Enabling a verification code for your account logins can be a powerful deterrent to account hijacks. Second-factor authentication (2FA) requires that someone not just know your account name or email address and password—both of which are vulnerable from billions of leaked accounts over the last few years—but also have access to a code that’s texted to you or generated by an app.
Apple built its own 2FA system for Apple IDs and related purposes and largely ignored support for other systems for quite a while. Then a couple of releases ago across iOS, iPadOS, and macOS, Messages started to recognize 2FA code arriving as a text message and offered to autofill them via the QuickType bar in iOS/iPadOS and via a drop-down auto-fill prompt in Safari for macOS.
In iOS 15/iPadOS 15 and Safari 15 for macOS, Apple took a big leap forward: it added direct support for time-based one-time passwords (TOTPs), a kind of verification code that Google first popularized and that’s widely used now. I’ve long recommended the free Authy app to handle TOTPs because Authy is much more flexible than Google Authenticator and sync securely among your devices. 1Password and other password managers also added TOTP support.
However, it’s a treat to rely on Apple’s built-in support via its Password features. If you’ve enabled iCloud Keychain, your verification codes also securely sync across all your linked devices. (Monterey elevates Passwords to first-class status as a System Preferences pane alongside Safari > Preferences > Passwords; that latter method is the only way to access Passwords in previous macOS releases.)
When you enroll at a site with 2FA, it typically provides you a pump-priming secret. That’s often delivered as both as a string of text and as a QR Code. The secret is kept by the site and stored in your TOTP manager. When you log in, the site performs a time-based algorithm against the shared secret that your TOTP manager does as well. You provide the result, and the site matches it against its calculation. The two will match only if both parties have the same secret.
In Safari on any Apple platform, you tap-and-hold or Control-click the QR Code, and you can opt to add it as a verification code. Then you’re prompted to select or search for an existing password entry to match it against. (If you don’t have an entry, you’ll need to create one first.)
In the future, whenever you visit a site that requires the code, Safari will provide it through QuickType or as a drop-down auto-fill prompt just as with a password.
If you’re already using a TOTP for an account, you may need to do one of the following:
- Unenroll from 2FA and re-enroll to regenerate the secret. Some sites will never display the secret after first enrolling.
- Provide the current code and additional verification information to display the TOTP. At that point, you can use the QR Code selection method above to add it to Passwords.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to email@example.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.