How to enable two-step verification for your Apple ID

How to enable two-step verification for your Apple ID

Most people use their Apple ID account not only for iCloud data, but to purchase content from iTunes and the App Store. That means that anyone who gets ahold of your account or manages to change your password could have access to your personal information and credit card information. If you want to increase the security of your Apple ID, you can use two-step verification to add a second layer of protection. That, it requires something you know (your password) and something you have (the security token sent to you) to access your account information and make changes.

What does two-step verification protect?

Currently two-step verification is required for the following activities:

  • Sign in to My Apple ID to manage your account
  • Make an iTunes, App Store, or iBooks Store purchase from a new device
  • Get Apple ID related support from Apple

Apple has tested two-step verification on other parts of the iCloud service, and hopefully they'll roll it out across all services quickly and completely in the near future.

What if I have multiple Apple ID's?

If you have multiple Apple IDs, for example, if you have a separate iCloud login from your iTunes login, you can still set up two-step verification for both. You can do this by verifying an SMS-only device on the second ID. As always, you can use your recovery key if it is every unavailable or simply fails.

How to secure your iCloud account with two-step verification

In order to enable two-step verification, you must have a current password that meets Apple's minimum standards of 8 characters complete with at least 1 number and 1 capital letter. If you have to change your current password in order to meet this standard, you'll have a short waiting period before you can enable two-step verification.

  1. Go to appleid.apple.com from the browser on your Mac or PC.
  2. Sign in to the Apple ID you'd like to enable two-step verification for.
  3. Click on Password & Security in the left hand navigation.
  4. Answer the secret questions you've previously set up and click on Continue — if you don't remember them, you can reset them if you have a backup email on file.
  5. Click on Get Started... under the Two-Step Verification section.
  6. As long as you have a device linked to your iCloud account on hand, click Continue on the next screen.
  7. Read the next two screens about two-step verification.
  8. Once you understand what they're describing, click Get Started on the second screen.
  9. Add your current phone number to start the verification process.
  10. Check your phone for a text message and then enter the 4-digit verification code.
  11. After your phone number is verified, a list of connected devices you can verify should appear.
  12. Click on Verify next to the devices you'd like to trust in case you need to use them for two-step verification in the future.
  13. Once you're done verifying all your devices, click Continue.
  14. The next page gives you your Recovery Key which you'll need to either print out or write down. Do that now.
  15. Once you've gotten the code written down or printed, click Continue and then verify it by typing it out on the next screen. You won't be able to continue until you confirm you know the code.
  16. Click Confirm in order to continue.
  17. Click the checkbox to confirm you understand what you'll need in order to complete two-step verification should you forget your password.
  18. Click Enable two-step Verification.
  19. You'll receive a confirmation that two-step verification has been enabled. Click Done.

That's it! Two-step verification will now replace security questions. Remember that in order to regain access to your iCloud account, you'll need any TWO of the following:

  • Your Apple ID password
  • A trusted device
  • Your recovery key

If you don't have two of the listed above, you'd need to create a new Apple ID.

Note: Originally published, March 2013. Updated, September 2014.

Allyson Kazmucha

Help and how to editor for iMore. I can take apart an iPhone in less than 6 minutes. I also like coffee and Harry Potter more than anyone really should.

More Posts

 

0
loading...
0
loading...
305
loading...
0
loading...

← Previously

Yes, there really are people sitting in line to get the unannounced iPhone 6

Next up →

Jony Ive reportedly thinks that, post-iWatch, Switzerland is @%$%!

Reader comments

How to enable two-step verification for your Apple ID

75 Comments

Full set-up allowed only if your current AppleID password meets requirements of at least 8 characters - one of which has to be a number, and another a capital letter... if you change your password meet that standard, you will have a waiting period before you can complete the set-up process.

No, it can't. However, as noted in the article you linked, it isn't used to protect some information (photos, most relevantly). This is one of those tough real world choices. Do you want to have to verify every photo that is uploaded to iCloud? Probably not. How about if you take a photo and it uploads a batch? Maybe. Have you ever pulled out your iPhone to show someone a picture really quickly? Imagine you had to provide a verification key to do that.

The fact is that for most of us, our photos are mundane and having them be stolen would be unimportant aside from the feeling of violation. Holiday pics, baby pics... as long as they're not deleted, mostly we wouldn't care. For most people it would be MUCH worse to have your credit card information stolen... and that IS protected by TFA.

