Two-factor authentication (2FA) provides an effective way to deter people from hijacking an online account. With 2FA, you supplement a password with something else—typically you enter a code that’s sent via a text message. The second factor means someone has to both know your password and have access to something you own—a phone number, a phone, or a computer—and dramatically reduces your exposure when password breaches inevitably happen.
Apple added 2FA for Apple IDs a few releases ago, an upgrade from its hastily constructed two-step verification, which it created after high-publicity cracks using social engineering (i.e., guessing and phishing) of its iCloud service.
Apple’s implementation of 2FA is integrated into iOS and macOS, and I recommend that everyone enable it. However, some people may find it’s too much fuss or they have other difficulties making it work. (For Apple IDs that you don’t use with a physical device, but only for purchases, 2FA can be an honest pain, but it’s manageable.)
Until recently, you could opt to disable 2FA, although you had to go to the Apple ID website to turn it off. Apple quietly removed disabling 2FA as an option, and I’ve started to hear from people about this recently when they went to turn it off and found they could not.
It looks like Apple quietly removed that option in a later release of iOS 10 and macOS 10.12 Sierra, according to reports online. Apple’s support page for 2FA notes that within the first two weeks of enabling 2FA, you can still revert. But after that, no can do:
“Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information.”
I respect this move forward for security’s sake, but I also think Apple shouldn’t have taken it without a lot of disclosure, explanation, and potential grandfathering of those who had opted in. Apple doesn’t enumerate which features require this.
And Apple only provides the second factor via iOS and macOS, and as a fallback via text message and automated voice message. It isn’t integrated with the standard code-based second factor (called a time-based one-time password or TOTP) or any third-party system.
It seems like Apple should have made sure its second-factor system is as easy to use and widely accessible as possible before it made it irreversible. But the new limitation is in place, and if you haven’t enabled 2FA yet, you should make doubly sure it meets your needs before moving forward.
This Mac 911 article is in response to several inquiries about the topic by Macworld readers.