Why you need to enable two-step verification on your Apple ID right now


Summary: Because you don't want to get hacked. That's why.

TOPICS: Apple, iOS, iPhone, iPad, Security

If you're an iPhone or iPad user (and who isn't?), you probably use iCloud. If you use iCloud, you probably (and should!) use Find My iPhone. If you use iCloud, you probably also use it to sync your email, calendars, contacts, and photos between devices. Maybe even Documents and Data too.


If you use iCloud for any (or all) of the features above, you need to protect your iCloud account — and the Apple ID behind it — with all the tools at your disposal. After all, you don't want someone else reading your email or browsing your contacts and photos. Just ask Wired senior writer Mat Honan, who was victimized in an epic hack enabled by compromising his Apple ID and Amazon accounts.

Obviously, you need to use strong passwords (and never recycle them on multiple sites) but this is exponentially more important for the email service that you use for password recovery. The reason is simple: If a hacker gets access to your primary email account, it's trivial for them to wrest control of your bank and financial accounts simply by clicking on the "forgot my password" link and answering the resulting emails.

If you use an Apple email account (@mac.com, @me.com, @icloud.com) as your primary email account, there's an important step you need to take to protect your account. And you should enable it right now.

It's called two-step verification (aka, multi-factor authentication).

It's a brilliantly simple security concept that requires two "factors" to verify your identity to an online service: 1) something you know (like a password), and 2) something you have in your possession (typically, your smartphone). When enabled, the site you're attempting to access will require your password and a one-time-use PIN that it sends to your smartphone via text or push notification.

Multi-factor authentication has recently been popularized by Google, Facebook, and Dropbox, and now Apple has jumped onboard.

Here's how to turn it on:

  1. Go to the My Apple ID page

  2. Select "Manage your Apple ID" and sign in

  3. Select "Password and Security"

  4. Under Two-Step Verification, select Get Started and follow the onscreen instructions.

Improve your Apple ID password - Jason O'Grady
(Image: Screenshot by Jason D O'Grady/ZDNet)

From here, you'll be asked to strengthen your existing password, and, in an interesting extra piece of security, you'll need to wait three days before it's enabled. According to Apple, this is done to ensure that all of your registered email accounts are notified so that someone else doesn't turn on two-step on your behalf — making it even harder to recover a compromised account.

You must wait three days to enable Apple two-step verification - Jason O'Grady
(Image: Screenshot by Jason D O'Grady/ZDNet)

Luckily, Apple's implementation isn't too onerous. After enabling two-step verification for your Apple ID, you will need to enter both your password and a four-digit verification code any time you sign in to manage your Apple ID at My Apple ID or make an iTunes, App Store, or iBookstore purchase from a new device.
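As an added illustration (not Apple's code and not from the original article), here is a sketch of the server side of a password-plus-one-time-code check like the one described above. The class name, the five-minute lifetime, and the three-guess limit are assumptions; the point is that a four-digit code is only safe if it expires, works once, and cannot be guessed repeatedly.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300        # assumed: code valid for 5 minutes
MAX_ATTEMPTS = 3      # assumed: a 4-digit code has only 10,000 values, so cap guesses

class TwoStepVerifier:
    """Hypothetical server-side check: password first, then a one-time code."""

    def __init__(self, password, clock=time.time):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._kdf(password)
        self._clock = clock
        self._pending = None  # (code_digest, expires_at, attempts_left)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def start_login(self, password):
        """Step 1: verify the password; on success return the code to send to the device."""
        if not hmac.compare_digest(self._kdf(password), self._pw_hash):
            return None
        code = f"{secrets.randbelow(10_000):04d}"   # CSPRNG, keeps leading zeros
        digest = hashlib.sha256(code.encode()).digest()
        self._pending = (digest, self._clock() + CODE_TTL, MAX_ATTEMPTS)
        return code

    def finish_login(self, code):
        """Step 2: accept the code once, before expiry, within the attempt budget."""
        if self._pending is None:
            return False
        digest, expires_at, attempts = self._pending
        if self._clock() > expires_at:
            self._pending = None
            return False
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest):
            self._pending = None            # single use: burn the code on success
            return True
        attempts -= 1
        self._pending = (digest, expires_at, attempts) if attempts else None
        return False
```
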

More information can be found in the Apple knowledgebase article: Frequently asked questions about two-step verification for Apple ID.

Do you use multi-factor verification on your Apple ID? Anywhere else?



Talkback

16 comments
  • The only thing bad about apple,

    I have 2 different accounts one with my icloud and the other with my itunes for music. I need to work with them to get them merged together if possible. My wife has the same thing. So If you cannot merge the 2 accounts together you have to do this for 2 different accounts. What a pain. I have a support call with apple scheduled. I will see how we do with that.
    spikey289
    • Apple Store?

      Did you go to a (physical) Apple Store? They might be able to help you there.
      Eleutherios
    • fat chate

      I had a change of name, most people do at some point in their life don't they?
      dumb blonde
      • Fat chance!

        I had a change of name, most people do at some point in their life don't they?

        Would Apple merge my old purchased tunes with my new tunes, like hell they would!

        Do I purchase much through iTunes, not any more, you don't really purchase anything anyway and as for lending a book or disc to a friend...

        Your dumb spell check messed up the previous reply btw...
        dumb blonde
    • Don't bother

      Apple can't (or won't) merge Apple ID accounts. It says so multiple places in their support site. You'll have to pick which Apple ID you want to protect, though basically you are forced to choose your iCloud account since that's tied to Find My Phone.

      You can protect your other accounts, but you'll need to use SMS to get the codes instead of the Find My Phone app.

      Apple's two step protection is kind of half-assed though. You need to provide a code to make purchases or change your password, but you don't need it to access your iCloud mail or even log in to iCloud. So if someone gets your username and password, they can still access your mail and data, they just can't change your password or make purchases.
      Morac
  • two step process

    what happens if your smartphone is stolen? And that is the phone that receives the text message! (if you have the two step process in place)
    vstachura
    • Well...

      ...if you're getting targeted by someone that already knows your password, and then steals your phone to get the verification code I think you just entered a Mission Impossible plotline and your problems are bigger than an iCloud account.

      If you have Find My Phone enabled one of the options is to reset the data on it. I'm pretty sure that clears out the phone connection, but if not, presumably you will have called your wireless carrier to let them know and they will take the phone offline. At least that's where I would start, but I've never done it, so I don't know if they can actually help or not.
      Roger.H
  • Google is in the state of art about two steps verification...

    ... and it does not take 3 days to activate, that's ridiculous!
    IMO two verification steps should be a standard security process to all the cloud.
    Google TVS works pretty fine even outside US.
    mxgms
  • "If you're an iPhone or iPad user (and who isn't?)..."

    Ahhh...ME...and LOTS of people I know.
    IT_Fella
    • Same here

      I would say most people I know are NOT iphone users. I hate to make stereotypes, but people that use "i" products tend to be not so pleasant to be around, so I tend to stay away from them. Anyone that holds a tech company as more of a religion than simply a piece of hardware is not right in the head. It's like talking bad about apple is blasphemy or something. Not to mention, I like to get the best bang for my buck, so over-paying for outdated hardware is not something I do.
      SteveWojo
      • I'm not an iPhone user only because

        operating ANY smart phone in New Zealand requires me to be a billionaire. Well, that's a bit of an exaggeration. But not much!
        Laraine Anne Barker
      • Really? That's silly!

        SteveWojo: "people that use "i" products tend to be not so pleasant to be around"

        Oh, come on now! I have an iMac and an iPad. I don't worship Apple. I just happen to like these two products. I know people who use OS X and/or iOS, and people who use Android, Linux, and Windows, and as people, one group is no different than another. The real people who are unpleasant to be around are those who judge others by their race, religion, sexual orientation, language, or choice of products.

        On the topic of the article, making use of all available security options is always a good idea when it's practical for your situation. (Obviously, someone without a text-capable cell phone cannot use texting as a security factor.)
        daniel1948x
  • No cell service at home

    What are the other options?
    rfoto
    • No cell service at home but ...

      You can get an authenticator app that generates valid codes without needing a cell connection. Or you can get a local cellphone transmitter that runs off your broadband connection. Some service providers supply such items free of charge as compensation for failing to cover your home.
      JohnOfStony
  • Doesn't protect your data

    Apple's two step protection isn't implemented correctly. You need to provide a code to make purchases or change your password, but you don't need it to access your iCloud mail or even log in to iCloud. So if someone gets your username and password, they can still access your mail and data, they just can't change your password or make purchases.

    If you have one AppleId for iCloud and one for iTunes, you have to choose to protect iCloud since it uses Find My Phone, which means only password changes are protected. You can protect multiple Apple IDs, but you need to use SMS for all non-iCloud Apple IDs.
    Morac
  • If you're an iPhone or iPad user (and who isn't?)

    You must be kidding with this title, of all the people I know (and it is a large number) only two (2) YES ONLY 2 own anything with apple! And I find this so funny that this is even being discussed since anyone with apple will never tell you there is or could be any problem with (viruses, hacking, merging accounts, icloud not working etc.; since they only will tell you NOTHING WILL EVER GO BAD, and I know only too well that it is all a big lie, since my iTunes account was hacked not once, not twice but three times, and every time I deleted the whole account waited some time and restarted a new account with a whole new name and password. And to boot my back told me this is a very well-known and big issue with apple.
    So if you want to believe a company whose only interest is in your money with all your info have fun I will never own or use anything from apple now or in the future since they cannot be trusted for any help of safety of any kind!!
    bsmi021@...