3/27/13
5:00 am

MacMost Now 844: Apple ID Two-Step Verification

Apple IDs can now be made more secure by using the two-step verification process. This involves changing your Apple ID account and adding secure devices, like your phone, to the process. In order to make changes to your account, like a new password, you would then need to verify your identity by using your device in conjunction with your password. This makes it much harder for someone to gain access to your account.

Video Transcript
Hi this is Gary with MacMost Now. On today's episode let's take a look at the new two-step verification process for your Apple ID.

Two-step verification is a new security measure for your Apple ID. Now Apple IDs are very important because you use them to log onto a lot of things. For instance, you can use them to log onto iTunes, you can use them to log onto the App Store, the Mac App Store, also if you are a developer your developer account, and there are all sorts of different services that Apple offers including iCloud that uses your Apple ID. So keeping it secure is very important. That means not letting anyone else guess your password or log-in or somehow be able to change your user account in any way. Two-Step verification aims to make it very secure.

A lot of other companies are already using a similar process. For instance Google implemented this with their whole ecosystem, Gmail and every other thing as part of your Google account a while ago. So it is about time that Apple got on board and offered two-step verification for those that really want to secure their account.

Previously if you wanted to change your password with your Apple ID you would log-in to your Apple ID account at Apple's site and then go to Passwords and Security and you could simply click and change your password. So all you needed to do to change your password was actually your old password. So somebody who got ahold of your old password could change your account so that you couldn't have access to it anymore. Even if they didn't have your old password they could use the security questions here and try to get access to it by calling Apple and it is easy sometimes to reverse engineer these answers to figure out what they might be. As a matter of fact a lot of people have gotten their accounts broken into, celebrities for one thing, by simply figuring out what the answers to their security questions would be.

Two-step verification aims to make this more secure by getting rid of the idea of security questions and the idea that you could simply use your old password to change to a new password.

So to start the two-step verification process what you would need to do is to click the Get Started button there at the top and then you start the process. All the way through the process Apple walks you through and explains what two-step verification is and how it is used.

Here are the three basics. There are no security questions like I said before. The whole purpose is to make it harder for anybody else to get access to your account to change your password. If you do forget your password you can still reset it and I'll show you how. So this screen really sums it up.

It tells you that there are three pieces of information that you can use to get access to your account. You only need two of them. So one is your password. The other is a trusted device like say for instance your iPhone or it could be any phone with SMS capability. The third is this recovery key that you are going to get. So it is kind of a long password that it is going to randomly give to you and you can store somewhere. If you have two out of the three you can get access to your account.

If you do forget your password, as long as you have the other two you can get in and reset your password.

The third part that you may have seen there is that Apple can't help you in resetting your password after you start with two-step verification. Now this makes things incredibly more secure because it means there are less points of failure. Somebody can't call Apple and say the right things and get access to your account. They can't do it at all. As a matter of fact it is probably true that Apple doesn't even have the ability to do this. Your password is encrypted and everything is stored on the server in such a way that humans can't actually get to it. It has to be you with either that recovery key and password and then those trusted devices to be able to get to your account. So now not only will Apple not help you in recovering a lost password but they probably can't. That's what makes it secure.

The big part in setting this up is enabling one or more of your trusted devices. So this would be, for instance, your iPhone. Now the idea here is for somebody to get access to your account they need either the password or that super password, that recovery key, and one of these trusted devices.

So say you have your iPhone with you. You want to log into your account. You go to log-in. You type in your password and what is going to happen is it is going to send a code, just a four digit code, to your phone. Then you see that code appear on your screen and then you type it to log-in to your account. So this way the only way to get access to your account is to: #1 know the password and #2 actually have one of those trusted devices with you to be able to see that code and enter it in on your computer.

Here you can see the verification process. So what is going to happen is that you are going to choose one of the devices that you have set up in your iCloud account here and then you are going to get a code, a verification code, delivered to it. Then you enter it in here and that will make it verified. You can see here I verified two devices. So I verified my iPad and my iPhone. If you don't have one of those devices just anything with a SMS access will do. So for instance another brand of phone will do just fine.

Another thing you are going to get is your Recovery Key. Now this is kind of like your backup password. Remember you need two out of three things to be able to change your account. You need your password, you need the code that is going to appear on your device or you need this Recovery Key. So if you do say lose the device and you need to get access to your account or you forget your password you can then still get access to the account by using the other two. So this Recovery Key is important. You will want to print it out and put it somewhere safe. You can also, of course, store it on your computer in some sort of safe thing. I have an encrypted password keeper program and I can put it in there and it is just as safe there as it is printed out and put somewhere hidden in the house. So you just want to make sure that you have this as your backup. It is very important and it is part of any two-step verification process that you have this kind of backup Recovery Key.

So now that you have set up two-step verification you go back to this original password and security screen. You can see that the security questions are gone. You have your trusted devices listed and you can manage them and add or remove them. You can replace your lost recovery key. So you can basically generate a new one because you have access to the other two. Anytime you have access to two out of the three you can make changes to these. You can go in and just do your normal change of password there. Password and the code that will come through on your security device, your iPhone or whatever.

