All About Apple ID Two-Factor Authentication
[Editor's note: This was originally posted on tekserve.com, but I thought it was useful enough to post here too.]
Apple recently enabled a new security feature for Apple ID accounts called “Two-Step Verification.” This is a form of multi-factor authentication that can help keep your account more secure. I am a huge fan of multi-factor authentication and have enabled it on almost every account that offers it. This post will explain just what the technology is, why it’s helpful, and how to use Apple’s implementation specifically.
What Is Multi-Factor Authentication?
In order to log in to an online service, such as my email, I need to authenticate with the server. When I go to Gmail, for example, Google does not intrinsically know that it’s me trying to connect. I need to first provide the server with proof that I’m the owner of the account before being allowed access to my data. My password is one possible “factor” for authentication. It proves to Google’s server that it is indeed me, and not someone else, who is trying to access my data, and allows me in to see it.
There are three possible types of factors:
Something You Know
An example of this would be a password. It is something that you – and only you – know (at least in theory). This is by far the most common form of authentication. It is also the most abused, and in many ways the easiest to crack, as it can be done remotely. Many (probably most) internet users are using weak passwords that can be easily broken, and even strong passwords may be leaked from other sources.
Something You Have
This form of authentication requires some kind of physical thing, such as a key generator, card, or, nowadays, your smartphone. Unlike a password, this factor relies on something tangible, presumably that you, and only you, would posses. There are a number of providers of this kind of authentication, and most of the newer ones are apps for smartphones (or even the SMS text messaging capabilities they have).
Something You Are
This form of authentication relies on biometrics, such as fingerprint or retinal scanners. This is the most difficult of the three factors to get around, but it is also the least common for standard consumer electronics.
When multi-factor authentication is enabled on an account, all factors must be satisfied in order to log in. The idea is that even if your password were exposed, you would still be protected, since the person attempting to log in would lack access to the other factor. There is no overlap between these factors (when it is done right, at least). The second two cannot be guessed.
In order for an authentication system to be multi-factor, it must use at least two of the above factors. Many websites are now claiming “two-factor” authentication by requiring both a password and answers to security questions. This, however, is not true multi-factor authentication, as both types of information are “something you know.”
Why Is It Helpful?
Because passwords are insecure. Most users, unfortunately, have terrible passwords. The most common password is very often “password” (we wish we were kidding!). It is trivial for someone who wishes to break into an account to crack – or just plain guess – these passwords. Even if you use good, strong passwords, you may still be in danger when password databases from other sites are exposed (and that has been happening with an alarming frequency).
Additionally, most websites offer password reset options in case a user has forgotten their password. While helpful to the users for whom this has happened, this feature opens the door to social engineering. This is a non-technical vulnerability where someone claims to be you, and convinces the company’s customer service to change the password for them.
The truth is that passwords are a weak method of authentication on their own, but there are no viable alternatives that are within reach at this time. Adding an additional factor helps lock down your accounts further.
How Does Apple’s System Work?
Apple took a somewhat different approach to multi-factor authentication. Rather than require the second factor for every login (which is how Google’s two-factor authentication works), you only need to provide the second factor if you’re doing one of the following:
- Managing your Apple ID (such as changing the password or your address)
- Make a purchase from the iTunes Store, iBookstore, or App Store from a new device
- Getting Apple ID support from Apple customer service
Otherwise, just your password will be enough – but this protects the more sensitive aspects of your account.
That third point is crucial. Once this is turned on, Apple representatives can no longer reset your Apple ID password, no matter what. So keep in mind this very, very, VERY important point:
Apple cannot reset your password once this is enabled. If you forget your password and do not have your recovery key and an approved device, your account will be permanently locked. Period. The end.
In other words, you must be responsible for your password. If you forget it, and don’t have the other information from your multi-factor authentication setup, you will lose access to your account – likely permanently. In all honesty, I think this is a good thing, but I want to be sure you understand this before you turn it on. The responsibility is all yours from here forward.
What Do I Need to Use This?
The second factor in Apple’s system is (unsurprisingly) an iPhone, iPad, or iPod touch. This makes sense, as one of these is probably already attached to your account. If you use Find My iPhone, then that device is already ready to go. Alternatively (and in addition), you may use an SMS text message to authenticate.
Once enabled, to make a substantial change to your Apple ID, you need two things: (1) your password and (2) a temporary code sent to your device. Both are required to log in; neither will work on its own. A recovery key is created during setup that can be substituted for one of the above factors.
How Do I Turn This On?
The steps to enable two-factor authentication for your Apple ID are as follows.
Note: If you make a change to your account (such as changing the password), you must wait three days to enable two-factor authentication.
Step One: Log into http://appleid.apple.com, then select Password and Security. Answer the security questions if asked, then click/tap on Get Started under Two Step Verification.
Step Two: Apple explains what will change on your account.
Step Three: They make it very clear what you will need in order to make changes to your account. Emphasis on the first point: you must always have two out of the three in order to make a change.
Step Four: You need to add at least one trusted device that will receive the codes you’ll need to log in. Any iOS device attached to Find My iPhone will be displayed here. You will also be asked to add an SMS number to receive a text message code, in the event you cannot receive the app notification.
Step Five: The code comes through as a push notification to your device. It will not display on the lock screen if you have a passcode. I have no issue showing you mine because the next time I use it, it will be a different code. This one will no longer function. Enter it on the website to continue.
Step Six: You will be shown a recovery key that can be used with your password in the event that none of your devices are available. You are encouraged to print a copy and keep it in a safe place. (Side note: I also added the key to my 1Password database.) Do not store it in plain text on your computer, it will defeat the point. Since this code does not change, I have blacked it out in the example above.
Step Seven: Just to prove that you really did listen to them, Apple makes you type out the recovery code on the next screen (and they don’t let you copy and paste it, either!).
Step Eight: For one final time, you are warned what this means for your account, and what responsibility you are taking on. If you lose track of more than one of the factors, you will be locked out of your account. Neither Apple nor Tekserve can get you back in.
And that’s it – you’re all done! Enjoy the enhanced security of your account.
Where Can I Get More Information About This?
More documentation is available from Apple via this article: http://support.apple.com/kb/HT5570
What Other Accounts and Web Services Support Multi-Factor Authentication?
A non-exhaustive list (with links to the instructions) includes: