Samuel Gibbs at The Guardian:
The security feature adds an extra layer of protection against hackers trying to access users’ accounts. After logging in with their usual name and password, two-factor asks account holders to use a second security code to verify their messaging and video chat accounts.
I’m a big proponent of two-factor authentication, but I don’t love the way this is implemented. Rather than requiring a verification code, as happens when you try to log in to your iCloud account, FaceTime and iMessage will instead prompt you for an app-specific password (essentially a randomly generated one-time password) when you try to login. To do that you have to go to a website, log in, verify that login with a two-factor code, and then get the app-specific password and paste it back into the originating application. Seems like it could be a little less clunky.
App-specific passwords are good because they’re disposable and you can always revoke them and create a new one if an account is accessed, but they can be a pain to manage. Most people don’t want to spend their time keeping track of all the different one-time passwords they’ve created.
All of that said, it’s good to see Apple taking proactive steps to ensure security on its many services, instead of playing catch-up after the fact.