
Apple To Force Users To 2FA On iOS 11, macOS High Sierra (onthewire.io) 119

Trailrunner7 quotes a report from On the Wire: With the upcoming releases of iOS 11 and macOS High Sierra later this year, Apple is planning to force many users to adopt two-factor authentication for their accounts. The company this week sent an email to customers who have the existing two-step verification enabled for their Apple IDs, informing them that once they install the public betas of the new operating systems they will be migrated to two-factor authentication automatically. Two-step verification is an older method of account security that Apple rolled out before full two-factor authentication was available. Apple is phasing that out and will be upgrading people with eligible devices automatically. "Once updated, you'll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience. Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password," the email from Apple says.
  • by turkeydance ( 1266624 ) on Wednesday June 07, 2017 @08:10PM (#54573091)
    and the rest of my relatives asking me to fix it.
    • by Anonymous Coward on Wednesday June 07, 2017 @08:29PM (#54573251)

      Today I tried to help someone in verification code hell. She enters her Apple ID on new phone. The verification code is sent to the old phone. She can't read the code on the old phone because Apple wants her to verify something on the old phone but the duelling popups prevent her from accessing the item. Then the new phone re-initiates a verification code.

      • by Anonymous Coward

        You could use the alternate verification method - it will call or text your phone number with the code.

      • Yep, had the same kind of problem. Gave in to Apple's nagging, enabled TFA, all devices asked for confirmation codes but none received any. Finally managed to get one code somewhere after many attempts with different methods, logged in, disabled TFA right away. Some devices kept nagging for a code, but a couple of resets later all was OK.

        Also, what happens if two of my devices get stolen? Can't the thief then lock me out of my own account? "Hey, Apple, I 'forgot' the password for the iPhone and iPad I just

        • by Gr8Apes ( 679165 )
          I'm hazarding a guess here, but this experience is the "old TFA" which has been replaced, according to the TFA. At least I hope so, because the TFA available before iOS11 and High Sierra was, to be kind, an utter and complete pile of shit.
        • My problems with it were just as annoying. My laptop would ask for a password, enter the password, and a verification code would pop up on my phone. Enter the code, and the computer asks for my password, and then a new verification code pops up on the phone. Endless loop of this bullshit for 10 minutes at a time, before the system finally gets the picture and lets me in. I turned off 2FA until they work a few more of the bugs out.
          • by marklark ( 39287 )

            I did this, but for a lot shorter time. If you read the instructions, it asks you to enter your password _plus_ the verification code to log on.

        • by sconeu ( 64226 )

          This was my problem. I did the TFA thing, but when it asked for the code, they never sent it.

    • by msauve ( 701917 ) on Wednesday June 07, 2017 @08:58PM (#54573445)
      I'm with you. Just yesterday I had to help someone restore an Apple password (too many wrong tries on a single device). To quote Steve Jobs, the whole thing was "brain-dead."

      Bad tries on a single iThing resulted in a DOS for every other Apple device linked to the same account. To recover, there was an option which promised to take days, or you needed an IOS 10 (?) device. That somehow produced a code, which you were told in one place to append to the old password when logging into a different device, and elsewhere told to use as the full password. Oh, and before you got that code, up came a warning that an "unauthorized device" was trying to access the account from some remote city (their geoIP sucks, and the warning was clearly wrong).

      It was very, very much an exercise in frustration and too much time. Why not simply require a confirmation that things were good from some device other than the one with too many failed attempts, or worst case force a new existing password login then change from a different device? Because Think Different, and fuck you, we're Apple.
      • I recently ran into a similar problem when visiting my parents recently.

        I wanted to update my mother's Mac to the latest version of macOS, but she was apparently logged out from her Apple account, so clicking the Get button in the Mac App Store to initiate the download resulted in a login prompt before it could start. I punched in her credentials, saw it spin for a bit, and then was given a cryptic error message that yielded no fruitful results in a quick search. Trying again resulted in more of the same: a

        • by msauve ( 701917 )
          Makes one feel like Candide, with Pangloss-Apple trying to convince us that it's the best of all possible worlds.
    • by bug_hunter ( 32923 ) on Wednesday June 07, 2017 @09:02PM (#54573481)
      Are your family currently using two step authentication?