You don't have to switch to this new process. At least not right now. You can stick to the old one. If you do please make sure that your password is a strong one and make sure that your security questions are something people can't guess. I used to have the answers to my security questions to be a group of random words. Like what was your first car? It was just a bunch of random words that I picked out by opening a book and pointing to words randomly. So nobody could actually guess it and it would seem really weird if I actually ever had to answer the questions but it would have been very secure.

But switching to two-step verification makes it ultimately secure and of course someone like me who actually uses their Apple ID account for lots of different things since I'm an Apple developer and I use the account for all sorts of other things as well, I of course switched to it immediately. For typical users it may not be quite as important as long as you have a strong password and your security questions can't be guessed.

So what is the downside? Well the downside is remember Apple can't help you now recover a lost password. You've got to have two out of the three things. You've got to have your device, your password, and your Recovery Key. You've got to have two out of those three in order to go make changes. So if you think it might be difficult to actually make sure you keep all three available then perhaps this level of security isn't for you.

You should note a few things. First is that if you go to set up this process and you recently made a change, like you've changed some piece of information on your account like a new password, then it is not going to allow you to set it up right away. It is going to give you a three day waiting period. Basically, this means that if somebody else tried to get into your account and set it up with two-step verification which means you will never get access to it again, then you will have some time to back out of it. In other words you will get an email saying, hey somebody is trying to do this and if it is not you, you can then stop the process. So that is why there is a three day delay for some people. There wasn't for me since I haven't made a change in the last few weeks so I was good to go.

Another thing to note is that not all countries have this available. Right now it is available in the USA and a few other places but I am sure that soon enough it will be rolled out to everywhere that has Apple IDs.

Now Apple has a Frequently Asked Questions page that you can visit here at this URL and I have no doubt that over time they might add more questions to this as people ask more questions. But you can get a lot of answers to very specific questions here at this page. So check that out too.

So it is important to realize that this doesn't really change very much as far as your day-to-day use of your Apple ID. For instance to just log into your iTunes account or buy apps in the App Store, it looks like you just use your password as normal. Apple does say that you will need two-step verification to make purchases so I am assuming some purchases, at least in the future, may require the two-step process. But for now it looks like it is basically there just to prevent somebody from getting access and making changes to your account. Which is the most important thing.

I hope you found this look at two-step verification useful. Ask any questions here in the Comments at this post at macmost.com and we can discuss two-step verification and whether or not it is a good idea for you.

Until next time this is Gary at MacMost Now.

Comments: 15 Responses to “MacMost Now 844: Apple ID Two-Step Verification”

    Randy Nacol
    3/27/13 @ 5:09 am

    This tip is one I just used, it was painless. Thanks for all your tips and tricks since being a fairly new Apple Fan you’ve helped a great deal with my knowledge of this sweet Machine.

    Jim
    3/28/13 @ 9:30 am

    Finally it makes sense.

    Annie
    3/28/13 @ 9:57 am

    Will a T-Mobile prepaid phone work as the “device”? It can receive text messages but no access to the WEB.

      3/28/13 @ 11:02 am

      As long as it can receive SMS messages. You just need to be able to receive the four digit code via SMS.

    Mike
    3/28/13 @ 10:41 am

    If only we could merge more than one Apple ID during this process. Wishful thinking!

    Ron
    3/28/13 @ 6:11 pm

    Thank you … nothing I’d seen so far explained why two step verification was helpful. As usual you’ve made it very clear and easy.

    Nastradini
    3/30/13 @ 8:40 am

    Thanks for your great tips! I would like to ask: can I do this if I have only a Mac and not an iOS device?

      3/30/13 @ 2:50 pm

      You need some device to get your security code sent to. You could use an iPhone, iPad, or any device that gets SMS messages. Otherwise, you have no way of getting these codes and no way of using two-step.

    Douglas Mattingly
    3/30/13 @ 11:09 am

    Since I have 1Password, will the two-step password make any difference in my Apple ID security? Will the two-step process complicate the 1Password process?

      3/30/13 @ 2:48 pm

      1Password simply replaces typing the password manually. It doesn’t affect two-step verification, really. You could use it to store your backup key, though. That would be nice.

    Peter
    4/3/13 @ 6:47 pm

    If people used really good strong passwords and changed them often, none of this would be necessary.

    Mike w
    4/8/13 @ 7:51 am

    Gary, I have no device which uses SMS with my Apple ID. I have Internet access only. I use iPads and iPods, as well as MacBooks for the Apple ID. Does this mean I can’t use the two-step process?

      4/8/13 @ 7:56 am

      If you have an iPad and/or iPod touch, then you can register that device for use in two-step. It doesn’t need to be SMS — SMS is just an option for people that don’t have an iOS device.

    Janice McLeod
    5/2/13 @ 10:33 am

    Would this pose problems in the future if someone replaced their SMS device, and didn’t have the foresight to make that change in their Apple account before switching their SMS device? In such a case, it would seem that if the password was forgotten or their recovery key was lost, they have suddenly lost 2 of the 3 critical pieces of info and would be faced with a permanently lost account!

      5/2/13 @ 10:59 am

      Yes, that’s right. So it is important to remember that if you lose one out of the three pieces, that you replace that piece immediately. So if you lose access to your SMS number, then you set up a new one before you lose one of the other two.
