
Two-factor authentication in iOS 9 and OS X El Capitan: What you need to know

The idea behind two-factor authentication is exactly what the name implies: Your password alone is no longer enough to access your account; you need something else as well. In the case of iOS 9 and OS X El Capitan, that something else is a 6-digit verification code transmitted directly to a device you trust and have in your physical possession. So what happens if something goes wrong and you get locked out? What happens if someone tries to hack their way in?

What is two-factor authentication and how does it work?

There are several "factors" that can be used for authentication. A password is "something you know". A fingerprint is "something you are". And a verification code is "something you have". When a system requires only one thing, like a password, it's "one factor" (or "single factor"). When a system requires a second thing, like a password and verification code, it's "two factor" (or "multi factor"). The first is more convenient, the second more secure.

Right now, to access your Apple account (iTunes and/or iCloud) from a new device or web browser, or to do certain things like change your password, all you need to enter is your email address and current password. With two factor enabled, you'll need to enter your email address, your current password, and a 6-digit verification code.

The difference between the 6-digit verification code and something like your iPhone or iPad passcode—which also changes to 6 digits in iOS 9—is that it can't be remembered. A new sequence of numbers has to be generated and sent to you each and every time you need to enter them.

The verification code can be sent to any device that is already logged into your Apple account (and is therefore "trusted"), and also via SMS or automated voice call to the phone number you register when you set it up.

Unlike your password, however, the 6-digit verification code isn't something you can remember. It's something that will be different each and every time you need to use it, and so it's something that needs to be generated and sent to you anew each and every time you need to use it.
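To make "generated and sent to you anew each time" concrete, here is an added sketch of how a server could issue and check such a code. It is not from the original article and not Apple's implementation. The class name, the 5-minute lifetime, the 3-attempt limit and the rule of never delivering to the device that is asking to sign in are all assumptions of this example.

```python
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3      # wrong guesses allowed per code (assumed value)


class VerificationService:
    """Hypothetical server-side store for one-time 6-digit codes."""

    def __init__(self, trusted_devices, clock=time.time):
        self.trusted = trusted_devices   # account -> set of trusted device ids
        self.pending = {}                # account -> [code, expires_at, attempts_left]
        self.clock = clock

    def issue(self, account, requesting_device):
        """Create a fresh code and return {device: code} for delivery."""
        # Assumed rule: never deliver to the device that is asking to be let in.
        targets = self.trusted.get(account, set()) - {requesting_device}
        if not targets:
            return {}                    # no second factor reachable: recovery path
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, keeps leading zeros
        self.pending[account] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return {device: code for device in targets}

    def verify(self, account, submitted):
        """True only for the current, unexpired, unused code."""
        entry = self.pending.get(account)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[account]
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[account]    # single use: a replay fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self.pending[account]    # burn the code after too many guesses
        return False
```

With only a million possible codes, the expiry and the attempt limit are what keep guessing impractical; the code itself carries no secret beyond being unpredictable and short-lived.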

What happens if you can't get your verification code?

Most of the time you'll have an iPhone, iPad, Mac, or non-Apple phone you've signed into or registered with your account and you'll be able to get your verification code if and when you need it.

Also, since you only need it when you add a new device (you buy a new iPad, for example), log in from a new web browser (while on vacation and at an internet cafe, for example), wipe a device and need to set it back up from scratch, or want to change your password, you shouldn't need a verification code very often.

But if you do need it, and for some reason you can't access a trusted device or registered phone, Apple has a recovery procedure you can follow:

If you can't sign in, reset your password, or receive verification codes, you can regain access to your account by requesting account recovery. Simply provide a verified phone number where you can receive a text message or phone call regarding your account. Apple will review your case and send an automated message to the number you provided when your Apple ID is ready for recovery. This message will direct you to to complete the required steps and regain access to your account.

Account recovery will take a few days—or longer—depending on what account information you are able to provide. The process is designed to get you back into your account as quickly as possible while denying access to anyone who might be pretending to be you.

You can check the status of your account recovery request at any time by visiting and entering your Apple ID.

Can someone use the recovery process to socially-engineer their way into my account?

Whenever an account recovery process exists, some people—rightly—worry that it could be abused. For example, that a hacker could call up and con the person in charge of the process into giving them access by rattling off some names or numbers they found using search or social networks.

In this case, Apple specifically points out:

Apple Support can answer questions you may have about the account recovery process but cannot verify your identity or expedite the process in any way.

So, by eliminating humans from the communications chain, it looks like Apple has made it extremely difficult for a typical social engineering attack to work.

Where can I get more information on two-factor?

Apple has put up, and continues to update, a support document with all the basic information you need to know. We'll also be covering it in detail when iOS 9 and OS X El Capitan launch this fall. In the meantime, let me know if you have any questions!

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Bring it on. I use it now with my 2 GMail accounts and I Love it.
  • It sounds good to me, but I am going to have problems trying to explain this to my wife
  • You know I witnessed something.... I was at home, and I had to restore my iPhone for some reason, I have the same iPhone registered as my trusted device.. And no other device.. Currently at 8.3... What I saw was that, in signing in my Apple ID process, when setting up the phone, restoring from backup etc, I saw that it required me to have 2 step verification, which I assumed would be there.. I realized, it won't be possible for me to verify, since my number is in the phone which is getting restored. So I have 2 options in the process of 2-step.. 1 was send an SMS and 2nd was send a code to your phone. As a fact I knew that I can't read my messages till I've completed the setting up process. So I clicked the other option, hoping I would get a pop up... But... What I witnessed was, that, I never got a pop up, and the process automatically accepted my device without the code, and went on to the next process... Weird... I assumed, that since the pop up cannot come on the phone while it's being set up, the server automatically verified the device and accepted it.. Well a relief.. But I still have doubts about this... Anyone can hack into my phone this way... They know my password, and have my phone.. They start with the setting up process, and during 2-step, select the "send code to device" option, and the software will go to the next process without a code... Help me out here.. Is my theory of the process I witnessed correct? And if it is, can anyone who knows my password just get into my phone and restore from my backups? I haven't tried it again.. And I'm running 8.3..
  • I'm pretty sure I experienced the same thing. I recall being surprised that I never actually had to enter the verification number as well. Unfortunately I don't know any more about how the process works behind the scenes. I think it gets worse though. Even if you encrypt your own backups with a different password than your account password, I believe all they have to do is create their own backup of your phone on their own PC and restore from that! I could be wrong, but I don't think iTunes would prevent them from doing so.
  • I experienced this chain of events as well while setting up my new iPhone 6+. I didn't have my iPad or Mac with me and the old phone didn't have a SIM card (nor was it currently on WiFi). So I tapped "send to device" and hoped it would all work out. :) While it *did* I was curious as to the security implications. I *do* want to mention that I *think* I saw a ghost of a popup that looked like the verification code alert that disappeared quickly. So what I'm assuming was that the code was actually sent and immediately accepted since it realized it was the same device being authenticated. Although that makes sense, it does seem insecure.
  • No, even if someone is able to restore the device and have an SMS message sent to the device, at that point if they try changing anything or getting into anything it will still require two-factor authentication, whether it be signing in or even signing out of your iCloud or iTunes, or for that matter opening up your wallet or even going into your settings. Everything with two-factor authentication makes everything more secure.
  • I had already two-factor authentication enabled on Google, Facebook, Microsoft, Dropbox, Evernote, Twitter, etc. Nice of Apple to finally join all these companies in implementing this useful security measure. Better late than never, I guess.
  • Going to piss off a lot of teenagers and grandparents
  • I don't use 2 factor, and no lockscreen pin, and I wish I could get rid of just the swipe lockscreen entirely.
    I couldn't briefly explain why, but I don't need the stuff
  • If I am the only person in the world with my fingerprint, why do I need or want this?
  • 2FA is the right thing and something Apple should have done years ago. Lagging behind in security is not something they should be crowing about given the rash of hacks and data losses due to the lack of 2FA. Nice that it's coming around finally.
  • Any idea how this will work for shared accounts? My wife and I have both our iPhones on the same Apple account, will it send a code to multiple phones if necessary?
  • Leave it to Rene to NOT mention that Google has been doing this for years. If Apple came up with it, and then someone like Samsung did it... wow. We'd never hear the end of it! LOL
  • Rene, I used my primary Apple ID not realizing it was converted to the Apple ID beta site. Well, I currently cannot turn off two-factor authentication with iOS 9 or El Capitan. So now I am stuck with having to keep a device on iOS 9 and put the code in every time I log in with this ID. As far as I have found there is nothing that can turn this off. Have you heard anything? Apple support is clueless since it's beta and this is very frustrating. Thanks.
  • I take it this does not work for an App Store-only account? Because you have to be signed into iCloud in order to receive the codes? Possible workaround: set up a new user account on a Mac and sign into iCloud with the Apple ID that's normally only used to access the App Store. Has anyone tried this?