Balancing security and ease of use isn't trivially easy and it varies from person to person. My photos? Meh, I don't care much if they're stolen. A celebrity who's sent racy pics to his or her lover? They have a much different perspective. But then... if they don't use a strong password what are the odds that they'd use TFA?

i dont suppose you read the 2nd paragraph of the (wired) link that was in the bbc article as well did you??? (it has to be used in combination with something else)

Im not even going to address the point that you raise about having to validate every single photo because you've missed it, in that I like so many other people were expecting photos and everything else to be accessed via 1 secure password on my devices, which i think is the idea behind icloud!!!

anyway apparently its been patched up

Did you read the BBC article?

""It doesn't require two-factor authentication when you just want to access the photo roll, or if you want to restore the back-up," he said."

iCloud IS protected by a secure password. You're signed into iCloud on any device that lets you access iCloud. It doesn't ask you each time you access it because that would be cumbersome - see the point you ignored. My photos upload as I take them because my iPhone is signed into iCloud. Apple assumes that the person using a device is the person who SHOULD be using it so they don't ask you to sign in each time you access iCloud or every X hours etc.

What you're not getting is that adding security comes at the price of convenience, i.e. it's a tradeoff.

It's amusing that you ignored my point about being asked about each photo upload and then said you expected it to ask when you're signed to sign into iCloud. Your device is always signed in (unless you sign out after the first signing). TFA would ask you to a) sign in and then b) confirm via SMS that you're really authorized. That's what TFA is at it's most stringent - a second credential you need to provide on each interaction. You can relax this (ask for the second credential every X days or Y signing) but that means you're ... making a trade off. Hmm....

OMG 1. you have just completely missed the point of what the bbc story was about in that everybody including me thought everything was protected... because apple didn't mention it in the original posting

"But Mr Hypponen said that by focusing on protecting payments and IDs, Apple might have misjudged what customers care about.

"For many users they would rather have their credit card numbers stolen than their private photos," he said.

'Chinks in armour'

Other security experts said Apple's advice about two-step verification was possibly misleading".

2. iCloud WAS COMPROMISED which wired explained through using this in combination with brute force which the bbc article linked to... Rene in the imore show just said the same damn thing

so when you said iCloud wasn't compromised... it was... what don't you get???????????

3. and to address your silly little point about uploading every single photo, nobody expects to do that, apple knows that, but we do expect anything and everything to be protected via a wait for it... a password

do me a favour read the article and try and understand that apple didn't mention it because it wasn't protected!!!!!!!!!!! and by not mentioning it, we all thought it was protected - we were all mislead!!!!!!!!!!!!

anyway the damn thing is fixed now, debate over

Tried to do this. Unfortunately7, once I print my recovery key, which contains dashes, my Apple keyboard won't let me type those dashes when I attempt to type that recovery key to verify I've got a copy .

Part of our long standing payback plot for giving us Justin Bieber where we try to annoy you guys so much that you move to England (Queen on your money) and we can just drive up and take over Tim Hortons you've left behind and eat up your bacon. So hurry up and "Take off eh." ;)

Thanks for the tutorial! I've seen a lots of articles on the new security upgrade, but no walkthroughs. This is terrific.

I always turn on two-step verification, but this implementation isn't so great for people that have separate accounts for iTunes and iCloud. Because you can only have Find My iPhone turned on for one account per iOS device, devices can't be trusted for both accounts. Still, I'm glad they added this additional level of security.

Yes, thanks for setting up and showing this this step by step process. I'm just not sure I can do it because I have 2 IDs. One for my iTunes account and one for iCloud.

Brilliant as you are always Ally. I have been meaning to do this for a long time and keep forgetting. Just did it on my iPhone and worked like a charm. Thank you once again. One of my favorite parts of the blog side is Ally's articles on How To.

Thank you for the comprehensive how-to guide. I use 2-step verification for a few other services and it gives a a little added peace of mind.

Worked like a champ. I made sure I have a printout and a screen grab of the code.

Over here it's asking me to confirm the credit card I deleted from iTunes two months ago. I no longer have the card (or remember the number).

Does anyone know if you can have multiple accounts use the same device to verify? Meaning, say I have two APPLE ID's, and one iPhone, can I have both id's message code to same iPhone?

