Would be nice if they could use RFC 6238 TFA as well, it is a bit more convenient if you only have your Android device with you.
Edit: Reason for that being that I prefer having all TFA codes in my Google Auth app/Authy, which requires no internet connection. Using SMS/text or other devices is a bit inconvenient when traveling and using a local SIM.
I'm not sure if you need to be online to generate these codes. On OS X, it's possible to go to System Preferences > iCloud > Account Details > Security > Get A Verification Code, which returns you a 6 digit verification code that looks like a TFA code.
You certainly don't - I just tested it with my phone in Airplane mode and it worked fine.
Edit: to clarify, I originally tested it on my phone, but I've since tested on Mac and the result is the same.
If you happen to have the iCloud "Account" screen open before losing all connectivity (i.e. it's open, then you turn off wifi/etc), the regular "Get Verification Code" button will work.
In the more likely scenario that you just open up Settings/System Preferences > iCloud > Account, if you're offline it will tell you that you can't see your account details because you aren't online, but that you can generate a verification code while offline.
Very helpful to know! I've always wondered why Apple didn't have a method of code delivery independent of SMS. Even Facebook's app has a code generator. Apparently I just didn't know that it did.
There's a larger reason for not using this and using a community standard (SAML2 is all over the academic community, with a few million active users, tried and true -- JSON Web Tokens/WS-Fed/etc all work too) - standardization and interoperability. Authy/OneLogin/Anyone-who-supports-SAML2/WS-Federation is doing the Right Thing(tm) [1] by supporting standards and breaking out of the walled garden. It's time to stop leaving our authentication to corporations. I would have sounded like a tinfoil hatter, but Snowden et al have vindicated me so I'll continue to vocally extol alternative methods and the re-decentralization of the internet. Crypto's our last defense against malice and incompetence.
That RSA handshake saying "hey, it's me -- check the Web of Trust & the fingerprint of this public key I gave to you in person" / identity verification (there's a reason why you not only encrypt but sign your data with PGP) is especially now important to run on your own server & effectively trivial to set up with Docker (which I'd bet at least 70 percent of the readers here use.) To add SSO support for SAML2 (or JWT, or whatever you want -- passport.js supports it all) so others can use their own IdPs to authenticate in via WS-Federation is now trivial.
One day there's going to be some catastrophic data leak of the magnitude of the Philippines leak, of the social importance of the Panama Papers, and of the shock value of the Ashley Madison leak and we'll only have ourselves to blame for making our fun toy web-apps auth against only FB and Google.
[1] This has been a "solved" (mathematically + programmatically via PGP 2.0 for ~25 years with Zimmermann's implementation of the Web of Trust). Who remembers key-signing parties?! Haha. If you lose your key, you call up your buddy Bob who has an authentication claim with the sole ability to talk to the Identification Provider, Alice (whom you and Bob both trust to run your SSO) and your certificate is immediately revoked, so even if your private key and passphrase and device are all lost, no new data the second your key's state moves to 'compromised'. Alice can pull the plug on her RasPi's IdP, killing the whole and I might sound like a tin-foil hatter but re-decentralization for the internet has never been more important. She can pull the plug on it or have a cron-dead-mans-switch that discharges ESD to the volatile RAMdisk and kills the power; at worst she'll get an obstruction of justice charge. Multi-national corporations will comply with court orders if their in-house counsel says the demand isn't viably disputable.
The internet was rooted in academic/sharing culture, and ARPAnet was designed with decentralization as such a fundamental component that redundancies were put in place to literally route information successfully with a significant part of the nation offline as a result of nuclear war. Walled gardens like this are inherently vulnerable to government intervention. That Israeli firm compromised (as I understand it) the iPhone in the 'pwned' sense. If this is a reaction to the public distrust of iPhone as a platform, this isn't any more secure than before. Apple still has to have the initialization vector/nonce/whatever that's seeding the pseudo-random number generator.
From the BSD[2] culture we came, to there we must return.
--
[2] More so referring to the culture of EDA semi-conductor tooling & the attitude of "here, take it, use it, and enhance it, and release it back into public domain", more so than the whole BSD 'the SysV UNIX competitor' and all of the derivatives that were spawned from it.
See: https://en.wikipedia.org/wiki/VLSI_Project, https://www.mosis.com/products/fab-processes (which yielded SPARC), http://wiki.geda-project.org/, etc. IBM was also the other instrumental player in the 70s/80s to enable chip-houses to get past that proverbial wall of a few hundred k components on an IC. Rumors around the EE scene have it that low-run custom SoCs are the next B2B move chip houses are going to push, but we'd still be on System/36s and VAXstations if it weren't for some associate professor in his 30s and a few 25 year old PhD candidates who pushed out the chip tooling that's still in use today (MAGIC, SPICE, and all the subsequent derivatives).
You'll probably be interested in Let's Auth, a WIP spiritual successor to Persona meant to take 3rd party auth back from the grips of twitter/facebook exactly for the reasons you mention.
Not exactly a shining example of proper authentication. I don't particularly like being forced to use a mobile phone for government authentication (because of the text message token requirement).
