Protecting the data in your accounts is essential, and no account is more important to users of Apple devices than their Apple ID account. This account covers many features, from email to calendars, from online storage to online purchases. We have long recommended the use of two-factor authentication whenever possible, and these days it is almost essential that you set this up for your Apple ID.
In this article, I’m going to explain how Apple’s two-factor authentication (2FA) works, how to set it up, and how to prepare for situations where you may not be able to get 2FA codes.
What is two-factor authentication?
Two-factor authentication, or 2FA, is a way of protecting accounts that requires both something you know – your user name and password – and something you have, such as another device that can receive a one-time password (OTP), or a hardware token (a dongle) that generates these codes.
For some time Apple used two-step verification, a slightly simpler system, to protect Apple ID accounts, but the company has since moved to its own 2FA system. Apple’s implementation of 2FA leverages the Apple chain of trust, using one Apple device to authenticate a new device, or a new sign-in to an Apple service in a web browser.
Once you are authenticated on a device, that device is added to your trusted devices, and it can receive OTP codes when you want to sign in on another device. Even if you only have one Apple device, you should still set up 2FA; with a single device, adding a trusted phone number ensures that you can still get codes.
It’s worth noting that more and more Apple services require that you use 2FA. For many years, it was optional, and technically it still is, but you’ll be limited in your use of Apple products and services. For example, you cannot use AirTags without 2FA; you can’t sync an iCloud Keychain if 2FA isn’t set up; you can’t manage your home in the Home app on all your devices if you haven’t enabled 2FA; and if you have an Apple developer account, you must use 2FA. This Reddit thread lists many of the Apple features and services that require 2FA.
How Apple’s 2FA works
Once 2FA is enabled, when you sign in on a new Apple device, or on an Apple website such as the online Apple Store or the site where you manage your Apple ID (appleid.apple.com), you need to enter an OTP. Your trusted devices will display a dialog informing you that someone is trying to sign into your account, and showing the approximate location of that sign-in attempt. If you don’t recognize the sign-in attempt – if it’s not you – click or tap Don’t Allow; if you are the one signing in, click Allow, and you’ll then see a six-digit code that you enter in the app or browser you’re using.
There’s a bit of a problem with the location in the screenshot above: I’m not in Northern Ireland, I’m in Warwickshire, England, and this might give you pause. The location is only an approximation derived from the IP address of the connection, so it depends on your network operator; for some reason, my fiber broadband shows as connected from another part of the UK. This can be even more misleading if you use Apple’s new iCloud Private Relay, which is designed to hide your precise location, or a VPN, where you could appear to be in a different country. If the dialog appears at the exact moment you are signing into a device or service, it is reasonable to trust it, unless the location is very far from where you are; if a dialog appears when you are not signing in anywhere, tap Don’t Allow, because someone else has your password.
Here’s the dialog on my iPhone presenting the six-digit OTP that I enter in my browser:
Once you’ve signed into a device and provided a 2FA code, you won’t be asked again unless you sign out from the site, erase the device, or change your password. When you sign into a website, you can choose to trust the browser so you won’t need to enter an OTP again in the future with that browser, but don’t do this in a web browser on a public computer, or even a friend’s computer: anyone using that browser afterwards would skip the second factor.
Apple’s chain of trust
Once you’ve authenticated on one Apple device, you can use this device to authenticate on others, as well as sign into Apple services on the web. This is Apple’s chain of trust. Your authentication has a snowball effect: the more Apple devices you own, the more powerful this chain is, because each of your Apple devices can authenticate you for other Apple devices and services. If you only have one Apple device, this is more fragile, since losing that device means losing your only source of codes.
Below, I’ll explain how to set up trusted phone numbers to get OTP codes if you just have one Apple device.
Turning on two-factor authentication
On an iOS or iPadOS device, go to Settings, tap your name, then tap Password & Security. Tap Turn On Two-Factor Authentication and follow the instructions. On a Mac, go to System Preferences > Apple ID > Password & Security, then, next to Two-Factor Authentication, click Turn On. You can also do this on Apple’s website at appleid.apple.com.
If you’ve been using Apple’s older two-step verification system, then you can upgrade to two-factor authentication. You’ll need to go to appleid.apple.com, sign in, answer your security questions, then follow the prompt to upgrade your account security. You’ll be asked to enter a phone number to receive an OTP to verify your identity, then you enter that code to complete the upgrade.
2FA doesn’t use security questions, unlike the older two-step verification system or some other websites. It depends only on your trusted devices, your trusted phone numbers, and the OTP codes they receive.
Getting verification codes
While you usually get verification codes automatically, as described above, you can also generate them on demand from your Apple devices if, for some reason, you’re not receiving them on the device you’re signing in with. On an iPhone or iPad, go to Settings, tap your name, then tap Password & Security. Scroll down to the bottom of the screen and tap Get Verification Code. On the Mac, you can do this in System Preferences > Apple ID > Password & Security.
Setting up trusted phone numbers
If you only have one Apple device, how can you get OTP codes to authenticate on an Apple website? You’ll need to set up one or more trusted phone numbers: your own phone number to start with, but it’s also a good idea to add others, such as your home phone, if you have a landline, or the numbers of family members or close friends. These phone numbers can get you OTP codes by text message or phone call if you have, for example, lost your iPhone on a business trip or on vacation, and need to sign into the Apple website or set up a new phone. Bear in mind that whoever controls a trusted number can receive your codes, so only add numbers belonging to people you trust.
See How to Set iCloud Account Recovery Contacts, Legacy Contacts, and Trusted Phone Numbers to learn how to set up trusted phone numbers.
What if you forget your Apple ID password?
Your Apple ID password is important: it shouldn’t be too simple, but it should be memorable. If you forget it, because of Apple’s chain of trust, you can reset it on one of your Apple devices. On iOS or iPadOS, go to Settings, tap your name, then tap Password & Security. Tap Change Password and enter a new password.
On a Mac, go to System Preferences > Apple ID > Password & Security, then click Change Password.
If you don’t have access to an Apple device, you can reset your Apple ID password at iforgot.apple.com.
You can also set up a recovery contact for your Apple ID account; this is a person who can help you get back into your account if you’ve forgotten your password. See How to Set iCloud Account Recovery Contacts, Legacy Contacts, and Trusted Phone Numbers to learn how to set up recovery contacts.
Apple’s two-factor authentication may seem complex, but once you’ve set it up, you’ll realize how sophisticated it is, and how well it protects your vital personal data.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.