With iOS 9 and OS X El Capitan, Apple added two-factor authentication to iCloud. iCloud has offered two-step verification for a while, but the improved two-factor setup is better.
Using multiple factors is by far the best way to keep important accounts, like iCloud, secure. In this tutorial I’ll show you what two-factor authentication is and how to enable it on your Apple devices.
Two-Factor Authentication Explained
In security, there are three methods of authentication: something you know, something you have and something you are. For example, something you know is normally a password, something you have could be a key or card, and something you are is typically biometric data like a fingerprint.
Single-factor authentication uses only one security method. Most online accounts just require a password. The problem with single-factor authentication is that only one thing needs to be compromised for someone to gain unauthorised access. If you get someone’s email login details, you can log in as if you are them.
Two-factor authentication is significantly more secure because it uses two different forms of authentication. You need to control both factors to gain access.
Online, this is normally something you know (a password) and something you have (a pre-authorised device). When you log in with the password, a single-use code is sent to the pre-authorised device. You have to enter the single-use code as well to log in. If you try to enter the password without the code, you won’t be able to.
Two-factor authentication is very effective at stopping many of the most popular vectors of attack. Phishing and social engineering hacks can normally only get the thing you know. They can’t get the physical thing you have or the biometric thing you are; stealing your phone or finger requires a lot more effort. While you won’t be safe from all hacking attempts, you’d need to be deliberately targeted by very determined hackers to have your accounts compromised. It’s happened in the past but most people don’t need to worry.
Note: For the security nerds out there, using a password and a pre-authorised device that receives a code is technically multiple implementations of single-factor because the code becomes an additional something you know once it’s generated. Most people, including Apple, use two-factor authentication to describe this situation anyway.
How Two-Factor Authentication Works With iCloud
Apple’s implementation of two-factor authentication uses your iCloud password and trusted devices that you’ve already connected to your iCloud account. When you try to log in to iCloud on a new device (or with a new browser) a push notification gets sent to a trusted device.
The push notification shows the approximate location where the login attempt is occurring and gives you the option to accept or block the login. If you accept, a six-digit code is generated which you have to enter on the new device. Once you’ve done that, it will connect to your iCloud account.
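The accept-then-code flow described above, modelled from the server's side as an added example; it is not from the original tutorial and is not Apple's implementation. The class and function names, the five-minute code lifetime and the three-guess limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # assumed code lifetime in seconds
MAX_ATTEMPTS = 3    # assumed number of guesses before the challenge locks

class Challenge:
    """One pending login from a new device (hypothetical model)."""
    def __init__(self, location, now=None):
        self.location = location            # shown in the push notification
        self.created = time.time() if now is None else now
        self.state = "awaiting_approval"
        self.code = None
        self.attempts = 0

    def respond(self, allow):
        """The trusted device accepts or blocks the login."""
        if self.state != "awaiting_approval":
            raise ValueError("challenge already answered")
        if not allow:
            self.state = "blocked"
            return None
        # CSPRNG, zero-padded so every code has exactly six digits
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.state = "code_issued"
        return self.code                    # displayed on the trusted device only

    def verify(self, entered, now=None):
        """The new device submits the code it was given."""
        now = time.time() if now is None else now
        if self.state != "code_issued":
            return False                    # blocked, used, expired or locked
        if now - self.created > CODE_TTL:
            self.state = "expired"
            return False
        self.attempts += 1
        ok = hmac.compare_digest(entered.encode(), self.code.encode())
        if ok:
            self.state = "used"             # single use: a replay fails
        elif self.attempts >= MAX_ATTEMPTS:
            self.state = "locked"           # stop brute-forcing the 10**6 space
        return ok

def start_login(password_ok, location):
    """First factor: only a correct password triggers the push notification."""
    return Challenge(location) if password_ok else None
```

A six-digit code has only a million possible values, so the expiry, single-use and attempt-limit checks are what make it safe to rely on.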
How to Enable Two-Factor Authentication in iCloud
You can enable two-factor authentication on
- any Mac running OS X El Capitan
- any iPhone running iOS 9, or
- online through the Apple ID management page
If you’re already using two-step verification you’ll need to disable it first.
When you enable two-factor authentication you’re required to provide a trusted phone number. You’ll need to confirm this to finish the setup process. The phone number can be used as an additional trusted device for when you don’t have internet access.
On a Mac, navigate to the iCloud Preference Pane in System Preferences. Select Account Details, then Security, and turn on Two-Factor Authentication.
On an iPhone, open the Settings app and select iCloud. Tap on your Apple ID and then Password & Security. Turn on Two-Factor Authentication.
Once you finish the setup process, your iCloud account will be much more secure. Any device connected to your iCloud account will stay that way unless you change your password or wipe the device and set it up as a new one.
Broken Apps and App-Specific Passwords
When I set up two-factor authentication for my iCloud account, Fantastical 2—which uses my iCloud calendar to sync events—stopped working. It kept prompting me to enter my iCloud password.
This is because two-factor authentication blocks it from logging in using the iCloud password I had previously been using.
To get it to work again, I generated an app-specific password through iCloud and used that to log in. Any app that uses your iCloud email, calendar or contact book may need you to do the same.
So far, Fantastical 2 is the only app I use that has been affected, but I’ve no idea which other apps you might encounter that require this.
To generate an app-specific password, log in to the iCloud management website. You’ll need to use both factors.
- Under Security click Edit. The App-Specific Password section will appear
- Click Generate Password… and enter a descriptive label such as Fantastical
- Select Create and then write down the randomly generated password
Navigate back to the app that required the iCloud password and use the new app-specific password to log in. It will now work as before.
Enabling two-factor authentication for your iCloud account is an important step in protecting it. If you’re just using a password—especially if it’s a bad one—it’s all too easy for people to break into your account.
By adding a second factor, you make it significantly more secure. If you haven’t already implemented it, you should do it immediately.