Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

How to enable Apple's secure two-step verification for your iCloud & iTunes accounts

Last updated

Last week's celebrity photo leaks were a stark reminder of what can happen to internet users that fail to follow basic security precautions, like enabling two-factor authentication when it's available. With Apple's own security practices under the microscope, AppleInsider shows you how to enable Cupertino's own implementation.

First, you'll need to login to Apple's web-based Apple ID management system at https://appleid.apple.com/account/home — just click "Manage your Apple ID," then enter your credentials.

For many, this will be the first time you've actually heard of this portal. It's worth checking out; if you've previously found that updating billing or contact information on your iOS device is a chore, you can do it more easily here.

Once you've logged in, choose "Password and Security" from the navigation options on the left — you'll be asked to verify your security questions — then scroll down to the "Two-Step Verification" section. Click the blue "Get Started" link, then peruse the informational screens that follow — if you still want to proceed, click "Continue."

Apple will send an SMS containing a verification code to the mobile number you've assigned to your Apple ID. It's important to note that if your number is out of date and needs to be changed, you'll have to wait three days after doing so to complete two-step setup — this is a security measure that prevents malicious actors from immediately locking you out of your own account if it's compromised before two-step verification is enabled.

After you've received the SMS and entered the verification code, you'll then be able to designate as a trusted device any iPad, iPhone, or iPod touch on which you've used your Apple ID to enable Find my iPhone. These are the only devices you'll be able to receive future one-time codes on —  they're sent as a special push notification from Apple, unless you choose to allow codes to be sent via SMS.

Finally, Apple will generate a unique recovery key that can be used to access your account if you forget your password or don't have access to your trusted devices. This is a last resort; Apple recommends that you print or write down the recovery key and store it in a safe place — in your home safe, for instance, or a safety deposit box.

This is important: if you forget your password, lose your recovery key, and don't have access to your trusted devices, you will not be able to login to your Apple ID, and Apple will not be able to help.

Once that's complete, you're finished. You'll be asked for a code the next time you try to login on the web, and Apple will be rolling out two-step verification for more actions —  like restoring backups to a new device —  in the near future.



68 Comments

wendellgee28 10 Years · 6 comments

The page on the site that says "your password is too easy...change it" has flawed logic. My old password did have three repeating characters. It was pre-populated in the "old password" field, and then of course there are two new fields for new password entry. I entered strong passwords, there, then hit submit, and it appears the site is applying the "new password" logic to the "old password" field, telling me I cannot have three characters in a row (in my old password). Come on guys... this is sloppy... unless I'm missing something. I submitted the feedback to Apple.

john.b 16 Years · 2733 comments

The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many [URL=http://xkcd.com/936/]bits of entropy[/URL] your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...

nagromme 22 Years · 2831 comments

Furthermore, what has Apple done to protect all those celebrities whose photos were stolen from Google/Android? The theft wasn't specific to iOS. Apple once again leaves Android users out in the cold when it comes to security!

hammeroftruth 16 Years · 1356 comments

Quote:
Originally Posted by nagromme 

Furthermore, what has Apple done to protect all those celebrities whose photos were stolen from Google/Android? The theft wasn't specific to iOS. Apple once again leaves Android users out in the cold when it comes to security!

That is too funny!!!

benjamin frost 11 Years · 7198 comments

Quote:
Originally Posted by John.B 

The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...

 

Indeed.

 

The answer to your conundrum is to let people choose their own question and answer. Just don't choose 'What is the meaning of life?' as everyone knows the answer to that.