Apple to require two-factor authentication for developer accounts

Posted in General Discussion, edited February 13
In a bid to secure developer accounts from nefarious actors, Apple on Wednesday said all app makers will be required to use the company's two-factor authentication protocol to protect their Apple IDs.

[Image: Apple's two-factor authentication system on iOS.]

The change, which goes into effect on Feb. 27, is designed to keep developer accounts more secure by ensuring only account owners can access the sensitive information, Apple said in an email.

When the backend implementation goes live, developers who do not already have two-factor authentication enabled will be required to enable it when signing in to their Apple Developer account. The same requirement also applies to the developer Certificates, Identifiers & Profiles portal.

Apple's letter to developers:
In an effort to keep your account more secure, two-factor authentication will be required to sign in to your Apple Developer account and Certificates, Identifiers & Profiles starting February 27, 2019. This extra layer of security for your Apple ID helps ensure that you're the only person who can access your account. If you haven't already enabled two-factor authentication for your Apple ID, please learn more and update your security settings.
The email includes links to a support page covering two-factor authentication for Apple ID, as well as a contact form directed to Apple Developer Relations.

Two-factor authentication for developers is identical to the solution rolled out for consumers operating Mac and iOS devices. After activating the feature on macOS or iOS, every Apple ID login attempt on an unregistered device requires both a password and a six-digit code generated by Apple and sent to a trusted iPhone, iPad or Mac. Apple does not require a verification code when accessing Apple ID from a trusted device, though that status will be revoked if a user signs out completely or erases the device.

While not foolproof, two-factor authentication significantly enhances account security, and in doing so reduces the chance of unwarranted access by an outside party.

Comments

  • Reply 1 of 14
    That should’ve been standard practice from the beginning.
  • Reply 2 of 14
    That should’ve been standard practice from the beginning.
    Agree, I'm already good to go. 
  • Reply 3 of 14
    gustav Posts: 823, member
    That should’ve been standard practice from the beginning.
    The only issue with this is that Apple's 2FA requires a device be signed into iCloud with that Apple ID. Many developers have a personal Apple ID and a separate one for their Developer Apple ID. So, you need to have a separate device with you at all times in order to sign into your Developer Apple ID.

    I wish Apple would also support TOTP.
  • Reply 4 of 14
    I do think 2-factor authentication goes a long way to offering more protection, but is really designed for individuals, not companies. For example, how does a company the size of Apple secure a "developer account" with another company? Who is the "account owner" within the context of such a large company? Which devices used for authentication belong to that owner? This is where 2-factor authentication breaks down.

    EDIT: Maybe I misunderstood slightly. This seems to be about securing the Apple IDs that belong to the designated account owner.... so it's still authenticating an individual, not a company.
    edited February 13
  • Reply 5 of 14
    As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

    (If you have any questions, I invite you to look at that thread from just a couple of days ago.)
  • Reply 6 of 14
    lukei Posts: 332, member
    As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

    (If you have any questions, I invite you to look at that thread from just a couple of days ago.)
    It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

    Compare this to Google, who require a text-message-based code.
  • Reply 7 of 14
    MacPro Posts: 18,165, member
    That should’ve been standard practice from the beginning.
    Agreed, it never occurred to me this wasn't the case, to be honest.
  • Reply 8 of 14
    lukei said:
    As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

    (If you have any questions, I invite you to look at that thread from just a couple of days ago.)
    It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

    Compare this to Google, who require a text-message-based code.
    Google and plenty of others. 

