Apple’s introduction of two-step verification for Apple IDs is consistent with the trend in the industry to strengthen user authentication practices. Facebook has been experimenting with one-time passwords and social CAPTCHA authentication; Google began offering 2-step verification a while back. It’s great to see Apple get onto this bus.
Apple explains that “two-step verification is an optional security feature for your Apple ID.” To activate it, sign into My Apple ID on Apple’s website and go to the Password and Security area. You will then have the ability to specify which “trusted devices” associated with your Apple ID you wish to use as the second authentication token.
When designating a trusted device, such as an iPhone or an iPad, Apple will send a 4-digit verification code, which will pop up on the device almost instantaneously. You’ll need to enter the code on Apple’s website to confirm that you’re in the possession of the device.
Once you’ve enabled two-step verification, you’ll need to verify that you still have the device whenever you login to the My Apple ID website, when you “make an iTunes, App Store, or iBookstore purchase from a new device” or when you attempt to “get Apple ID-related support from Apple.”
For example, after signing into the My Apple ID website with your username and password, you’ll be presented with the prompt to “verify your identity” using one of the enrolled devices.
A pop-up like this will appear on the designated trusted device:
If your device is locked when the code is delivered, you will need to unlock it before seeing the code. The overall experience is a bit more streamlined than what Google uses, because Google requires the user to install and the activate the Google Authenticator app on the mobile device.
Receiving the code requires an active data connection. If you are using an iPhone, don’t have data but are able to receive SMS, Apple can send a verification code to your a verified phone via SMS. To take advantage of this feature, you need to verify the phone number through the My Apple ID website.
When activating the two-step verification option, Apple automatically generates a Recovery Key, which can be used as an authentication token if you lose access to a trusted device:
Google, Apple and to some extent Facebook now give users the option of strengthening their account authentication process. It’s only a matter of time before other industry giants, such as Twitter, jump in. Perhaps stronger authentication becomes the norm, we might see some innovation in making it more reliable and convenient for end-users.