wasn't specific to iOS. Apple once again leaves Android users out in the cold when it comes to security!
That is too funny!!!
The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...
Indeed.
The answer to your conundrum is to let people choose their own question and answer. Just don't choose 'What is the meaning of life?' as everyone knows the answer to that.
Q: "Where do you want to live when you retire?"
A: "In the same grave as Dracula." or
A: "Secretariat was the best horse to ever win the Triple Crown." or
A: "Anything."
Just be sure to write the answer down to remember it.
The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...
Then don't put in your pet's name or birthdate or favorite sports team.
Easiest thing to do is enter ALL of the security questions on ALL the sites with the SAME answer. Something that you would know; something simple, like the first person you kissed, shagged or dumped. Doubt that anyone would try that for your pet's name, your birthday, your favourite sports team, etc. Unless you are a kiss-n-tell and you have posted it on your Facebook profile.
Why do people think that your answer to a security question has to have anything to do with the question?
Q: "Where do you want to live when you retire?"
A: "In the same grave as Dracula." or
A: "Secretariat was the best horse to ever win the Triple Crown." or
A: "Anything."
Just be sure to write the answer down to remember it.
Q: "Where do you want to live when you retire?"
A: Mary Jane
Q: "What city were you born in?"
A: Mary Jane
Q: "What is your favourite brand to smoke?"
A: Mary Jane
The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...
Then don't put in your pet's name or birthdate or favorite sports team.
Easiest thing to do is enter ALL of the security questions with the SAME answer. Something that you would know, something simple, like the first person you kissed, shagged or dumped. Doubt that anyone would try that for your pet's name, your birthday, your favourite sports team, etc. Unless you are a kiss-n-tell and you have posted it on your Facebook profile.
Apple doesn't allow that.
Apple owes them the bankruptcy of the platform so that they can be free of its evil.
As a new fan of 1Password, a lot of my security issues have improved; it's just a shame that it doesn't work with app Apple required passwords (iTunes store etc). May have dreamt it but I thought that was changing with iOS 8? Maybe a clever dev could tell me?
Why do people think that your answer to a security question has to have anything to do with the question?
Q: "Where do you want to live when you retire?"
A: "In the same grave as Dracula." or
A: "Secretariat was the best horse to ever win the Triple Crown." or
A: "Anything."
Just be sure to write the answer down to remember it.
Exactly.
I have always ALWAYS answered these questions with completely unrelated answers.
The questions, in fact, do not require an "answer". They only require a "response". You can make that response anything.
Why do people think that your answer to a security question has to have anything to do with the question?
Q: "Where do you want to live when you retire?"
A: "In the same grave as Dracula." or
A: "Secretariat was the best horse to ever win the Triple Crown." or
A: "Anything."
Ah, but you wind up with the Liar's Conundrum: Can you remember which lie you told to whom?
Just be sure to write the answer down to remember it.
Which can be lost or compromised.
Quote:
Exactly what does Apple owe Android users?
Woosh! Right over your head!
EVERYBODY should have two step enabled, but if somebody doesn't have access to two step verification, because it's not supported where they live then:
What street did you grow up on?
#82hs92jd2$
What elementary school did you attend?
(-Ll2n6n3hs+
What city was your father born in?
"c?a&2n4^sas3
The questions are totally irrelevant. Be smart. It's the answers that are important.
Exactly what does Apple owe Android users?
Ridicule, contempt and an asskicking.
EVERYBODY should have two step enabled,
Kind of hard if you've lost a leg.
I'm done.
Ah, but you wind up with the Liar's Conundrum: Can you remember which lie you told to whom?
Which can be lost or compromised.
Roughly an infinite number of ways to avoid loss or compromise.
But what I do is have a piece of paper with all my passwords and answers written down, and I tape that paper to a shelf above the computer. No issues of trying to remember anything. Security? I have not had a stranger in my condo for years. If somebody breaks in and steals my paper? We haven't had a burglary in the neighborhood since I moved in 20 years ago.
I believe I'm far more secure than a Hollywood starlet with a cloud account.