Lately there has been a lot of talk about Two-Factor Authentication. Elections have been influenced, personal photos have been leaked, and hackers gained access to personal data about millions of federal employees. Many of these attacks could have been prevented or mitigated had they been using this additional level of security. As our lives are becoming more digital and more networked hackers are finding our online accounts more desireable. We know we are supposed to enable Two-Factor Authentication, but what does that mean and how does it work?
I’ll be discussing Apple’s implementation of Two-Factor Authentication which has the basic principals of other system, but the details are different. I highly recommend enabling it on Facebook and on your email accounts as well. Even if you don’t think you have anything sensitive in your email, a hacker can utilize email access to reset passwords for your other accounts by requesting password resets. The same as you do when you legitimately forget a password.
This may sound daunting, but once you get through this your iCloud account will be extremely secure. Just go through it slowly and carefully consider the different information that each screen is requesting. The set up is the difficult part. But once it is set up it works smoothly.
What is Two-Factor Authentication?
Normally when you log into a website you provide two pieces of information: your username and your password. If you enable Two-Factor Authentication you provide those two parts as you always did, but then you also have to provide a temporary code that a device gives you. To make it easier this extra step is normally only required when connecting to a new device for the first time, so unless you erase your iPhone or get a new Mac you’ll rarely need the extra code apart from this initial setup process. Don’t bother writing this code down because it changes every time you request it.
How to turn on Two-Factor Authentication
Two-Factor Authentication can be enabled and seamlessly used from any device running at least OS X 10.11 El Capitan or iOS 9. Older devices can still log in, though they cannot receive these special security codes. If you upgraded to macOS Sierra or iOS 10 there is a good chance that you already have Two-Factor Authentication enabled.
When you follow through the prompts to enable Two-Factor be sure to read the instructions carefully. There may be times where you will be asked for the passcode you use to unlock your iPhone or where you will be asked for the password to your computer, even on devices that don’t normally use them.
If you get prompted for your security questions but don’t remember them just request to reset them. Once you turn on Two-Factor Authentication the security questions will be removed.
On iPhone or iPad (if you have an iPhone it’s better to start there)
- Open Settings ⚙️
- Tap your account at the top (iOS 10.3 or higher) or tap iCloud (10.2.1 or lower)
- Tap Password & Security
- From there set up Two-Factor Authentication and follow the prompts
On Mac
- Click the Apple menu
- Click System Preferences
- Click iCloud
- Click Account Details
- Switch to the Security tab
- Click the button to enable Two-Factor Authentication and follow the prompts
“Trust” other devices to receive codes
To enable other devices to work with Two-Factor Authentication you will need to visit the Security page in the above instructions on each device. Mac, iPhone, iPad, iPod Touch. You don’t need to do anything on the security page but by loading the security page you are connecting that device into the list of “Trusted Devices”
Create a backup method
It’s always advisable to create a backup method to gain access to your account in case you lose access to multiple devices or you change your phone number and you forget to alert Apple first. I’ve even seen cases where you only have one trusted device (your iPhone) and if you reset your iPhone you can’t get your code because your iPhone is not yet active. You can add multiple phone lines. I recommend adding at least one other such as your landline or the phone number of a trusted friend or relative.
- Get near the phone you will add since you will receive a phone call or text
- Go to the same security screen in your iCloud account that you used to enable it in the first place.
- Click the plus + button (Mac) or tap the Edit button and then tap “Add a Trusted Phone Number”
- Enter the requested information and choose whether you want to verify using a text message (for cell phones) or a phone call (for landlines)
- Answer the phone or read the text message; if you don’t receive something within a minute check that you entered the phone number correctly and that you didn’t choose to have a text sent to your landline.
- Enter the number in the text message or the number read to you by the computer over the phone
Test it out
The easiest way to test out if you have all of your devices connected properly:
- Visit icloud.com on a web browser (on any computer, could even be a Windows computer)
- Enter your iCloud/Apple ID username and password and press Return
- You will be prompted to enter a six digit code. Make sure that all of your devices had a message popping up saying that a new device is requesting access. If any of them do not receive the message within a couple of minutes:
- go back to the section above about “Trust” other devices to receive codes and try again on that device
- make sure your device is fully updated, since iOS 9 or 10.11 El Capitan are required to receive codes
- Tap “Allow” on one of the devices and enter the given code in the website prompt
Using your backup numbers
If at some point you are unable to access any of your authenticated devices you can request to use an alternate method we set up above. Below the box where you type the code in should be a link for “Didn’t get a verification code?” Click that and you can choose what phone number to send your code to. They will either send a text message or call the number and read a code to you audibly.
Two-Step Verification
If you have “Two-Step Verification” enabled that is Apple’s older enhanced security. I recommend you disable Two-Step Verification and then enable Two-Factor Authentication. You will be asked to create those annoying “security questions” but don’t worry, when you enable the new generation Two-Factor Authentication, those questions will be removed again.
Logging in to pre 10.11 and iOS 9 devices
OS X 10.11 and iOS 9 and later are able to seamlessly receive and use these codes, but if you are logging into older devices you may run into trouble if you aren’t paying close attention. When you log into an older devices… say a computer running Yosemite, an iPhone running iOS 8, or a third-generation Apple TV you will receive an error that your password is incorrect even though you know it isn’t. But look at one of your trusted devices. You’ll get one of those six digit codes though the instructions ask you to append that six digit code to the end of your password. So if your regular password is Supersecret123, and the code is 392749, you would then enter your password again as Supersecret123392749.
If you get an unexpected notice that a new device is connecting to your account
First, don’t panic. This means that your increased security is working. If it truly is a hacking attempt you should click “Don’t Allow”, which prompts you to change your password. You should also change your password anywhere else that you use the same password, since now it is known to hackers that this is one of the passwords you use.
But before you go changing your password consider a few things:
- Did you share your password with anyone else who may legitimately need access to your iCloud account? Family member? Assistant?
- Do you have a forgotten device lying around that is randomly trying to connect? An old iPod Touch? An Apple TV in the kids’ room? A Windows computer at work?
Further reading
- Apple’s support article on Two-Factor Authentication: https://support.apple.com/en-us/HT204915
- Database of all major websites that support Two-Factor or Two-Step Authentication: https://twofactorauth.org