How to Secure Your Apple ID Using Two-Factor Authentication

Apple introduced two-factor authentication (2FA) in 2015 to provide an enhanced level of security when accessing Apple ID accounts. With 2FA enabled, you'll be the only person who can access your account, regardless of whether someone learns your password – as the result of a hack or a phishing scam, for example – so it's well worth taking the time to enable the feature. In this article, we'll show you how.

How Two-Factor Authentication Works


2FA offers hardened security during login attempts by requesting that the user provide an extra piece of information only they would know.


With 2FA enabled on your Apple ID account, the next time you try to log in you will be automatically sent a six-digit verification code to all the Apple devices you have registered to that Apple ID. If you try to access the account from an unknown device or on the web, 2FA also displays a map on all registered devices with an approximate location of where the Apple ID login attempt occurred.

In basic terms, this is an improved version of Apple's older two-step verification method, which prompted users to send a four-digit code to a registered SMS-capable device. Apple automatically upgraded most two-step verification users to 2FA as of iOS 11 and macOS High Sierra, but if you're still on two-step verification for some reason, follow the steps below to manually upgrade to 2FA.

How to Turn Off Two-Step Verification



  1. Open a browser and go to appleid.apple.com

  2. Enter your Apple ID and password in the login fields.

  3. In the Security section of your account page, click the Edit button on the right.

  4. Check to make sure two-step verification is enabled rather than two-factor authentication, and click Turn off two-step verification.

How to Turn On Two-Factor Authentication in iOS


To turn on 2FA using an iPhone or iPad, it needs to be running iOS 9 or later. Note that if you're running iOS 10 or later and you have any other, older devices tied to your Apple ID that aren't compatible with 2FA, you'll receive a compatibility warning during the setup process.

On top of that, you'll also be asked to append a six-digit code to the end of your password whenever you authenticate a login on your older devices in future. You can potentially avoid this hassle by updating those devices to the latest version of iOS or macOS where possible.

With that in mind, perform the following steps on your iOS device:

  1. Open the Settings app and tap your Apple ID banner at the top of the screen.

  2. Tap Password & Security.

  3. Tap Turn On Two-Factor Authentication, and then tap Continue on the next screen.

  4. Tap Turn On Anyway if you see a compatibility warning about older devices.

  5. Check your phone number is correct. (If it isn't, tap Use a Different Number at the bottom of the screen and input a new number.)

  6. Select Text message or Phone call for verification, and then tap Next.

  7. Enter your Passcode.

How to Turn On Two-Factor Authentication on a Mac


If you're using a Mac to enable two-factor authentication, make sure it's running OS X El Capitan or later. To turn on 2FA on a Mac, follow these steps:

  1. Click the Apple symbol in the menu bar at the top left of the desktop, and select System Preferences.

  2. Click the iCloud preferences pane.

  3. Click the Account Details button and select the Security tab.

  4. Click Turn on Two-Factor Authentication, and then click Continue in the drop-down pane.

  5. Check your phone number is correct and click Continue.

Verification Codes


With 2FA enabled, you'll be prompted to enter a new verification code every time you log in to your Apple ID account using iCloud.com or another Mac or iOS device. These codes will automatically appear on devices that are already logged into your Apple ID, but you can also request them manually using an iPhone or iPad, like so:

  1. Open the Settings app and tap on your Apple ID banner at the top of the screen.

  2. Tap Password & Security.

  3. Tap Get Verification Code.




Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.


Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.

"Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

"I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code."

Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.


The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.


Apple Migrating iOS 11 and macOS High Sierra Users With Two-Step Verification to Two-Factor Authentication

Apple recently emailed Apple ID users with two-step verification enabled to inform them that, upon installing iOS 11 or macOS High Sierra, they will be automatically updated to its newer two-factor authentication method.


Apple introduced two-factor authentication in 2015 as an improved version of its two-step verification method for securing an Apple ID account by requiring both a password and a second form of verification. Two-factor authentication requires an Apple device with iOS 9, OS X El Capitan, watchOS 2, any tvOS version, or later.

The two security methods are similar in many ways, but two-factor authentication automatically sends a six-digit verification code to all trusted devices registered to a given Apple ID, whereas two-step verification manually prompts users to send a four-digit code to any SMS-capable trusted device registered.

Two-factor authentication also displays a map on all trusted devices with an approximate location of where an Apple ID sign-in attempt occurred when a user is trying to access the account from an unknown device or on the web.


Apple's two-factor authentication method disables the Recovery Key by default, since offline verification codes can be generated on trusted devices in the Settings app. On iOS, users can still enable the Recovery Key as a backup method in Settings > Apple ID > Password & Security > Recovery Key.

The full text of the email is copied below:

"If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication. This is our most advanced, easy-to-use account security, and it's required to use some of the latest features of iOS, macOS, and iCloud.

"Once updated, you'll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password."

iOS 11 and macOS High Sierra public betas will be available in late June through the Apple Beta Software Program. The software updates will be available for all eligible iOS devices and Macs in the fall.



Apple Updates iTunes Remote App With Two-Factor Authentication for Home Sharing

Apple today updated its iTunes Remote app, which is designed to allow users to control their iTunes libraries from anywhere in the home.

The new update adds support for Apple's Two-Factor Authentication system, adding an extra layer of security when signing in for Home Sharing purposes. Using Home Sharing will now require a verified device or a verified phone number that can receive a Two-Factor Authentication code, preventing an unauthorized user from accessing a home library with just a password.

For those unfamiliar with Two-Factor Authentication, it is an opt-in system that's designed to increase the security of Apple ID accounts. It asks users to provide a verified code when signing in to new devices, when using iCloud, and when using services like iMessage and FaceTime.

Apple's iTunes Remote app was last updated in September of 2016, adding iOS 10 compatibility and minor performance and stability improvements. The app lets users browse their iTunes libraries and send music to AirPlay speakers.

The iTunes Remote app can be downloaded from the App Store for free.

