
Apple Adds Two-Step Verification to iCloud and Apple ID

79 points | derpenxyne | 13 years ago | appleid.apple.com

47 comments

masnick | 13 years ago
Apple has done a great job walking users through this process.

Setting up "trusted devices" (iPhone, iPad, etc.) works really well: Apple already knows which devices you own, so all you have to do is select the device and you get an instant push notification to unlock to see the verification code.

Apple gives you a backup recovery code with very clear instructions to print/write it somewhere safe. They require you to re-enter it as part of the setup process to make sure you got it right.

When you need a code, you pick the device you want it sent to and Apple pushes it out instantly via some feature baked into iOS. You can also set up any phone to have a code delivered via SMS, but presumably this is less secure because it could be read even if your phone is locked.

Overall this is a great experience for the user -- much more friendly than Google Authenticator.

In fact I wish this process was open a la Google Authenticator so that other applications could use it (this will happen when hell freezes over).

natem345 | 13 years ago
Why do you find this more friendly than Google Authenticator? Just because it pushes rather than requiring the user to open an app? Can you still manually get a code, in case you lack network (& don't want to break out the backup code)?

What if you're actually logging in with the iDevice, does it just automatically allow it without asking?

cbsmith | 13 years ago
I actually found Google Authenticator just as good on the user experience side, with the added benefit of being far more effective.

mootothemax | 13 years ago
Argh! Incredibly annoying edge case! I'm in Poland, but have all my language settings set to English, and the only country codes for receiving SMSs are those of English-speaking countries!

Can't see any easy way to change my language on the page. How annoying!

pooriaazimi | 13 years ago
It's annoying, but isn't an edge case. Lots of people use US stores (because it has more content) and gift cards.

And, as it's stated in the FAQ [1], the SMS option is only available in those countries at the moment, regardless of where you're located. When it becomes available in Poland, they'll text you and you can activate it. But until then, you can safely use 2FA without an SMS backup (as I did).

[1]: http://support.apple.com/kb/HT5570

madeofpalk | 13 years ago
Yeah, they haven't done a good job of localising this. In Australia it asks for an 'area code' as well as my phone number for my mobile phone. How can a MOBILE phone have an area code? (In Australia, area codes are per state.)

Now, I know that technically the area code for ALL mobile phone numbers is 04, so I split that up. Nope, SMS never arrives. Next I removed the leading zero from the area code so it would be formatted as +61 4 xxxx xxxx.

Those who are familiar with Telcos and the way phone numbers work internationally would eventually stumble onto the right solution. Still pretty shocking though.

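The formatting trap in the comment above, written out as an added example (this is not Apple's code). The rule the commenter arrived at by trial and error is that the leading "0" on an Australian mobile number is a trunk prefix, used only for domestic dialling, and must be dropped once the number is written with the +61 country code. The same holds for the UK (+44); North American numbers (+1) have no trunk prefix. The prefix table below is an assumption limited to those three countries, and the numbers are constructed; a production system should use a maintained library such as libphonenumber rather than a hand-written table.

```python
"""Turning a nationally formatted mobile number into E.164 for SMS delivery.

Added example, not Apple's code. Only the three country codes in
TRUNK_PREFIX are handled; anything else is refused rather than sent to a
malformed address, which is the safer failure for a 2FA enrolment flow.
"""
import re

# country calling code -> national trunk prefix to strip
# (assumption: AU and UK use "0", the NANP has none)
TRUNK_PREFIX = {"61": "0", "44": "0", "1": ""}

E164_MAX_DIGITS = 15  # country code plus national number


def to_e164(country_code: str, area_code: str, subscriber: str) -> str:
    """Build "+<cc><national significant number>" from separate form fields.

    Accepts the number with spaces, dashes or brackets and with or without
    the trunk prefix, so "04 / 12 345 678" and "4 / 12 345 678" both give
    the same result.
    """
    if country_code not in TRUNK_PREFIX:
        raise ValueError(f"unsupported country code +{country_code}")
    digits = re.sub(r"\D", "", area_code + subscriber)
    trunk = TRUNK_PREFIX[country_code]
    if trunk and digits.startswith(trunk):
        digits = digits[len(trunk):]  # "0412..." -> "412..."
    if not digits or len(digits) + len(country_code) > E164_MAX_DIGITS:
        raise ValueError("number does not fit E.164")
    return f"+{country_code}{digits}"


if __name__ == "__main__":
    # Constructed sample inputs: the commenter's first attempt and the one that worked.
    print(to_e164("61", "04", "12 345 678"))   # +61412345678
    print(to_e164("61", "4", "12 345 678"))    # +61412345678
    print(to_e164("44", "07700", "900123"))    # +447700900123
    print(to_e164("1", "212", "555-0100"))     # +12125550100
```

Whichever way the user fills in the "area code" box, the server should normalise once to this form and store that, so that the number it sends codes to is the number the user actually verified.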
pxlt | 13 years ago
Really happy to finally have this option, but disappointing that there isn't (yet) a way to generate codes from your trusted device as with Google Authenticator. Hopefully it's on the way.

dominik | 13 years ago
In case anyone else changed their password to something absurdly long only to run into the same trouble I did:

Apple passwords have a max length of 32 characters.

Unfortunately, the change password page doesn't enforce this limit and will blissfully let you think you've changed your password to something that has 50 characters, but actually only stores 32.

Later, when you use a Password Manager that saved the full 50 characters, suddenly your password doesn't work.

Some Apple pages' login password fields cut off automatically at 32, which lets the pasted password work (as you can't paste more than 32), but this is not the case within iTunes itself or on the iPhone.

Solution: Apple needs to limit the new password entry fields on the My Apple ID -> Password and Security page to 32 characters. Or, alternatively, accept and store longer passwords. (as 32 characters is a bit tight if you're using a passphrase)

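The failure mode described in the comment above, as an added example (this is not Apple's code). TruncatingStore models the behaviour the commenter ran into: the server keeps only the first MAX_LEN characters when a password is set, and whether a later login succeeds then depends on whether that particular client happens to cut the field at the same length. StrictStore rejects over-long input at set time and verifies exactly what was typed, so every client behaves the same. The 32-character cap is the figure quoted in the comment; the user name and passwords are constructed sample data.

```python
"""Silent password truncation versus a consistently enforced limit.

Added example, not Apple's code. PBKDF2 is used only because it is in the
standard library; it has no meaningful input-length limit, so a cap this
low is a policy choice rather than a property of the hash.
"""
import hashlib
import hmac
import os

MAX_LEN = 32  # limit quoted in the comment above


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Vulnerable pattern: truncates on set, then trusts the client on verify."""

    def __init__(self) -> None:
        self._db = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        # No length check: the caller believes all of `password` was stored.
        self._db[user] = (salt, _derive(password[:MAX_LEN], salt))

    def verify(self, user: str, password: str, client_truncates: bool) -> bool:
        salt, digest = self._db[user]
        # A web form with maxlength=32 happens to match; a native client
        # that sends the full string does not.
        candidate = password[:MAX_LEN] if client_truncates else password
        return hmac.compare_digest(_derive(candidate, salt), digest)


class StrictStore:
    """Hardened pattern: refuse over-long passwords up front, never truncate."""

    def __init__(self) -> None:
        self._db = {}

    def set_password(self, user: str, password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError(f"password longer than {MAX_LEN} characters")
        salt = os.urandom(16)
        self._db[user] = (salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._db[user]
        return hmac.compare_digest(_derive(password, salt), digest)


def demo():
    """Returns (web login ok, native login ok, strict store rejected)."""
    long_pw = "correct horse battery staple " * 2  # 58 characters, constructed

    t = TruncatingStore()
    t.set_password("alice", long_pw)
    web_ok = t.verify("alice", long_pw, client_truncates=True)
    native_ok = t.verify("alice", long_pw, client_truncates=False)

    s = StrictStore()
    try:
        s.set_password("alice", long_pw)
        rejected = False
    except ValueError:
        rejected = True
    return web_ok, native_ok, rejected


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same check belongs on the server for every path that accepts a password, not just in a maxlength attribute on one form. The caveat a practitioner should keep in mind is that some hashes impose a cap of their own: bcrypt silently ignores input past 72 bytes, so a system built on it has exactly this problem unless it rejects or pre-hashes longer input.
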
deanclatworthy | 13 years ago
What on earth is Apple doing here. The steps I went through so far:

1) I had to switch my password to something more "secure". That means adding a capital letter and a number. I am sick and tired of companies forcing me to use non-memorable passwords that have less entropy than if I had come up with something memorable, personal and long by myself.

2) "You must wait 3 days to enable two-step verification. This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification. A notification email will be sent to all addresses we have on file. Thank you for your patience."

Regardless of the reasoning for having this in place, all it does is make for a more difficult user experience. Currently when I signed into my Apple ID today, Apple didn't have this process in place and assumed that it was me signing in. So by asking me to change my password when I want to enable this feature it should probably be assumed that I am the account holder. If I was in fact an attacker, changing the password on my account, what if I was on holiday for a week? What if that email hit my spam folder? What if I just didn't notice the email because I am one of the many millions of people who fight inbox zero daily?

EDIT: Furthermore, this has now broken my iMessage and Facetime, with Apple not sending a new activation to my device so I can use these services.

thomaslutz | 13 years ago
"Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand. Additional countries will be added over time." Not in Germany yet.

rdl | 13 years ago
It's kind of sad that it's taken Apple so long to do this, and they've done such a mediocre job of it. Offline verification vs. SMS, taking advantage of the secure element in 3GS+ phones, etc., and supporting credential management for third party sites, all would have made Apple superior to desktops or Android for enterprise use, or high-end consumers. But they did none of that.
selectout | 13 years ago
Great to see this as finally an option, interesting that there is a 3 day wait to activate it though...just to be certain it is my identity that wants to add it.
tylerhall | 13 years ago
The three day wait is only for users that recently modified their account.

From http://support.apple.com/kb/HT5570

"As a basic security measure, Apple does not allow two-step verification setup to proceed if any significant changes have recently been made to your account information. Significant changes can include a password reset or new security questions. This waiting period helps Apple ensure that you are the only person accessing or modifying your account. While you are in this waiting period, you can continue using your account as usual with all Apple services and stores."

k-mcgrady | 13 years ago
Apparently the 3 day wait is only if you changed any of your information recently.

clauretano | 13 years ago
I encountered the same. After struggling with the security questions I set new ones. Then, when I enabled two-step auth, they tell you you'll never need the security questions again. drat

PanMan | 13 years ago
To what extent is it two factor when one of the factors is the device you are working on? One of the biggest risks I see with iCloud is someone finding/stealing my phone, and using it to erase other devices. A code sent to my phone won't prevent that. For online services, a code to your phone makes lots of sense (something you have part). For phone services, I'm less sure.

smackfu | 13 years ago
To use the code sent to the phone, you need to know the password or the recovery key as well. That's the two factor part.

Contrast to someone getting your phone today... they can easily determine your iCloud account name in Settings, and then send a password reset for it that is delivered to the unprotected Mail app.

So for most people, it's certainly more secure.

masnick | 13 years ago
I think it will unless they can break your passcode.

squeed | 13 years ago
Hooray! I can only hope that by doing this, Apple will bring 2-factor authentication to the public forefront.

sandstrom | 13 years ago
There is nothing on two-factor in my UI. Perhaps it's limited to some geographies? (I'm not in the US)

crazygringo | 13 years ago
There's nothing either for me. And I'm in the US, in the heart of Manhattan, using my Time Warner cable.

Nothing on the linked page, nothing in my account settings... so I have no idea how this works.

EDIT: never mind, it's completely hidden behind "Password and Security" in your account, and then you have to answer your security questions to even SEE what things you can do. ARGH. It took me several tries -- security questions should NEVER be character-matched. How am I supposed to remember if I typed in "Mike" or "Michael" or "Crazy Mike" for my childhood best friend, or "Honda" or "Accord" or "Honda Accord" for my first car? (Those are obviously not my actual answers). Security questions should ONLY ever be "matched" by a human operator over the phone. And God forbid you should ever mistype your initial answers! There's ZERO warning that these will ever be used in a "password"-style sense. </rant>

TomatoTomato | 13 years ago
I just attempted to add two-step, and Apple told me I needed a stronger password before continuing. How do they know my password strength if it is salted+hashed properly?
dbpatterson | 13 years ago
They could store a strength measurement alongside the salt and hash.

chrisbolt | 13 years ago
Didn't you have to log in to add two-step?
smackfu | 13 years ago
One odd thing is that it won't let me enable two-factor without setting a stronger password.

anizan | 13 years ago
I wonder if it's got more to do with credit card fraud on iTunes than any specific sensitive data concern. Do people use iCloud a lot? Or maybe they are thinking of providing some cloud service this year which needs the added security.