Two-factor authentication (2FA) is a method of protecting an online account. The two factors in 2FA are things that identify you: something you yourself know, like a password, and something you have that can receive a token to confirm who you are, such as a smartphone.
Apple’s original two-step system relied on its Apple ID site for setup and management, and could only send codes to iOS devices and via SMS. Its update in September 2015 left two-step in place for those who continued to want to use it, but the 2FA revision was far better. Enrollment happens via iOS and macOS. Apple’s system isn’t as robust as some security experts would like, but it’s definitely better than a password-only option.
If you’re still using two-step verification (and if not, you didn’t need to read this far), Apple converts your account to 2FA with iOS 11 or High Sierra. Here’s what you need to know:
[Editor's note: This article was updated at 10 a.m. PT to include information about regenerating a Recovery Key as an option only for automatically upgraded accounts, and information about using older versions of the OS.]
Your Recovery Key is no longer needed, although you can opt into using it (see below). If you don’t opt in to retain a Recovery Key, you rely on Apple’s account-recovery process. If you forget or lose your password and all your trusted devices and phone numbers, you can contact Apple, which has an intentionally slow process you have to go through to unlock and reclaim your account by proving your identity.
You only use the Apple ID site to manage app-specific passwords for third-party calendar, contacts, and email apps. These single-use passwords let you bypass authentication, and became mandatory in June for third-party iCloud access. (If you were using any previously, Apple already stopped allowing them to work! If you wondered why, that’s the explanation.)
When you log in and Apple’s system determines you’re not on an already trusted machine or using a trusted browser, you’ll get a location popup or dialog on every computer and iOS device connected to the same iCloud account. First, you click or tap Allow on the location. Then, on the device where you approved the location, you receive a six-digit code that you can enter in the browser, app, or OS component requesting it.
If you can’t get the location and code to arrive at an Apple device, Apple offers a backup method that lets you send a text message or have an automated voice system call you with the code.
If you’re using an OS that was released before Apple’s 2FA support in 2015 or an older version of iTunes for Windows, you may have to log in to an Apple ID account by using that account’s password plus a six-digit verification code added to the password.
If you don’t receive a 2FA verification code for an older OS login or for a regular 2FA login, you can generate one instead. In iOS, go to Settings > account name > Password & Security and tap Get Verification Code. In macOS, open the iCloud system preference pane, and click Account Details, Security, and Get Verification Code.
Apple will let those who went through this two-step-to-2FA upgrade process use a Recovery Key, even though it’s not available to any new account users or anyone who manually switched from two-step to 2FA before now. By default, 2FA-upgraded accounts rely on the account-recovery process described above. But you can also regenerate a Recovery Key, in which case you must keep it safe and secure as a last-ditch way to recover your account. With Recovery Key re-enabled, Apple says it might not be able to help you if you forget your password or it’s reset by a malicious party and you lose access to all your trusted hardware.