Security How-To: Enable two-factor authentication on iOS 9 and OS X El Capitan

Three years ago to the day, Apple added in two-step verification to help improve user security. The verification method relied on the user having another device readily available to help authenticate a sign-in. As of today, Apple has taken that security further by now offering two-factor authentication to all users running iOS 9 and OS X El Capitan.

Both methods strive to increase a user’s foothold in security practices, but both go about doing so in very different ways. Luckily, Apple has chosen to make sure that the end user experience is phenomenal no matter what method they choose.

Getting started with, or switching to, the new two-factor authentication is not without its questions. Let’s dive in and resolve them.

Why switch to two-factor authentication?

Two-factor authentication, also known as 2FA, is a method of authentication relying on two different components. In the Apple ID example we’ll be reviewing, that would be the Apple ID’s password, and a secondary device that has already been authenticated.

This secondary device would receive a one-time-use code whenever a new authentication is requested.

On the surface, this seems very similar to Apple’s two-step verification that is already in place. Except, this new 2FA implementation requires that each new device attempting to authenticate with an Apple ID must be approved from another device. In Apple’s previous two-step verification, a user could simply type in the Apple ID password and be authenticated. The only area two-step verification seemed to consistently come into play for me was when signing onto the Apple ID website.

Switching to Apple’s new two-factor authentication method ensures that if an Apple ID’s credentials were ever stolen, they wouldn’t be automatically authenticated onto a new (or previously wiped) device. The new two-factor authentication presents the verification code on devices in a different manner. During the two-step verification process, a user would simply get an alert dialog indicating someone requested the verification code. With two-factor authentication, the alert dialog presents a small map of the authentication request’s approximate location for approval before showing the verification code.

Before Getting Started

Apple explains that while all iCloud users can enable two-factor authentication today, at least one of their devices needs to be running iOS 9 or OS X El Capitan.

Apple’s recommended system requirements are listed below:

  • iPhone, iPad, or iPod touch with iOS 9
  • Mac with OS X El Capitan and iTunes 12.3
  • Apple Watch with watchOS 2
  • Apple TV (4th generation) with tvOS
  • Windows PC with iCloud for Windows 5 and iTunes 12.3.3

Note: If at least one of your devices meets the recommended requirements, you may still be able to use other devices running older software in conjunction with two-factor authentication. More information can be found under “What if I use two-factor authentication on a device running older software?”

Enabling Two-Factor Authentication

To enable two-factor authentication on your Apple ID account, we will have to turn off two-step verification if it is currently enabled. First head to the Apple ID website, and sign in. Once on the site, we will need to select ‘Edit’ in the ‘Security’ section so that we may disable two-step verification.

Select ‘Turn Off Two-Step Verification’ under the ‘Two-Step Verification’ section. In the process of disabling it, the site will then walk you through creating three security questions for your account. While this may be annoying, it’s a necessary step in helping secure the account in case a password is forgotten.

Tip: Use a third-party password manager like 1Password on iOS or the Mac to generate three random pass-phrases as the answers to your security questions. This ensures that someone won’t be able to easily guess your password. Also, if you ever end up having to call Apple Support, you will be able to dictate your security answers easily.

Once two-step verification has been turned off, we’ll move to iOS to enable two-factor authentication. Let’s head to Settings > iCloud and then select your Apple ID at the top. iOS should ask you to enter your iCloud password before proceeding.

Once in, select ‘Password & Security’ and then ‘Set Up Two-Factor Authentication…’ at the bottom of the view. iOS will now walk you through creating this extra layer of security. If any of your devices have not yet been updated to the latest recommended requirements, you may get a prompt like I did indicating such.

That’s it! You’ve now successfully enabled two-factor authentication on your iOS and Mac devices. Now, whenever a new device attempts to authenticate with your Apple ID, your trusted devices will be alerted with an alert dialog indicating the location the request is coming from and the verification code necessary to authenticate.

Further reading on Apple’s usage of two-factor authentication is available in the links below:


Comments

  1. hopefulhumanist - 8 years ago

    Thanks for posting this! I’ve been trying to make the switch for months, when they said it would roll out to users who had the latest OS updates…

    • Greg Barbosa - 8 years ago

      Glad you like it!

      • Smigit - 8 years ago

        Yeah ditto, thanks for the guide. Been waiting for ages…wasn’t aware it could be fast tracked by disabling Two Step Authentication.

      • Greg Barbosa - 8 years ago

        I spent about an hour playing with two-step and two-factor (boy was that annoying), just to double check that everything WAS different. But at the end of the day I’m glad you enjoyed it.

  2. I don’t really understand what is new – I already have 2 factor turned on, and it indicates so in iOS. It’s been on for at least a year or more.

    • Smigit - 8 years ago

      Are you sure it’s Two Factor and not Two Step? From what I can see, Two Factor authentication was first announced around July 2015 (http://9to5mac.com/2015/07/08/apple-revamped-two-factor-login/) and began a staged rollout with the release of iOS 9.

      • Greg Barbosa - 8 years ago

        Smigit is correct. Two-step verification has been available for a few years now, but 2FA had a slow roll-out until Apple opened it for all just recently.

