
Two-factor authentication for Apple ID - stephenr
https://support.apple.com/en-us/HT204915
======
thesimon
Would be nice if they could use RFC 6238 TFA as well, it is a bit more
convenient if you only have your Android device with you.

Edit: Reason for that being that I prefer having all TFA codes in my Google
Auth app/Authy which requires no internet connection. Using SMS/text or other
devices is a bit inconvenient when traveling and using a local SIM.

~~~
dantiberian
I'm not sure if you need to be online to generate these codes. On OS X, it's
possible to go to System Preferences > iCloud > Account Details > Security >
Get A Verification Code, which returns you a 6 digit verification code that
looks like a TFA code.

~~~
stephenr
You certainly don't - I just tested it with my phone in Airplane mode and it
worked fine.

Edit: to clarify, I originally tested it on my phone, but I've since tested on
Mac and the result is the same.

If you happen to have the iCloud "Account" screen open before losing all
connectivity (i.e. it's open, then you turn off wifi/etc), the regular "Get
Verification Code" button will work.

In the more likely scenario that you just open up Settings/System Preferences
> iCloud > Account, if you're offline it will tell you that you can't see your
account details because you aren't online, but that you _can_ generate a
verification code while offline.

~~~
kobayashi
Airplane mode on a Mac? As in, you turned off Wifi and Bluetooth (and
obviously ensured that you didn't have a wired Internet connection)?

~~~
Tushon
> my phone in Airplane mode

OP was referring to Google Auth working on phone regardless of current
internet connection, the computer being disconnected is unrelated.

------
capote
Am I missing something? Why is this posted here and now?

Edit to clarify my confusion: is this new? What's the difference between this
and two factor verification (which we've had for a while)?

~~~
jlian
I believe this is a new system. It's called _two-factor_ authentication as
opposed to _two-step_ verification. To quote the FAQ:

> Is this different than Apple’s current two-step verification feature?

> Yes. Two-factor authentication is a new service built directly into iOS 9
> and OS X El Capitan. It uses different methods to trust devices and deliver
> verification codes, and offers a more streamlined user experience. The
> current two-step verification feature will continue to work separately for
> users who are already enrolled.

Since I was already using two-step verification, I had to turn it off for the
new, two-factor authentication, option to appear. I turned it on and it looks
like it's working now.

I have to agree that this was very confusing.

EDIT: looks like I can authenticate from OS X now, nice. Before I had to
always unlock my phone.

~~~
Razengan
> Since I was already using two-step verification, I had to turn it off for
> the new, two-factor authentication, option to appear.

This can be very confusing and should be made more clear in Apple's
documentation and the iCloud Preferences UI on OS X.

------
willtheperson
Annnnnd I'm locked out of adding this because I couldn't answer my security
questions that I definitely never set up (I know this because I never use real
information but random words that I save in 1Password if I am forced to make
these.) So now I can't add 2 factor to a device that is and has been signed
into my iCloud account for months.

Neat.

~~~
eridius
Are you suggesting that Apple invented security questions for your account?
Because that sounds highly implausible. Are you sure you didn't set up actual
security questions so long ago that you simply don't remember doing it
anymore?

~~~
UVB-76
I think I had this happen to me as well.

Wasn't an issue until I wanted to change my Apple ID password, for which the
security questions are required.

Phoned Apple Support, and they took me through a dazzling array of security
steps, involving my Mac, iPhone, payment methods, and the Apple ID website,
before they allowed me to create new questions.

------
stephenr
This has apparently now been enabled for all iCloud users (previously it was
not available to all users).

It appears that anyone using the older 2 step verification will need to
disable that before you're able to enable the newer system.

~~~
chmars
Is there an easy way to switch to the new system? In order to disable the old
2-step verification, I have to set up new security questions, quite a hassle!

~~~
stephenr
I asked the @AppleSupport twitter account the same thing. You have to disable
the old and enable the new - there is no automatic way to jump from one
straight to the other.

On the plus side, I _believe_ the security questions become irrelevant again
once you've set up the new 2FA.

------
demarq
I hope this is more reliable than the previous system. I signed up for two
step authentication... worked only once! The rest of the times the text
message just never came through. I double checked my phone number, I even
looked at their status page. nothing :(

just my experience.

------
brobinson
I enabled 2FA, logged out of iCloud on my iPhone, then logged back in. It
asked me for the "password" on my Macbook Pro. What? How would Apple have
access to a user password on my MBP? I have multiple users on my MBP... what
would happen if I were logged into the same iCloud account with two different
users?

~~~
UVB-76
Surely it's referring to the temporary pass code which is generated and
presented to the relevant user on your Mac?

~~~
brobinson
Out of curiosity, I tried (and then immediately changed) my main user account
password, and it successfully authorized my iCloud login on my phone. I am
really curious what's going on here. I expected it to ask for a numeric code
like you mentioned, but it just gave me a plain UITextField to enter the
password for $my_macbooks_hostname

I do not have keychain syncing enabled in iCloud, just contacts/calendars.

------
frenchpress
Other than being more streamlined and offering offline access to codes, is
there any additional benefit in terms of security for updating from the
two-step method to two-factor?

