If you upgrade to two-factor authentication, you can’t log in to your Mac with an iCloud password
Apple slipped in a change in April 2016 that’s affecting people who change the protection on their Apple ID accounts.
A few releases ago, in what was then called Mac OS X, Apple added an option that seemed a convenient way to reduce the number of passwords you had to remember. While setting up a system (or later via the Users & Groups system preference pane), you could opt to use the password for your iCloud account to “login and unlock” your Mac.
The ostensible idea was to make it easier for regular human beings who didn’t want to maintain multiple strong passwords to use a single one in two related locations. While re-using passwords increases risk, this seemed like a reasonable tradeoff for someone who picked a good password.
At some point, Apple thought better of the option, either because of the risk or because of the integration with its newer login validation system, which I recently discussed. Starting in El Capitan 10.11.4, the option to switch to using an iCloud password for login has disappeared. It used to be available after setup when you clicked Change Password while viewing an account in the Users & Groups preference pane.
If you had the option enabled, it didn’t suddenly go away, either in El Capitan or after updating to macOS Sierra. However, once you’ve stopped using this method, you can’t re-enable it.
My friends John and @darth (his Twitter nom de plume) both encountered this when trying to turn on the feature in watchOS 3 and Sierra that allows a Watch to unlock a Mac. This option requires using Apple’s two-factor authentication (2FA), which can only be enabled within iOS or macOS, and only if two-step verification has been turned off. I explain the differences between these two validation methods and how to accomplish this change in a recent Private I column.
(This is rather confusing, and I had exchanges with two veteran Apple gurus after the article came out because 2FA is the generic term for any second-factor use, including both the old and new methods Apple offers! Just remember this: two-step can only be turned on from the Apple ID website; two-factor can only be enabled within iOS or macOS.)
However, after John and Darth disabled two-step logins and went to enable two-factor authentication in macOS, the system prompted them to set a new password for their respective Macs. This surprised them, as they hadn’t thought of their Apple ID/iCloud login identity as something separate from their Mac login.
If you’re dying to keep a single password for both your iCloud account and your Mac, you can’t upgrade or switch to 2FA. However, while it may be inconvenient to remember two passwords, I highly recommend using 2FA. It makes it substantially harder for your Apple ID to be compromised, even in the (hopefully) unlikely event your password is guessed or cracked.