Two-factor authentication provides an extra layer of security for your online accounts. Many online services are offering two-factor authentication, including Apple. However, Apple’s two-factor authentication needs some explaining, since it exists in two slightly different forms.
Apple has had “two-step verification” for Apple IDs for a while, but with the release of iOS 9 and OS X El Capitan, they introduced a new method of adding extra security to your Apple ID, which they call “two-factor authentication”. It can be confusing trying to decipher the differences between these two methods. We’ll discuss the differences, why you should move to the new method if you can, and how to set up and use both methods.
The Difference Between Apple’s Two-Factor Authentication and Two-Step Verification
In 2013, Apple introduced two-step verification, which adds an extra verification step in addition to your Apple ID password. When setting up two-step verification, you register one or more trusted devices that can receive 4-digit verification codes. These codes are sent using either SMS or Find My iPhone, and you are required to provide at least one SMS-capable phone number. From then on, any time you sign in to the Apple ID website, sign into iCloud, or make a purchase in iTunes, iBooks, or the App Store from a new device, Apple will send you a 4-digit code within a push notification, SMS message, or phone call to one of your trusted devices. You’ll then enter that code on the new device you’re trying to use to verify your identity.
When you set up two-step verification, you are provided a Recovery Key you can use to gain access to your Apple account if you forgot your Apple ID password or you lost the trusted device or phone number associated with your Apple ID.
Apple’s new two-factor authentication, first released in 2015, is an improved security method built directly into iOS 9 and OS X El Capitan. You must have at least one device running iOS 9 or OS X El Capitan to use it. On the surface, it looks very similar to two-step verification: when you attempt to use your Apple account on a new device, you’ll have to approve it from a trusted device using a 4-digit code.
Here’s the difference: the old two-step verification simply displays a dialog box indicating someone requested the 4-digit code displayed on the dialog box. With the new two-factor authentication method, your trusted device must be running iOS 9 or OS X El Capitan, and it adds an extra step before presenting the verification code. A dialog box displays first, listing the approximate location (based on the IP address the device is currently using) of the request and a small map. This sign-in request must be approved before the verification code is presented. If you don’t recognize the location and you didn’t request the sign-in, you can block the request at this point.
That extra step provides a bit more security than two-step verification, and the new method is also quicker and easier to set up. You can set it up directly on any iOS 9 or OS X El Capitan device. However, unlike two-step verification, you won’t be provided with a Recovery Key in case you forget your password. You can still regain access to your Apple ID with account recovery.
NOTE: You may also see mentions online about app-specific passwords being removed from two-factor authentication. However, when I logged into my Apple ID after setting up two-factor authentication (not two-step verification), and clicked “Edit” in the Security section, I saw a section where I can set up app-specific passwords.
How to Set Up Two-Factor Authentication for Your Apple ID
If you’ve been using two-step verification on your Apple ID up to this point, you need to turn it off before setting up two-factor authentication. To do that, sign in to your Apple account on the Apple ID website. In the Security section, click the “Edit” link on the right. Then, click “Turn Off Two-Step Verification”. You will be asked to create new security questions and to verify your date of birth. Once this is complete, you’ll get an email confirming that two-step verification has been turned off for your Apple account.
You can turn on two-factor authentication on any device running at least iOS 9 or OS X El Capitan. We’re going to use an iPhone in our example. However, if you’re using a Mac running OS X El Capitan, go to System Preferences > iCloud > Account Details. Then, click “Security” and click “Turn on Two-Factor Authentication”. Then, follow the on-screen instructions.
On an iOS device, tap the “Settings” icon on the Home screen.
On the Settings screen, tap “iCloud”.
Tap on your account name at the top of the iCloud screen.
If you’ve changed your password, your security questions (which you have to change to turn off two-step verification), or other information in your account, you’ll probably be asked to sign into your iCloud account again. Enter your password and tap “OK”.
Tap “Password & Security” on the Apple ID screen.
On the Password & Security screen, tap “Set Up Two-Factor Authentication”.
Tap “Continue” on the Two-Factor Authentication screen.
If you have any devices still associated with your Apple ID that are not running at least iOS 9 or OS X El Capitan, you’ll see the following dialog box. You can still use an old device as long as you add a six-digit verification code to the end of your password any time you log in to that device. Tap “Turn On Anyway” to continue.
We want to take a moment to emphasize the text in the “Some of your devices are not ready” box because it will save you from a huge headache later. On your pre-iOS 9 devices, you will need to tack your authentication number right onto your password. This means if your password is “Apple” and the authentication number they send you is “123456”, then you verify your pre-iOS 9 devices by entering the two together as “Apple123456”. There is no separate box for your authentication number.
On the Phone Number screen, make sure the “Number” field contains a phone number that can be used to verify your identity. Under Verify Using, tap either “Text Message” or “Phone Call” to select the method by which you want to receive verification codes on non-iOS devices (if your phone number isn’t attached to an iOS device). Then, click “Next”.
You are returned to the Password & Security screen and Two-Factor Authentication should read “On”. You will also receive an email telling you that your Apple ID is now protected by two-factor authentication.
Now, the next time you log in to a device that isn’t yet a trusted device, you will receive a notification on a trusted device that your Apple ID is being used to sign in to a device (such as an iPad) near an approximate location (based on the IP address of the device being signed into).
If you are the one signing into the device (even if you don’t recognize the location), tap “Allow” on the dialog box on the trusted device to continue logging in to the other device. However, if you do not recognize the location and you (or someone you know and trust) are not the one signing in, tap “Don’t Allow” to prevent anyone else from signing into the other device.
Once you allow the sign-in, a verification code displays on the trusted device. You will use this code to complete the sign-in on the other device.
For example, I changed my password and my security questions on my Apple account. So, I have to log in to the iTunes Store again on my iPad. On the sign in dialog box, I enter my new password and tap “OK”.
Then, I am asked for the six-digit verification code I received on my trusted device. I enter the code and I can now purchase and download apps and content from the iTunes Store. Remember, if you’re signing into a device running an older version of iOS than iOS 9, you need to enter your password and code together in the same password box; for example, password “Apple” and code “123456” become “Apple123456”.
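The combined password-plus-code entry described above, seen from the verifying side, as an added example (not Apple's implementation and not part of the original article). It assumes a fixed six-digit code, a PBKDF2 password hash, and hypothetical function names; the sample credentials are the article's own “Apple” and “123456”.

```python
import hashlib
import hmac

CODE_LEN = 6  # the article's codes for older devices are six digits


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash (PBKDF2 chosen here as an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def split_combined(field: str):
    """Split 'password + code' from the right; None if no trailing code.

    A fixed code length keeps the split unambiguous even when the
    password itself ends in digits.
    """
    if len(field) <= CODE_LEN:
        return None
    password, code = field[:-CODE_LEN], field[-CODE_LEN:]
    if not (code.isascii() and code.isdigit()):
        return None
    return password, code


def verify_combined(field: str, salt: bytes, stored_hash: bytes,
                    pending_codes: set) -> bool:
    """Accept only if both factors match; the code is consumed on success."""
    parts = split_combined(field)
    if parts is None:
        return False
    password, code = parts
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    code_ok = False
    for candidate in pending_codes:  # constant-time compare, no early exit
        code_ok |= hmac.compare_digest(candidate, code)
    if pw_ok and code_ok:
        pending_codes.discard(code)  # one-time use: a replay must fail
        return True
    return False  # same answer whichever factor was wrong


if __name__ == "__main__":
    salt = b"constructed-salt"            # constructed sample value
    stored = hash_password("Apple", salt)  # the article's sample password
    pending = {"123456"}                   # the article's sample code
    print(verify_combined("Apple123456", salt, stored, pending))  # accepted
    print(verify_combined("Apple123456", salt, stored, pending))  # replay
```

Returning one undifferentiated failure keeps the single field from revealing whether the password or the code was the wrong part.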
Once you’ve signed in to a device using a verification code, you won’t be asked for a code again on that device unless you sign out of your Apple account completely, erase the device and set it up as a new device, or need to change your password for security reasons.
You’ll go through a similar process the first time you sign into your iCloud account from a new browser.
How to Set Up Two-Step Verification for Your Apple ID
If you don’t have any devices running iOS 9 or OS X El Capitan but you want to protect the iOS devices you do have with extra security, you can set up the old two-step verification method. It’s still available and will be for the foreseeable future (as of the publication of this article). Even though it’s not quite as secure as the new two-factor authentication method, it’s still a very important piece of added security that you should have.
To set up two-step verification for your Apple ID, open your favorite browser, go to https://appleid.apple.com, and log in to your Apple account. In the Security section, click the “Get Started” link.
A dialog box displays asking you to answer two of the security questions you set up for your account. If you don’t remember your answers, click the “Reset your security questions” link. Otherwise, enter your answers and click the “Continue” link that becomes available.
If you reset your security questions, you must wait before you can enable two-step verification. You’ll receive an email at all the email addresses associated with your account telling you the date and time after which you can set up two-step verification.
You’ll also see a message in the Security section of your Apple account.
Once you’re able to set up two-step verification, log in to your Apple account and click “Get Started” in the Security section. The following screen displays. Click “Continue”.
On the “Add a trusted phone number” screen, enter the phone number you want to use to get a verification code each time you sign in to your account. Then, click “Continue”.
You’ll receive a verification code in a text message at the phone number you specified. Enter that code on the Verify Phone Number screen and click “Verify”.
Now, you can set up and verify any iOS devices you want to use as trusted devices. Trusted devices are any iOS devices on which you can receive verification codes when you sign into your Apple account. Any iOS devices you want to use as trusted devices must have Find My iPhone set up on them. So, if you don’t see the device you want to use on the list, you’ll need to set up Find My iPhone on that device. Once you’ve set up Find My iPhone on your trusted devices, click “Refresh Devices” so you see the devices in the list.
To verify a trusted device, click the “Verify” link to the right of that device’s name.
A Verification Code displays on your device. Enter that code in the browser, just like you did for your trusted phone number. Tap “OK” on the Verification Code dialog box on your device to close it.
Verify each device you want to use as a trusted device in the same way, then click “Continue”.
Your Recovery Key displays. You’ll need this key to be able to log into your Apple account if you ever forget your password or lose your trusted devices. Store your Recovery Key somewhere secure, such as in a password manager, and then click “Continue”. If you can’t log in to your Apple account and you don’t have your trusted devices, you will have to create a new Apple ID and forgo the old one. Apple takes security very seriously, so be sure you keep your Recovery Key safe.
Enter your Recovery Key on the Confirm Recovery Key screen and click “Confirm”.
You’re almost done. On the Enable Two-Step Verification screen, check the “I understand the conditions above” check box and then click “Enable Two-Step Verification”.
Two-step verification is now enabled. Click “Done”.
Note that you might not see your trusted devices in the Security section immediately.
Refresh the web page and you should see the devices you set up as trusted devices.
In the Devices section, you can get information about each trusted device by clicking on the link for the device.
The model, version, serial number, and the IMEI (International Mobile Station Equipment Identity) are displayed. If you no longer want this device to be a trusted device (maybe you don’t have the device anymore), click the “Remove” link (“Remove iPhone” in our example below).
Now that two-step verification is enabled, the next time you sign into iCloud, or other Apple services, you’ll have to verify your identity.
For example, when I log into my iCloud account, a popup dialog box displays asking me to verify my identity, so I click “Verify”.
Then, I choose a trusted device to which a verification code will be sent. If you’re using a computer you can trust (that no one else has access to), and you often use this browser, you can turn on the “Remember This Browser” option so you won’t be asked to verify your identity the next time you log in. Then, I click “Next”.
The Verify Your Identity screen displays. I want to use my iPhone to receive the verification code, so I click on “Lori’s iPhone” in the list.
I receive a verification code on my iPhone and enter that code on the Enter Verification Code screen. I don’t need to press Enter, because the code is checked automatically once I’ve entered it. If the code I entered is valid, I will have full access to my iCloud account.
If you need to sign in to your account using any apps that don’t natively support two-step verification, you can generate app-specific passwords for those apps.
We recommend you use the two-factor authentication method if your devices meet the minimum requirements. However, if you can’t use that method, two-step verification is a viable option. Either method will provide the extra security your Apple account should have.