Six Colors
Six Colors

by Jason Snell & Dan Moren

This Week's Sponsor

End users aren't your enemy! Kolide gets users to fix their own device compliance problems–and unsecure devices can't log in. Click here to learn how.

By Dan Moren

Doing the two-step: Switching to Apple’s two-factor authentication

Note: This story has not been updated for several years.

Apple has, for a while now, offered two separate additional security measures to protect your Macs, iOS devices, and iCloud account, but thanks to some inexpert nomenclature, it can be a little difficult to tell them apart


The first, two-step verification, has been offered for several years. It prompts you to enter a four-digit code when you sign into your iCloud account, purchase something from one of Apple’s stores on a new device, or make changes to your Apple ID. Those codes were delivered by push notification to an authenticated device of your choosing, or via SMS text message. It also necessitated the use of “app-specific passwords” (long random passwords generated by Apple) to log into accounts and services that didn’t support the two-step verification process, and provided a Recovery Key to store as an override, should you be unable to receive the relevant code any other way.

The newer two-factor authentication is an improvement upon that process, which Apple started rolling out last year. While the principle is similar, the execution is refined. The verification code is now six digits and is automatically sent to all of your authorized devices. When a new device is logged into your iCloud account, you’re also shown the rough location of that device (on a city level), so that you can be sure it’s not someone halfway around the world trying to gain access; there are also buttons to allow or deny that login. Authentication only happens when you log into your iCloud account from a new device for the first time, or when logging into an account on the web. (In the latter case, you can choose to trust your browser so you don’t have to do that every time.)

Upsides to the newer two-factor approach are the phasing out of app-specific passwords and (Update: This is actually incorrect. App-specific passwords are still required for incompatible services with two-factor authentication. Sorry about that!) the Recovery Key1; on the other hand, two-factor does require that all your devices be running at least iOS 9, El Capitan, watchOS 2, or some version of tvOS.

Making the switch

I’ve been using two-step verification for a while, so when Apple rolled out two-factor authentication in 2015, it wasn’t immediately clear how to go about switching to the new (and supposedly improved) system.

Disable Two-Step Verification via your Apple ID management page.

Though Apple didn’t provide an obvious way to make that jump, the key is simply to deactivate your existing two-step authentication setup via the Apple ID management site; click Edit in the Security section, and choose Turn Off Two-Step Verification. Once I picked some new security questions and verified my date of birth and backup email address, I had to go re-enter my iCloud password on all of my associated devices.


After that, I went to Settings > iCloud on my iPhone, tapped on my account, then chose Password & Security and selected Set Up Two-Factor Authentication. I was asked to verify a phone number, and that was about it. With that done, I went around to my other devices, opened up System Preferences or Settings and navigated to my iCloud account, then entered the two-factor authentication code when prompted.2

So is my account much safer now? Given that I already had two-step verification on, probably not really. But I sure get that warm, fuzzy feeling inside by being up-to-date with the latest security measures.

  1. There’s a new automated account recovery tool in case you can’t get to any authenticated device or one of your SMS-capable phone numbers. 
  2. In a few of these circumstances, my phone didn’t prompt me with a two-factor code. Fortunately, under that Password & Security section of your iCloud settings on iOS you can tap Get Verification Code to manually receive one. 

[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at or reach him by email at His latest novel, the supernatural detective story All Souls Lost, is now available for pre-order.]

If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.

Search Six Colors