I know you can't have same email address tied to apple id.....

I read an article on the Verge that notes there's a major exploit if you neglect to use this two-step authentication service. According to the article, you can reset your password with just your Apple ID and date of birth. Can iMore verify this?

Terrifying. Thank you so much for taking time to not only make this post, but to verify that the exploit does exist. I was not really bothered to do this until I read this one comment from you. :)

That would be useful because if someone find out your info from placesnlike bugmenot.com or places that that and you change the password then they wouldnt get your password agaon i also like the fact that its not over the phone because i remember the apple hack of 2009 when he tapped into all the phones

I have no cell phone connection at my house because the mountains block any and all cell towers. Am I screwed? Google 2-step authentication works with my Wi-Fi connected iPad. How come Apple doesn't seem to allow this device?

Just one concern before I do this. After setting up the 2-step verification, will I then ALWAYS be asked to use it (even from my trusted devices) for "every" thing I do with my Apple ID? IOW, every song I buy, every app I buy for my iPad, iPhone and Mac...and especially every time I login to the Apple Discussion Communities? I understand the need for security, but I find my self using my Apple ID four or five times daily...this will really slow down my workflow.

i 'think' this is only used when you would formerly need to answer security questions (i.e. forgot password). can anyone confirm?

The tutorial has one thing wrong. I have a password that is at least 8 characters, one capital, one number and is considered by Apple to be moderate strength yet I am required to choose a new password.

I hypothetical question? I have an IPhone 5 and go to the Apple Store to by an Iphone 6. Apple sets it up and switches the number over so the old phone no longer works. How do I restore from ICloud or purchase Apps on the new phone since it is not an "approved device" and the old phone no longer works.

While two-step authentication is surely a huge plus for added security, at what expense does it come? Is it really worth sacrificing the inconvenience? I guess only time will tell...

Does anyone know why is this 2 step verification only available in some countries? Is there any legal reason for this?

I really would like to have this feature available for added security.

Glad to hear that the cumbersome "security questions" are a thing of the past. But just in case, whenever any site asks for security questions and answers, always put in fake answers. (And make sure you store them along with the password, preferably in some kind of encrypted password app.)

Honeymoon location: Mogadishu, Somalia.
Birthdate: 9/9/99
Favorite teacher: Jenna Jameson

Very detailed how to. This is why iMore is my go to site for anything Apple. I have three kids so I don't have as much time as I used to when I was single...I need fast accurate news and how-to's...iMore you just became my default homepage...

Isn't setting up the 2nd step with a mobile phone/SMS pretty much giving your account to the gov't?
Well, maybe I'm a tinfoil hatter, but I don't consider this an improvement in "security"

Ok, let me break it down..
Is SMS secure?
Can you trust your mobile carrier?
Perhaps everyone here can say yes to these questions. Pardon me then.

I went to set up TFA on my iCloud account only to find I already had. But I've never been challenged with a code when I use iCloud.com. I thought I read recently SOMEWHERE that iCloud.com TFA was rolling out, but I can't find it. But seems pretty useless until this is implemented across all iCloud access.

Like I stated in another article, two step does not always work. I just bought an app two weeks ago, and it did not require two step. I bought an app a couple of days ago, and it required two step. Both were on the iPhone. Another question, what about in app purchase? May be Apple has fixed the issue, but there are still glitches.

Sent from the iMore App

I already have two-step-verification enabled. This morning I logged into itunes and downloaded an app. I only got a mail from Apple saying that an app was downloaded from a non-trusted device and if that wasn't done by me, I should change my password. I didn't get prompted for verification code when I was downloading the app using itunes. I got prompted only when I went to appleid.apple.com and entered id / password.

I changed the answers to the security questions to passwords, but you have to race through the procedure, or else you get timed out. Pause to think for a moment about what you want to put in and you're out! The people who design these procedures must be gamers ;-). Fortunately there is no three day waiting period after being timed out while resetting security questions.
The two-step verification procedure is another matter though. I'll have to wait three days again, just because I had this manual in one window and the procedure in another and was switching back and forth with each step, losing time.

Thanks so much for this, saved me probably another 20-30 minutes of googling things. I wish apple bough you already! Apparently Apple themselves are still having issues figuring out how to document themselves.