      The article was really unclear in its description, but it just seems to be "Two step" is moving to "Two factor". Looks like regular authentication is still regular authentication.
      • Hmm actually after reading the article again, I'm unsure about my previous statement.
        Carry on.
      • Are your family currently using two step authentication?

        Tried it, but I kept stepping on my partner's feet. Currently I'm using foxtrot authentication, but I'm thinking of taking tango authentication lessons in the future.

        It does look odd when you're signing on to your account in public though. And doing it on a bus or train is a definite no-no.

      • I had 2FA but ironically had to disable it because my FIL gave us an AppleTV he had gathering dust and when trying to set it up it wouldn't work until I turned down the security.
    • any change, anything new or different and the calls start.
    • Charge $300 per hour and your relatives will leave you alone. Mine did.
    • Helping grandma beats trying to recover an Apple ID.

      When I first got an iPod I created an Apple ID with an old email address. Never bought anything on it, never even put real contact info or credit card information on it. A few weeks ago I got an email that my security questions were changed. I called up Apple, apparently the only way they verify someone is the owner of an account is through those security questions so they couldn't do anything to help me.

      TLDR: Make sure you have a strong password, because

  • Serious question since I won't go to Windows 10 I may have to go to Apple. If I buy an Apple laptop or desktop, must I create an Apple account to use my machine? Can I not simply buy it, create an admin account and user account and go to work?

    • by Anonymous Coward

      No Apple account needed to use iOS or Mac devices or get os updates. Just need an account for the App Store. (And iCloud)

      • by Anonymous Coward

        Everything you mentioned requires an Apple ID. 2FA will be required before long. I work for Apple Care. It's an unmitigated disaster from a user experience perspective. Massive call driver.

        • by Anonymous Coward

          LOL I login to and use my phone and computer everyday without any active Apple accounts. Nice try tho.

          To download from the AppStore, you do need an account.

        • by jerk ( 38494 ) <cherbert&gmail,com> on Wednesday June 07, 2017 @09:26PM (#54573627)

          You're an AC that works at Teleperformance or some other call center, and you think you know what you're talking about. No Apple ID is required to create an account on a Mac or to download updates.

          Updates (iOS and MacOS) are available here [apple.com], no App Store required.

          As he stated, you do need an Apple ID for the App Store and iCloud features.

          • And you are required to use iCloud. I fought this battle for months, and finally just got a Dell Precision with Ubuntu, because it was time to upgrade anyway.

            I did everything I could to disable iCloud, but I could never escape the random pop-ups in OSX telling me that I needed to enter my iCloud password. It was fucking ridiculous. Almost as ridiculous as the Android bug where Gmail tells you you can't use it because Google Play doesn't have the microphone and body sensors allowed....

    • Re: (Score:3, Funny)

      by DigiShaman ( 671371 )

      Yes. You can create a local account instead of linking it to Apple iCloud. But beware, a local only account means you're a lone ranger. You're on your own, and shunned from Apple until you embrace the cloud.

    • by asjk ( 569258 )
      As of the last update for desktop OS there is an option to skip creation of or logging into one's Apple account. I'm going to say it's not required. Additionally you should be able to use the Apple Mail and Messages apps without an Apple account.
    • If I buy an Apple laptop or desktop, must I create an Apple account to use my machine?

      No, you don't have to.

      Can I not simply buy it, create an admin account and user account and go to work?

      Yes, you can.

      That said, there is support built into the system for several of Apple's services. And since the account itself doesn't cost you anything and you get some entry level services for free, there's really not much reason to not create one.

      • by Trogre ( 513942 )

        It's worth pointing out here that if you don't use an Apple ID then you won't be able to use the App Store and, consequently, won't get security updates.

