By Dan Moren
July 7, 2016 8:57 AM PT
More on Apple’s two-factor authentication: Apple Watch, app passwords, more
Note: This story has not been updated for several years.
There’s still a lot of confusion over Apple’s two-step verification and two-factor authentication systems, so here are a few things I’ve come across since making the switch, which hopefully help clarify the details of this system.
- The Apple Watch (at least running watchOS 2) cannot receive two-factor verification codes. However, if you want to take advantage of the Auto Unlock features of watchOS 3 and macOS Sierra, it still seems to require that two-factor authentication be enabled on your account. (It doesn’t seem as though the older two-step verification system is sufficient.)
If you want to see a list of trusted devices and those that can receive two-factor codes (which largely but not entirely overlap), go to the iCloud preference pane on your Mac, or the iCloud section of Settings on your iOS device, and look at your account, then select Devices. That’ll provide a list of every device logged into your iCloud account; selecting each will tell you if they’re trusted and can receive two-factor codes.
- I noticed that some of my devices were not listed as trusted here, including my iPad Air 2. I’m positing that’s because before a device can be considered trusted, you need to at some point enter your password and a two-factor authentication code. Easiest way to do this seems to be viewing your iCloud account on that device, as above. Once I entered my password and entered an authentication code, that device was then listed as trusted.
- Sometimes the map you get informing you where a login attempt is originating doesn’t accurately reflect where you actually are.1 I’m guessing that’s because if the login attempt is made on a device without a GPS unit, Apple defaults to using Wi-Fi-based location, which can be inaccurate, since it’s essentially based on a database matching Wi-Fi access points with geographical locations. If routers are moved between locations, the database doesn’t always update quickly. (Update: Twitter user Guillaume says that the maps are actually based on looking up the location of an IP. Which would definitely explain why they can be so far off.)
As I mentioned in the original article, some of my devices didn’t seem to be automatically receiving two-factor codes. I’ve since heard this from a few other folks, and though I haven’t been able to figure out exactly why this is the case, try the usual suspects: reboot the device, log out and back into iCloud, and, if all else fails, give it some time. My iPhone was not receiving codes yesterday when I enabled the system, but it seemed to be working today.
As mentioned in a subsequent update, two-factor authentication does not remove the need for app-specific passwords, but it does seem that you no longer need them for any Apple services. (However, if you have a Mac or iOS device running on older software, you may need to resort to a workaround wherein you enter your password and two-factor code together to log in.) Third-party services that don’t support Apple’s two-factor method–and here I’m not clear if it’s possible for them to support it or not–may still require an app-specific password, which you can generate at Apple’s Apple ID management site. That said, I noticed when I went there to audit my app-specific passwords that they’d all been removed–probably when I switched over to two-factor authentication.2
That’s what I’ve discovered so far. Got any further questions or observations? Let me know via email or Twitter!
- This morning, for example, I logged in to my iCloud account from my local coffee shop, and I was pleasantly informed that an attempt had been made from somewhere in New Jersey. I am pretty sure I am not in New Jersey–though can any of us ever truly be certain? ↩
- Apple does not specifically say this will happen, but it does note that if you change or reset your Apple ID password, it will revoke all app-specific passwords. ↩
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @email@example.com or reach him by email at firstname.lastname@example.org. His latest novel, the supernatural detective story All Souls Lost, is out now.]
If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.