It would be nice if we could get some decent two-factor authentication in the next iteration. I hope Idensys (DigiD's successor) will get the hardware factor right, and provide a truly cross-platform solution that does not involve mobile phone numbers.
But if you are already trying to log in to Apple ID it means you already have an Internet connection on your computer, so what prevents you from using the same Internet connection for other devices that could get the key?
I just experienced this. I was on a public computer in a foreign country. I had my phone, but no data access in that country. I doubt it's very common though
I believe this is a new system. It's called two-factor authentication as opposed to two-step verification. To quote the FAQ:
> Is this different than Apple’s current two-step verification feature?
> Yes. Two-factor authentication is a new service built directly into iOS 9 and OS X El Capitan. It uses different methods to trust devices and deliver verification codes, and offers a more streamlined user experience. The current two-step verification feature will continue to work separately for users who are already enrolled.
Since I was already using two-step verification, I had to turn it off for the new two-factor authentication option to appear. I turned it on and it looks like it's working now.
I have to agree that this was very confusing.
EDIT: looks like I can authenticate from OS X now, nice. Before I had to always unlock my phone.
Thank you for this clarification. I just recently noticed and enabled two step authentication, and would have assumed I was already using the new auth without your post.
Here is how I understand it, there are two methods:
1. Two-Step verification
2. Two-Factor authentication
1 is the old method. 2 is new.
With method 1 you can add devices manually as 'trusted'. Auth is a simple 4 digit code and contains no interesting info.
With method 2 devices are automatically added if they are supported and you sign in. You cannot add devices via your account info manually. Codes are 6 digit and auth dialog includes a map with approximate location of login attempt.
The new method also seems to be a more 'native' and better experience.
Obviously, method 2 is preferred due to the 6-digit code and more info about the potential attacker (or trustee for those who do such things).
Are the codes 6 digit? Do they actually show a map? I just set this up, and logged into icloud.com from a fresh Chrome session (having set it up on Firefox and not wanting to futz with sessions there), and I've only had to use 4 digit codes, and no such map. But I've only tried authenticating on websites (I don't have other Apple devices to test with).
Also, I did have to add at least my iPhone manually at first.
It seems like you might have it backwards?
EDIT: My bad. I tried to set up 2FA, by following the "Manage your Account" link from the 2FA info page, but actually set up the old 2SV, with no 2FA options in sight... This is a grungier experience than I would (naively) expect from Apple, as a new Apple customer. Turns out you must set this up on a device, not through the website! They detail this halfway down the page in the "turn on" instructions.
I didn't activate two-step verification because the process was a little bit of a hassle (I'm lazy). But when upgrading to the last iOS update I was prompted to activate two-step authentication and it was a really smooth process. I had already experienced the 6 digit code & map over the last weeks, so I didn't figure out at all that this was new.
I guess they first rolled out the feature to people like me who didn't activate the old method. If everything goes fine I guess they will prompt everyone to switch to the new method on the next update.
> Yes. Two-factor authentication is a new service built directly into iOS 9 and OS X El Capitan. It uses different methods to trust devices and deliver verification codes, and offers a more streamlined user experience. The current two-step verification feature will continue to work separately for users who are already enrolled.
I believe you are confused because Apple previously offered "Two-Step Verification", and this is "Two-Factor Authentication".
I myself am finding it difficult to find a clearly written explanation of the difference.
EDIT: What I have discovered:
It's now a 6 digit code (previously 4); and gives you more location based information with a map showing where the login is occurring from.
You can also now "reject" the request, which will then open a prompt to ask if you'd like to change your password.
Another new "feature" is that in order to support older devices that do not have Two-Factor Authentication built in, you can generate a verification code from a trusted device, and append that code to the end of your password.
Annnnnd I'm locked out of adding this because I couldn't answer my security questions that I definitely never set up (I know this because I never use real information but random words that I save in 1Password if I am forced to make these.) So now I can't add 2 factor to a device that is and has been signed into my iCloud account for months.
Delays like this (the old 2-step verification had a 2-3 day delay when first enabled) are to prevent someone else logging into your account (without any form of 2fa), and then enabling the 2fa system, thereby locking you out of your own account.
Are you sharing your apple id? Because a similar scenario happened where my sister called me and said she was (after calling me for some payment verification details) prompted to enter new answers to security questions ... After having shared my password for years for AppStore access.
Had she simply not informed me I might have been in your exact same situation.
Off-topic but I'm curious: How do you and your sister handle sharing iMessage? I can imagine the confusion if my sis and I were getting the same messages from each other's acquaintances.
My best friend and I share my Apple ID and password for use with the App Store. We definitely don't get each other's iMessages. She uses her own Apple ID and password when logging in to that.
FYI for you and other commenters, there is no need to do this anymore - you can have separate accounts and create an iCloud Family instead; purchases + payment info get shared and nothing else.
That doesn't work if the other person uses an AppStore in a different country.
You can add the other person to the 'Family' but you can not share purchases. (Very annoying...)
Are you suggesting that Apple invented security questions for your account? Because that sounds highly implausible. Are you sure you didn't set up actual security questions so long ago that you simply don't remember doing it anymore?