        A very courageous design decision there.

        • Apple's App Store will still allow downloading the security and OS updates without you being signed in with a particular iCloud user account. You just need that for anything else you want to download.

    • by nine-times ( 778537 ) <nine.times@gmail.com> on Wednesday June 07, 2017 @09:22PM (#54573607) Homepage

      You aren't required to have an Apple account, but you'll probably want to. Having an Apple ID allows you to do a cloud backup of any iOS devices you might get. It allows you to access the app stores for both MacOS and iOS. It lets you use "Find my Mac" to track or remote-wipe your computer if you lose it, and "Back to my Mac", which gives you file sharing and remote screen access to your other Macs without needing a VPN, if you have multiple of them, even if they're behind a firewall. If you want to buy anything from iTunes, you'll need an Apple ID. It's even the sign-on if you want to order anything directly from Apple's website. If you want to do anything that connects to Apple, you'll want an Apple ID.

      That doesn't mean you need to get one. You don't need to link it to your local sign-on. You don't even need to use Apple's domain (e.g. you can have the Apple ID use a Gmail address or whatever) unless you want to get a free email account with it.

      It's ultimately not that onerous. They don't try to railroad you into it to the degree that Microsoft does.

      • by crtreece ( 59298 )
        So if you want to Apple, you have to apple apple your apple. The benefit of appling your apples is that you can then apple apple your apple and apple your apple apple. You will also be able to apple your apple without having to apple apple apple apple. Best of all, if you lose your apple, you can apple the apple apple, and apple apple the apple remotely.

        • Yeah, pretty much.

        • But just to be serious for a second, some of the benefits of getting Apple devices come from the fact that they're all made by the same company, designed to work together. Like you can get an iMac, a Kindle TV thing, Windows phone, and Android-based watch, and the iMac still works fine. But if you get an Apple TV, iPhone, and Apple Watch, then you can link them all with your Apple ID, and now they interact in nice ways. You can take a picture with your phone, and it shows up in your Apple Photos app. Yo
  • iTC still is just username and password. Access to apps, Developer portal - all just username and password. Get your shit together apple.
  • Apple's current two-step authentication can be quite buggy at times. I have an iPhone and an iPad, both of which are trusted devices (only iOS devices can serve as trusted devices) - yet the approval codes don't always show up on whichever device I've selected.

    I've set up new devices, logged into iCloud, added the iCloud Keychain... and had the (supposedly automatic) approval prompt not show up at all on any current devices. I've seen, on numerous occasions, Sierra installs randomly unable to connect to a m

  • ... two fucking articles.

    I have to explain everything.

  • Apple ID security update with iOS 11 and macOS High Sierra

    Dear Bleh Bleh Bleh,
    Thank you for using two-step verification to protect the security of your Apple ID.
    If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID will be automatically updated to use two-factor authentication. This is our most advanced, easy-to-use account security, and it's required to use some of the latest features of iOS, macOS, and iCloud.
    Once updated, you'

  • One thing that doesn't make sense to me is having 2FA enabled for an iPhone. If one tries to log in to one's iCloud account via one's iPhone, the 2FA code gets sent to the iPhone. What good is that?
    • by kqs ( 1038910 )

      It sounds to me like you can get your second factor on your OS-X computer. If you have an OS-X computer.

      Since I use macbooks but also android and chromebooks, and no iOS devices, this seems like a not-so-good design to me. But I don't understand the details of the system yet, so I'll withhold judgement for now.

      • It sounds to me like you can get your second factor on your OS-X computer. If you have an OS-X computer.

        Yes, you can; but that does nobody any good if you're nowhere near your computer. The 2FA code is sent to all your iOS and logged-in macOS devices.

