Apple Adds Two-Step Verification to iCloud and Apple ID

79 points by derpenxyne, about 12 years ago

14 comments

masnick, about 12 years ago
Apple has done a great job walking users through this process.

Setting up "trusted devices" (iPhone, iPad, etc.) works really well: Apple already knows which devices you own, so all you have to do is select the device and you get an instant push notification to unlock to see the verification code.

Apple gives you a backup recovery code with very clear instructions to print/write it somewhere safe. They require you to re-enter it as part of the setup process to make sure you got it right.

When you need a code, you pick the device you want it sent to and Apple pushes it out instantly via some feature baked into iOS. You can also set up any phone to have a code delivered via SMS, but presumably this is less secure because it could be read even if your phone is locked.

Overall this is a great experience for the user -- much more friendly than Google Authenticator.

In fact I wish this process was open a la Google Authenticator so that other applications could use it (this will happen when hell freezes over).
mootothemax, about 12 years ago
Argh! Incredibly annoying edge case! I'm in Poland, but have all my language settings set to English, and the only country codes for receiving SMSs are those of English-speaking countries!

Can't see any easy way to change my language on the page. How annoying!
pxlt, about 12 years ago
Really happy to finally have this option, but disappointing that there isn't (yet) a way to generate codes from your trusted device as with Google Authenticator. Hopefully it's on the way.
dominik, about 12 years ago
In case anyone else changed their password to something absurdly long only to run into the same trouble I did:

Apple passwords have a max length of 32 characters.

Unfortunately, the change password page doesn't enforce this limit and will blissfully let you think you've changed your password to something that has 50 characters, but actually only stores 32.

Later, when you use a Password Manager that saved the full 50 characters, suddenly your password doesn't work.

Some Apple pages' login password fields cut off automatically at 32, which lets the pasted password work (as you can't paste more than 32), but this is not the case within iTunes itself or on the iPhone.

Solution: Apple needs to limit the new password entry fields on the My Apple ID -> Password and Security page to 32 characters. Or, alternatively, accept and store longer passwords (as 32 characters is a bit tight if you're using a passphrase).
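
The mismatch described in the comment above, modelled as an added example that is not part of the thread and is not Apple's code. The class names, the PBKDF2 hash and the sample password are assumptions made for illustration; only the 32-character limit comes from the comment.

```python
import hashlib
import hmac
import os

MAX_LEN = 32  # limit reported in the comment above

def _digest(password, salt):
    # PBKDF2 stands in for the service's real (unknown) password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TruncatingStore:
    """Models the reported behaviour: set_password keeps only MAX_LEN chars."""
    def __init__(self):
        self._records = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, _digest(password[:MAX_LEN], salt))

    def login(self, user, password, field_capped):
        # field_capped models a login field that cuts input off at MAX_LEN.
        if field_capped:
            password = password[:MAX_LEN]
        salt, stored = self._records[user]
        return hmac.compare_digest(stored, _digest(password, salt))

class StrictStore(TruncatingStore):
    """The comment's first suggestion: enforce the limit at change time."""
    def set_password(self, user, password):
        if len(password) > MAX_LEN:
            raise ValueError(f"password longer than {MAX_LEN} characters")
        super().set_password(user, password)

def demo():
    long_pw = "correct horse battery staple " * 2  # constructed, 58 chars
    store = TruncatingStore()
    store.set_password("alice", long_pw)
    result = {
        "capped_field": store.login("alice", long_pw, True),
        "full_string": store.login("alice", long_pw, False),
    }
    try:
        StrictStore().set_password("alice", long_pw)
        result["rejected_at_change"] = False
    except ValueError:
        result["rejected_at_change"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

Rejecting the over-length password at change time means the user and the password manager both learn the real limit before anything is saved.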
deanclatworthy, about 12 years ago
What on earth is Apple doing here? The steps I went through so far:

1) I had to switch my password to something more "secure". That means adding a capital letter and a number. I am sick and tired of companies forcing me to use non-memorable passwords that have less entropy than if I had come up with something memorable, personal and long by myself.

2) "You must wait 3 days to enable two-step verification. This waiting period helps ensure that no one other than the owner of this Apple ID can set up two-step verification. A notification email will be sent to all addresses we have on file. Thank you for your patience."

Regardless of the reasoning for having this in place, all it does is make for a more difficult user experience. Currently when I signed into my Apple ID today, Apple didn't have this process in place and assumed that it was me signing in. So by asking me to change my password when I want to enable this feature it should probably be assumed that I am the account holder. If I was in fact an attacker, changing the password on my account, what if I was on holiday for a week? What if that email hit my spam folder? What if I just didn't notice the email because I am one of the many millions of people who fight inbox zero daily?

EDIT: Furthermore, this has now broken my iMessage and FaceTime, with Apple not sending a new activation to my device so I can use these services.
thomaslutz, about 12 years ago
"Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand. Additional countries will be added over time." Not in Germany yet.
rdl, about 12 years ago
It's kind of sad that it's taken Apple so long to do this, and they've done such a mediocre job of it. Offline verification vs. SMS, taking advantage of the secure element in 3GS+ phones, etc., and supporting credential management for third party sites, all would have made Apple superior to desktops or Android for enterprise use, or high-end consumers. But they did none of that.
selectout, about 12 years ago
Great to see this as finally an option, interesting that there is a 3 day wait to activate it though...just to be certain it is my identity that wants to add it.
PanMan, about 12 years ago
To what extent is it two factor when one of the factors is the device you are working on? One of the biggest risks I see with iCloud is someone finding/stealing my phone, and using it to erase other devices. A code sent to my phone won't prevent that. For online services, a code to your phone makes lots of sense (something you have part). For phone services, I'm less sure.
squeed, about 12 years ago
Hooray! I can only hope that by doing this, Apple will bring 2-factor authentication to the public forefront.
sandstrom, about 12 years ago
There is nothing on two-factor in my UI. Perhaps it's limited to some geographies? (I'm not in the US)
TomatoTomato, about 12 years ago
I just attempted to add two-step, and Apple told me I needed a stronger password before continuing. How do they know my password strength if it is salted+hashed properly?
smackfu, about 12 years ago
One odd thing is that it won't let me enable two-factor without setting a *stronger* password.
anizan, about 12 years ago
Wonder if it's got more to do with credit card fraud on iTunes than any specific sensitive data concern. Do people use iCloud a lot? Or maybe they are thinking of providing some cloud service this year which needs the added security.