I much prefer having the recovery key that is provided with two-step; I don't
see that the two-factor method offers a recovery key.

Having any security feature associated with either my landline or mobile phone
makes me feel uncomfortable for multiple reasons, some that have already been
articulated by others here plus some more I can't really put my finger on,
except to say that both landline and mobile phones seem inherently
untrustworthy to me.

Am I just being paranoid?

------
KiDD
I recommend adding as many of your devices as trusted devices as well as other
phone numbers in case you need to recover the account. Apple can not really
assist in that when Two Factor is enabled.

~~~
thought_alarm
That's no longer the case. With this new Two Factor authentication there are
no security questions, no recovery key, and Apple can recover your account if
you lose all of your trusted devices and forget your password.

Devices are automatically trusted the first time you login and enter a
verification code.

When anyone tries to login to your account on the web or from an untrusted
device, all of your trusted devices notify you with location of the login
attempt. It's a pretty good setup.

~~~
KiDD
It still is the case... Trust me

------
bobedybobbob
It'd be nice to see support for U2F

------
meritt
Does enabling two-factor authentication impact the ability to use "Find My
iPhone" (when presumably the phone itself is your second factor)?

~~~
thought_alarm
Find my iPhone, Apple Pay, and Apple Watch settings are available without Two
Factor authentication. Links are available on the Two Factor verification
screen.

------
jxy
Is it live? I checked both of my up-to-date macbook air and iphone, and there
is no mention of this new "Two-factor authentication" in the settings. In
fact, there is the "two-step verification" turned on already in the settings,
which I assume is the old way.

Anybody seeing it in their devices?

~~~
TaqPolymerase
I had to turn two-step off in order to enable two-factor

------
CGamesPlay
Call me an idiot, but how do I turn off two-step authentication in order to
turn on two-factor authentication? Neither my iPhone nor my Mac allow me to
turn it off. Where

~~~
stephenr
I assume you mean turn off 2 step verification.

See [https://support.apple.com/en-us/HT204152](https://support.apple.com/en-us/HT204152)
and look near the bottom for "How do I turn off two-step verification?"

------
cshenton
Just tried to enable this from my MBP, got a message saying it's not available
for my apple ID at this time. So I guess the rollout's not complete yet.

------
i386
I can't imagine the pain of having to do 2FA when iOS and MacOS ask for iCloud
passwords so frequently - the friction is atrocious.

~~~
bengale
Yeah the old system was a real pain to use. This one is much better, it just
asks you to pick a device to get a code from, it'll pop up and you type the 4
digit code in.

~~~
stephenr
You are describing Apple's old (although still working if you have it enabled)
2 Step Verification.

The new 2 Factor Verification doesn't require you to pick a device, and it
doesn't use 4 digit codes.

------
ksec
I hope Apple is secretly building its TouchID to totally replace passwords.
God I don't want to remember Password anymore.

~~~
UVB-76
I hope the next Mac line-up includes Touch ID

------
gabamnml
I hate text messages. Prefer authentication can be used with 1Password or
Google Auth App

~~~
stephenr
You would only need to use a text message if you have no access to any of your
trusted devices.

------
sam_tunder
why has this not been released for more sites, devices, and other stuff? what
is keeping companies from adding similar features to protect their customers
any ideas?

~~~
stephenr
Two factor auth is available for many sites, the only unique part (to the
user, I'm not certain of the actual OTP generation process) is the prompting
on devices with an area map shown.

~~~
sam_tunder
yeah but what I am asking is why not more sites use either of two-step
verification or two-factor authentication.

as I can not see any reason not to implement a system for it because it would
probably only help the company to get more customers.

~~~
stephenr
There is technical effort involved, which means time, which means money.

There are a _lot_ of sites that don't even use TLS, which is a lot simpler &
cheaper to implement than a secure 2FA solution.

------
briandw
PSA you can lose your Apple account this way. If a password reset is needed or
the account gets locked, you have to have your recovery key. No recovery key, no
more account. Print it and keep it in a safe place.

~~~
runjake
I can find no mention of a recovery key for Apple's Two Factor Authentication
(which is different than Two-Factor Verification). Where does one find this?

~~~
thesimon
> Apple's Two Factor Authentication (which is different than Two-Factor
> Verification

Two factor auth: * Six-digit code sent to your device/via text

Two factor verification: * Four-digit code sent to your device/via text

Or what exactly is the difference? Surprised Apple would launch something like
this.

~~~
stephenr
> what exactly is the difference

The old system pushed 4-digit OTP's from Apple to a trusted device of your
choice using the Find-My-(iPhone|iPad|Mac) system or an SMS. Only iOS devices
could be registered as "trusted" for this system.

The new system shows login attempts on all trusted devices (iOS9 or OS X 10.11
devices) automatically including basic GeoIP location, and will show a
six-digit OTP if you want to allow the session. It also allows trusted devices to
generate verification codes (a six digit OTP) when offline, e.g. if you need
to login to iCloud.com from a public computer but your phone has no data/cell
service. Or if for example you have your Macbook with you, but no Wifi access,
and your phone battery is flat, and you need to access your account via
another computer.

> Surprised Apple would launch something like this

Why is this surprising? They've had 2-step verification available for several
years, this is an improvement over that.