Wasn't an issue until I wanted to change my Apple ID password, for which the security questions are required.
Phoned Apple Support, and they took me through a dazzling array of security steps, involving my Mac, iPhone, payment methods, and the Apple ID website, before they allowed me to create new questions.
Happened with very old accounts to me as well, where no security questions even had to be entered at the time. The solution was to call Apple Support - they could do it over the phone - I think I had to verify some account details like street address, etc.
Is there an easy way to switch to the new system? In order to disable the old 2-step verification, I have to set up new security questions, quite a hassle!
I asked the @AppleSupport twitter account the same thing. You have to disable the old and enable the new - there is no automatic way to jump from one straight to the other.
On the plus side, I believe the security questions become irrelevant again once you've setup the new 2FA.
I hope this is more reliable than the previous system. I signed up for two step authentication... worked only once! The rest of the times the text message just never came through. I double checked my phone number, I even looked at their status page. nothing :(
I enabled 2FA, logged out of iCloud on my iPhone, then logged back in. It asked me for the "password" on my Macbook Pro. What? How would Apple have access to a user password on my MBP? I have multiple users on my MBP... what would happen if I were logged into the same iCloud account with two different users?
Out of curiosity, I tried (and then immediately changed) my main user account password, and it successfully authorized my iCloud login on my phone. I am really curious what's going on here. I expected it to ask for a numeric code like you mentioned, but it just gave me a plain UITextField to enter the password for $my_macbooks_hostname
I do not have keychain syncing enabled in iCloud, just contacts/calendars.
Other than being more streamlined and offering offline access to codes, is there any additional benefit in terms of security for updating from the two-step method to two-factor?
I much prefer having the recovery key that is provided with two-step; I don't see that the two-factor method offers a recovery key.
Having any security feature associated with either my landline or mobile phone makes me feel uncomfortable for multiple reasons, some that have already been articulated by others here plus some more I can't really put my finger on, except to say that both landline and mobile phones seem inherently untrustworthy to me.
I recommend adding as many of your devices as trusted devices, as well as other phone numbers, in case you need to recover the account. Apple cannot really assist in that when Two Factor is enabled.
That's no longer the case. With this new Two Factor authentication there are no security questions, no recovery key, and Apple can recover your account if you lose all of your trusted devices and forget your password.
Devices are automatically trusted the first time you login and enter a verification code.
When anyone tries to log in to your account on the web or from an untrusted device, all of your trusted devices notify you with the location of the login attempt. It's a pretty good setup.
Find my iPhone, Apple Pay, and Apple Watch settings are available without Two Factor authentication. Links are available on the Two Factor verification screen.
Is it live? I checked both of my up-to-date macbook air and iphone, and there is no mention of this new "Two-factor authentication" in the settings. In fact, there is the "two-step verification" turned on already in the settings, which I assume is the old way.
Call me an idiot, but how do I turn off two-step authentication in order to turn on two-factor authentication? Neither my iPhone nor my Mac allow me to turn it off. Where
Just tried to enable this from my MBP, got a message saying it's not available for my apple ID at this time. So I guess the rollout's not complete yet.
Yeah the old system was a real pain to use. This one is much better, it just asks you to pick a device to get a code from, it'll pop up and you type the 4 digit code in.
Why has this not been released for more sites, devices, and other stuff? What is keeping companies from adding similar features to protect their customers? Any ideas?
Two factor auth is available for many sites; the only unique part (to the user, I'm not certain of the actual OTP generation process) is the prompting on devices with an area map shown.
PSA: you can lose your Apple account this way. If a password reset is needed or the account gets locked, you have to have your recovery key. No recovery key, no more account. Print it and keep it in a safe place.
You're thinking of two-step verification [1]. I believe getting rid of the recovery key is part of the "more streamlined user experience" offered by two-factor authentication.
I can find no mention of a recovery key for Apple's Two Factor Authentication (which is different than Two-Factor Verification). Where does one find this?
The old system pushed 4-digit OTPs from Apple to a trusted device of your choice using the Find-My-(iPhone|iPad|Mac) system or an SMS. Only iOS devices could be registered as "trusted" for this system.
The new system shows login attempts on all trusted devices (iOS 9 or OS X 10.11 devices) automatically, including basic GeoIP location, and will show a six-digit OTP if you want to allow the session. It also allows trusted devices to generate verification codes (a six digit OTP) when offline, e.g. if you need to log in to iCloud.com from a public computer but your phone has no data/cell service. Or if, for example, you have your Macbook with you but no Wifi access, your phone battery is flat, and you need to access your account via another computer.
> Surprised Apple would launch something like this
Why is this surprising? They've had 2-step verification available for several years, this is an improvement over that.
> Yes. Two-factor authentication is a new service built directly into iOS 9 and OS X El Capitan. It uses different methods to trust devices and deliver verification codes, and offers a more streamlined user experience.
Basically, it uses a (presumably) more secure method for handling verification. One benefit of this is OS X computers can now be trusted devices that display verification codes (Two-Step Authentication only allows iOS devices to be trusted devices)