Apple adds two-factor authentication to Apple ID

Optional second factor of verification is available to Apple ID users.

The Cupertino giant has joined the list of companies embracing two factor authentication, enabling the option for Apple ID users to have a verification code sent to an authorised device when signing in.

Image: Screenshot by Chris Duckett/ZDNet

Once enabled, a 4-digit code is sent via SMS, or the Find My iPhone app when a user successfully signs in with their Apple ID username and password on the My Apple ID website, or when making an iTunes, App Store, or iBookstore purchase from a new device. Users are given a 14-digit recovery code to use if they ever forget their password or lose access to their authorised devices.

Making use of Apple's two-factor authentication will nullify the need for any security questions that are currently used by Apple when verifying identity in cases such as resetting of an Apple ID password.

Apple noted that users are responsible for remembering their password, keeping authorised devices physically secure, and keeping the recovery key safe.

The company said that, "if you lose access to two of these three items at the same time, you could be locked out of your Apple ID account permanently". A support note advises that permanent loss of two of these items will result in the user needing to create a new Apple ID.

As long as users are able to remember their password, they will have the ability to generate a new recovery key from the My Apple ID website.

Two-factor authentication has gained support from a number of vendors recently, with Dropbox supporting it and Google already making extensive use of it, while Twitter has been in the market looking for an engineer with "multifactor authentication" skills . It hasn't all been clear sailing though, with Google needing to patch an oversight in its implementation last month.

The use of an extra factor of authentication is not without its detractors. OneID founder Steve Kirsch claimed last month that the technology does not improve user experience, and is under-utilised to the point of barely making a difference. Kirsch pointed out that attacks on vendor's core infrastructure, such as the attack Twitter suffered in February , bypassed and thus negated all the user-based factors of authentication.