    It works fine for me. 
  • Reply 9 of 14
    lukei said:
    As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

    (If you have any questions, I invite you to look at that thread from just a couple of days ago.)
    It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

    Compare this to Google, who require a text-message-based code.
    Google do not require an SMS code. You can (and should) turn off SMS and use the 6 digits generated by the paired Google Authenticator app, Authy, 1Password, or any of the many other 2FA-compatible apps that Google's 2FA works with. SMS for 2FA is dangerous.
  • Reply 10 of 14
    blah64 Posts: 917, member
    vmarks said:
    lukei said:
    As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

    (If you have any questions, I invite you to look at that thread from just a couple of days ago.)
    It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

    Compare this to Google, who require a text-message-based code.
    Google do not require an SMS code. You can (and should) turn off SMS and use the 6 digits generated by the paired Google Authenticator app, Authy, 1Password, or any of the many other 2FA-compatible apps that Google's 2FA works with. SMS for 2FA is dangerous.
    Thanks for saying this, it's a really important point that most people don't think about or don't understand. Let me reiterate and highlight what you said:

    SMS for 2FA is dangerous.

    2FA is a good concept, but not over SMS, which is completely insecure and monitored by many. Frankly, in some ways it's worse than nothing at all because it lulls people into trusting an insecure security method.

    Separately, I need to look into the details of this further, but while I totally support the option of 2FA, making it a hard requirement seems onerous. I manage my data security (and data privacy) very, very carefully. I do NOT use iCloud, nor do I use SMS, nor do I allow any kind of push services to any of my devices, whether from Apple or anyone else. I do iOS and macOS development for private apps that do not need to be in the App Store. I took a quick glance at the support page, and it looks like they support iPod touch as a trusted device, which sounds like a good starting point because it means they don't require SMS. But my dev work is 98% offline, and my devices never touch Apple's servers unless running through a VPN, with a different location/IP nearly every time. This requirement sounds troubling.

    I'll be researching over the weekend, but thought I'd throw this out there in the meantime.  Any tips/info before that would be great.
  • Reply 11 of 14
    gatorguy Posts: 20,444, member
    lukei said:
    As the recent thread on 2FA pointed out in spades, Apple really needs to up its game on how it implements 2FA. It’s annoying, and clunky. Period.

    (If you have any questions, I invite you to look at that thread from just a couple of days ago.)
    It works fine for me. I get a 2FA request about once a month and it takes seconds to respond. All happens within the platform. 

    Compare this to Google, who require a text-message-based code.
    No they don't. I use a hardware key for instance. Some folks are happy with a screen pop-up asking if it's "you" signing in on another device. There's other methods such as Google Authenticator. There's no text-message requirement.

    You've confused it with being an OPTION, and because of the possibility, rare as it might be, of man-in-the-middle interception, it's not the best way even if it's convenient for a lot of folks.
    edited February 15
  • Reply 12 of 14
    equippedcoding Posts: 1, unconfirmed member
    THIS IS STUPID!!! Hopefully we as developers understand security and know how to implement and protect our usernames and passwords from our end. To have to have that second device on hand every time I want to sign into my developer account seems problematic, frustrating, annoying and everything else. You security hawks can say all you want about security, but WE ARE DEVELOPERS, WE KNOW the platform should not be requiring this. This is the same as when they require us to use HTTPS for making requests, infuriating! I'm the developer. It's my program; they're not going to hack into my app and then somehow hack into Apple. Developers need to learn security measures; platforms don't need to lock you out because of some idea that they're protecting us. YOU'RE NOT!
  • Reply 13 of 14
    Let’s be honest, it was a tad bit for security measures, but it was more along the lines of stopping the third-party App Stores from being utilized, as they have revoked most of the developer profiles lol
  • Reply 14 of 14
    nht Posts: 4,429, member
    THIS IS STUPID!!! Hopefully we as developers understand security and know how to implement and protect our usernames and passwords from our end. To have to have that second device on hand every time I want to sign into my developer account seems problematic, frustrating, annoying and everything else. You security hawks can say all you want about security, but WE ARE DEVELOPERS, WE KNOW the platform should not be requiring this. This is the same as when they require us to use HTTPS for making requests, infuriating! I'm the developer. It's my program; they're not going to hack into my app and then somehow hack into Apple. Developers need to learn security measures; platforms don't need to lock you out because of some idea that they're protecting us. YOU'RE NOT!
    Sorry, known too many developers to buy this nonsense.