I’ve just set up two-step authentication for my Apple ID and thought I’d write about the relatively simple (although long-winded) process.
Two-step authentication means that whenever making a purchase from a new device (for example, if you buy a new iPad or iPhone) then you are required to confirm with a verification code. In addition, if you want to manage your Apple ID then two-step authentication replaces security questions.
Once you receive the confirmation email that you’re Apple ID can have two-step authentication enabled (this took over a week to arrive despite it stating it takes only a couple of days, though I suspect that was in part due to the gargantuan security hole found in the password reset process), you’re able to log in to manage your Apple ID and enable two-step fully. The email doesn’t contain a link to a page that goes directly to the two-step setup (since email isn’t secure) but instead you’re directed to “Manage my Apple ID” page where you’ll need to sign in with your Apple ID to continue.
Once logged in, you repeat the process of requesting to enable two-step authentication only this time you don’t need to wait. You answer the security questions you currently have on your account (which will be the last time you do so) and then begin the process of enabling a trusted device.
Trusted devices are ones that are tied to your Apple ID / iCloud credentials and require Find My iPhone to be enabled. Not only is this so Apple knows the device is under your ownership but it’s also how the messages are sent to it. If you don’t enable Find My iPhone you can’t use two-step authentication. You are, however, presented the option to add your device to Find My iPhone and then can continue.
Whilst some might say that they don’t want Apple “knowing” their location and aren’t comfortable with their device being geolocated, I’d argue that this increases security since if you lose said device you’ll be in a much better position to track it down and hopefully be reunited with it. Find My iPhone also means it can be remote wiped so if you lose it for good then it can also be removed from Find My iPhone, thus automatically removed as a trusted device. These devices are then automatically listed as ones you can use as a trusted Apple device1.
Thankfully, you can have more than one trusted device so I’ve set up both my iPhone and iPad mini to receive verification codes. In addition, if you don’t have an Apple device capable of receiving a verification code, you can also set up a mobile phone number to act as a trusted device, receiving verification codes via SMS instead of a push notification on your device.
When confirming a trusted device, Apple sends a 4 digit number to it and you then need to enter it into the setup process. For both devices, the message was near instant. I also added my mobile number (ironically, it’s still my iPhone) and the SMS arrived within a minute. It’s worth setting this up anyway simply because if your iPhone does go astray, you can still get a new SIM from your carrier and pop it into any other phone which will then be your trusted device.
Once you’ve set up your trusted devices, you then receive a Recovery Key. This is a randomly generated 14-character code (separated by dashes) that will never be provided to you again. You must note this down and you have the option to print it. To prevent you copy/pasting it somewhere, the text field is disabled so you can’t highlight it. I entered it into 1Password (no way am I printing a copy) and even took a screenshot and threw that into 1Password as well, in case I entered it wrong.
Luckily, you have to enter the key during the next step so Apple can confirm you did note it down. Get it wrong and it will go back a step, making sure you’ve got it noted down. Make no mistake, this replaces security questions and Apple cannot reset your password if you lose your trusted device and didn’t make a note of this. At that point, you’ve only yourself to blame.
And that’s all there is to it. If you have an Apple ID then you should certainly set this up.
If you want to know more about two-step authentication then check out this Apple support article.
This is a good time to check that you don’t have any older devices listed that you might no longer have. My old iPhone 4 was still listed under Find My iPhone even though it wasn’t active. ↩