  3. William - 8 years ago

    Note the security question answers can’t be more than 32 characters long (and it doesn’t tell you this until after you’ve entered DOB and backup email address.) Also my Mac Mini, since I (finally) installed El Capitan this morning, seems to think I’m several hundred miles from where I am, despite iPhone with GPS being on same wireless network.

  4. Cool, thanks for sharing. I already had it enabled, but like the new version with the map better.

  5. raist3001 - 8 years ago

    I don’t see set up two factor authentication under password and security. I am running 9.3 on my 6+

  6. Alan Aurmont - 8 years ago

    Question:

    How come when I try to sign in to my Apple ID on my iPad, I get sign-in notification only on my iPhone, but not on my Mac?

    • Greg Barbosa - 8 years ago

      I noticed this behavior too once. I configured 2FA, and then signed out and back into my iPad. But the iPad only started receiving the sign-in notification after a few hours. I hope the Mac will as well.

      • Alan Aurmont - 8 years ago

        Thanks, Greg. To start receiving notifications on Mac (if you don’t already), simply go to System Preferences on Mac, then access iCloud, then Account Details, re-enter iCloud password if requested. That’s it. Simply quit System Preferences, and you should start receiving notifications now.

    • crichton007 - 8 years ago

      It sounds like you need to define your Mac as a trusted device. I had the same issue when I got my new iPhone until I went to the Apple ID website and defined my iPhone as a trusted device.

  7. The only thing I also needed to do was turn iCloud off and then on because my notes and messages stopped syncing with my Mac.

    • When you signed out of iCloud on your iPhone did it warn you that “all photos in iCloud Library will be removed from this phone”? I’m having the same problem where as though my iMessages don’t sync with my Mac anymore.

      • Greg Barbosa - 8 years ago

        I did get that message, yes. As far as iMessage not syncing with the Mac, I made sure to sign out of everywhere at the same time, and then resign into everything after.

        After about a day or two everything was syncing like normal again.

  8. Note, you have to go through the last step where you sign in/go to the iCloud setting on every device you want two-factor authentication enabled. On an Apple Watch the only way to sign out is by signing completely out of iCloud on the connected iPhone and only then you can sign in again via the Watch App on your iPhone.

    https://support.apple.com/en-us/HT205520

    • Jason Robinson - 8 years ago

      Markus, can you personally confirm that it’s possible to use the Watch as a trusted device for two-factor authentication? I haven’t seen this explicitly stated online anywhere else, and I don’t want to go through the hassle of disconnecting/reconnecting my phone from iCloud if not… (Thanks!)

      • Conor (@conorgriffin) - 7 years ago

        Anyone know if this is the case? Can the watch be a trusted device?

  9. Morac - 8 years ago

    “In Apple’s previous two-step verification, a user could simply type in the Apple ID password and be authenticated.”

    No, that’s wrong. With two-step verification, logging in on an unrecognized device (iOS, Mac, PC, web site, etc), would result in it asking for a 4 digit code which could either be sent to a “known” iOS device or to a registered SMS number. Basically there was little difference between 2-step and 2-factor other than the latter is built into iOS 9, uses a 6 digit code and gives the location of the request, while the former uses the “Find My Phone” interface, uses a 4 digit code and doesn’t give the location.

    2-step is just as effective at protecting devices as 2-factor (maybe more so since there is no way to recover the account without the recovery code). When I restored one of my iOS devices, I was forced to authenticate it with the 4 digit 2-step code before I could log in. The same thing happened when I tried to log into iCloud for Windows and iTunes on a new Windows PC.

    Unfortunately some people are stuck with 2-step because 2-factor only works with the Apple ID logged into iCloud. People who log into secondary iCloud accounts or use a different Apple ID for iTunes and iCloud, can’t enable 2-factor authentication for those Apple IDs.

    • Greg Barbosa - 8 years ago

      Morac, I answered that very point in the sentence following the one you quoted. “The only area two-step verification seemed to consistently come into play for me was when signing onto the Apple ID website.”

      Two-step verification’s decision of what was unrecognized and what was recognized is different than 2FA. When having two-step enabled on my devices, I could remove and re-add the iCloud accounts and never be asked to go through the verification process again. 2FA now kicks in regardless if that device had been previously used or not. That’s one of the reasons why I clarified it coming “into play for me”.

      I explained the difference between two-step and two-factor’s UI in my review wise as well. “…your trusted devices will be alerted with an alert dialog indicating the location the request is coming from and the verification code necessary to authenticate.”

  10. saklad5 - 8 years ago

    I don’t really want to use two-factor authentication, since it would prevent me from using iCloud.com if my phone ran out of power. It would be great if the requirement could be waived when devices vanish off Find My iPhone.

  11. Komrad - 8 years ago

    I hate this feature. I’m trying to multi-task and get stopped every few minutes by an app that needs me to stop what I am doing to generate an app-specific password for it. No. Just plain no.

    • Greg Barbosa - 8 years ago

      I have not seen this issue anywhere at all. Not sure why you are.

  12. Awesome. Thanks. Never would have been able to figure this out with Apple’s cryptic messages on the system settings (just said to enable 2 factor – no hint to go to iOS).

  13. John Gary Morris - 7 years ago

    Great information, I was beginning to get frustrated.