Apple has a new, easier-to-use, and more robust system to protect your login if you’re running the latest major OS release and the latest iTunes on every device connected to the same iCloud account. But you may have to wait for it: the system started rolling out in testing this summer for early public beta testers and developers, and started its full rollout a few days ago with the release of El Capitan.
The new two-factor authentication (2FA) system requires that whenever you log in to a new device or browser, you have to enter not just your password but a confirmation code from another piece of equipment you’ve established is under your control. A second factor prevents someone from stealing or guessing your password and gaining access to your account, which can be done remotely or through a security breach. In addition, they have to have a token that can only be generated by or sent to equipment under your control, which means they typically need physical access to a computer, mobile device, or SIM.
The updated system is similar to Apple’s previous two-step verification option, which remains available indefinitely. The new system invites users, rather than requires a switch. The most significant change is that the new systems does away with the Recovery Key, a last-ditch way to regain your account if you’d lost or lost access to other account information.
Logging in to iCloud via iOS prompts you to enable two-factor authentication if your account has been invited to take part already.
With most companies’ products and services, 2FA comes in the form of a code that you generate from an app or receive via SMS. In less-frequent cases, such as with Twitter, you can opt to receive a confirmation code in an app that’s already been verified. Apple’s system relies on a code, but the company baked the details right into iOS 9 and El Capitan. This results in greater security and easier use: there are fewer steps and more information provided about what’s going on than with other systems.
With Apple’s help, I was able to test the new system, as even though my primary iCloud account, associated with my primary Apple ID, meets the system requirements, I haven’t hit the point in the queue where it’s available. The company notes hundreds of millions of accounts have the potential to move to this new integrated approach, and it will roll it out “gradually this fall.”
(While you may not believe it, an advantage of a fully implemented second factor—where every first use and sometimes every use requires you to enter a code—is that you can have a less-complex password. The password’s importance is reduced. But Apple hasn’t quite reached that point where all Apple ID-using sites require a second factor when it’s enabled. In fact, Apple demands a very strict password if you ever need to reset yours.)
When resetting a password with two-factor use, Apple demands you meet stringent requirements.
Getting started
Apple will offer the new 2FA in two ways: either when you log in to iCloud on a new device or to existing users through the Settings > iCloud (iOS) and the iCloud preference pane (OS X). In the latter case, you should also receive email to your Apple ID-associated email address. In iOS, open iCloud settings, tap your name, and then tap Password & Security. In OS X, in the iCloud preference pane, click Account Details, then click Security. In both cases, you should have an option to enable two-factor authentication if your account has received an invitation.
I went through setting up an account from scratch that was invited to join. After entering my iCloud user name and password, I went through the following process:
An invitation screen explains 2FA briefly. Tap Continue. Users can bypass this by tapping Don’t Use Two-Factor Authentication, which appears in smaller type at the bottom.
Enter a phone number that can receive either text messages or voice calls. In the latter case, an automated system calls and reads the numeric code to you. (In two-step verification, only text messages were available.)
On the Verification page, enter the six-digit code that you received.
During setup, you’re prompted to enter a phone number to receive a code by text or automatic voice.
You’re now set up, and the Password & Security (iOS) and Security (OS X) displays show your two-factor status, and let you create a verification code to use—that’s right, you can essentially request one instead of waiting for one to push to your trusted devices or phone.
Any device already logged in to this iCloud account should remain logged in.
Once you’ve enrolled in two-factor authentication, the iCloud preference pane shows your details and status.
Adding trusted devices and phone numbers
Next, you can add other phone numbers, iOS devices—and Macs, new with 2FA.
Phone numbers are simple, and can be added from any trusted device or from the revamped Apple ID management site. Enter the number, choose phone or voice, and enter the code you receive.
Adding a device requires a few more steps:
On a Mac or an iOS device, log in to iCloud with your account (Settings > iCloud or the iCloud preference pane).
On other logged-in devices, you receive a popup dialog that shows the rough current location of the device with Don’t Allow and Allow buttons. This lets you be sure that someone isn’t logging into your account from an unknown location with your password. Tap or click Allow to continue. Tapping or clicking Don’t Allow triggers no alerts, but neither can the remote user gain access.
On the device on which you tapped or clicked Allow, a popup dialog with a six-digit code appears. Enter that on the new device, and click Done on the authorizing device to dismiss its dialog.
Any new device or browser login prompts this dialog on your connected iOS equpment and Macs.
This new devices now appears in iCloud settings, the iCloud preference pane, and the Apple ID site. From any of those locations, you can see the model name, operating system release, and serial number.
App-specific passwords
Non-Apple software couldn’t use two-step verification for iCloud email, calendar, and contact access. It’s unclear so far whether Apple will release a service interface to let third-party apps tie into the new two-factor ecosystem; Google and some other firms have.
In the meantime, as in the previous version, you can generate up to 25 “ app-specific passwords.” Use the Apple ID site to create these. These passwords can’t be used to access other sorts of features, like the Apple ID site; they’re limited in scope, although gaining access to your email could allow havoc to be wrought. (If you previously used two-step verification, upgrading to 2FA revokes all your app-specific passwords, and you will need to reset them, according to Apple.)
You use app-specific passwords to handle software that needs access to iCloud contacts, calendars, and email outside of Apple’s ecosystem.
In the Security section, click Edit at the right side.
Under App-Specific Password, click Generate Password.
Enter something memorable, like “BusyCal for Mac mini” so you’ll remember what you generated it for later.
Apple generates a 16-character password that you enter as the password for your iCloud account in the software you’re setting up.
Click Done to finish.
Clicking View History shows you all the assigned passwords. If you’re concerned about your security having been compromised, you can access the assignment history and either click a delete button to the right of a given password or click Revoke All and that wipes everything.
What if I forget, lose everything, or am locked out?
If you forget your password, you can reset it via the same system used for password-only accounts: visiting the amusingly named iForgot site. You enter your Apple ID, and then have to authenticate yourself by entering a code in order to have a password reset sent to your address.
You’re warned on your devices when you (or someone else) tries to reset the account password.
Apple adds in protections, as it now asks you to make sure you know the phone number associated with the account, which is a step beyond just having it in your possession. Once you confirm that, a code is sent to your trusted devices, which you can enter; or you can choose to send a code to an associated phone number.
In the two-step world, Apple relied on the Recovery Key as your last-ditch effort. In this new two-factor system, if you don’t have access to trusted phones and trusted devices, you have to apply to Apple to access. This is also the case if your account sees activity Apple judges as indicating its been compromised.
If you’ve lost access to trusted devices and a phone number, you can go through a new recovery process.
In the case where you’ve lost access, you’ll reach a dialog that says “Can’t use this phone number?” If you click Cancel, you can start the process again. Otherwise, click Start Account Recovery, and Apple begins an intentionally slow process that it warns may take up to a week to complete—this is to prevent someone from easily hijacking you, especially with automated responses. You’ll receive various email alerts, which will also let you know something is afoot if you didn’t initiate this. Apple will ask you a number of identifying questions, which should give you access back.
If your account is locked, Apple may require you to receive a call at one of your trusted phone numbers. The details of how this will work haven’t yet been documented or fully disclosed.
Two step, then two factors
While you wait for two-factor authentication to be made available to your account, I still highly recommend enabling two-step verification. It doesn’t prevent you from upgrading, and it offers protection beyond a simple password, even if it’s not as extensive or refined as the new system. Any bar you can set higher for potential attackers or thieves, the better off you are.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.