    • by Gabest ( 852807 )
      You obviously have your Mac with you when you are using your _mobile_ phone.
    • I have an iPhone AND an iPad, so such a solution would work for me
  • The latest update to Windows 10 is moving things forward on the Microsoft side with 2-factor authentication that's more "user friendly". Basically, in a domain on a network, you'd still create a username and a traditional password for the user account, but the machine won't ever make the person use that password to authenticate themselves. The 2 factors will be combinations of a 6 digit (or longer) PIN code they selected and a biometric authentication such as fingerprint reader or facial recognition using

  • I hope to hell this doesn't make it more difficult for me to use my android phone with my mac. It already requires some sort of emulator to work.
  • I typically only have one trusted device at a time. What makes you think I trust my cellphone?

  • by SeaFox ( 739806 ) on Thursday June 08, 2017 @12:13AM (#54574379)

    I got an email a few weeks back from Apple, too. Emphasis mine.

    Dear (SeaFox),

    Beginning on June 15, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts, and calendar services not provided by Apple.

    If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.

    To generate an app-specific password, turn on two-factor authentication for your Apple ID and then follow the instructions below:

      Sign in to your Apple ID account page (https://appleid.apple.com)
      Go to App-Specific Passwords under Security
      Click Generate Password

    For more information, read Using App-Specific Passwords. If you need additional help, visit Apple Support.

    Apple Support

    So now I have to set up a separate email password for my main computer (which is Windows 8.1, using Thunderbird), my email client on my Android phone, the address book app on my phone (which syncs to iCloud), the Calendar app (which also syncs to iCloud) -- maybe another one because I have a Thunderbird install on my tablet (Win 8.1), oh, and my Thunderbird install on my actual Apple laptop.

    That's six fucking passwords I have to generate for what I could do with just one before, just because I don't want to sync my contacts and calendaring data through a provider that will definitely be data-mining my info.

    • I only use my iPad to access my iCloud email: anything else gets accessed from this TrueOS laptop. I have one iPhone, one Lumia, one iPad, one Verizon Ellipsis, one MotoX and 2 laptops. I use the laptops for emails, so don't access those from the iPad. I use the Ellipsis for Gmail, and all my personal stuff - banking, credit cards & so on. I use the iPhone to FaceTime w/ family, iPad for games (actually, it gets used more by the kids), Lumia for any office calls (and checking my hotmail email) and

    • by rgbscan ( 321794 )

      On the Flipside... when fantastical gets hacked (my preferred Calendar app - and yes I have it on its own password), you only lose that data. The rest of your Apple account, and iCloud data is intact and safe. Personally, since I use a different variation of my password on every website, taking that same template to each app is no bother.

      Are you really someone who uses the same password across the board???? yikes! It's modern times. Get 1Pass and be done with it.

      • by SeaFox ( 739806 )

        Are you really someone who uses the same password across the board???? yikes! It's modern times. Get 1Pass and be done with it.

        I was referring to six different apps that all access the same iCloud account, therefore they are all using the same credentials to access said single account right now.

        I wonder if you see the irony in your suggestion is to use a password manager -- taking all your individual, unique passwords and making them all accessible with one master account while telling me using the "same password" across the board is a bad idea. And it's a paid service too! Yessir, lemme pay for the vulnerability of having all my cr

    • "That's six fucking passwords I have to generate for what I could do with just one before, just because I don't want to sync my contacts and calendaring data through a provider that will definitely be data-mining my info."

      If you sync with Google and turn on 2FA, you have to use app-specific passwords anyway.

  • Is Apple also going to upgrade their CSRs to resist social engineering to have 2FA turned off?

    With PayPal, all you had to do to get around 2FA was call them up and social engineer your way into a password reset, which would also turn off 2FA. In other words, 2FA was so easy to bypass, it was of almost no actual security value.

    A gate with a super advanced padlock is not secure if you can simply go around the gate. And that's WAY too easy to do with nearly every 2FA implementation. There is always a way ar

  • Something you know (password), and something you own (the bloody phone itself!). So that's two.

    Oh, and I'm already terrified about losing my phone, but the more "security codes" it sends to me, the worse it gets...

  • by WaffleMonster ( 969671 ) on Thursday June 08, 2017 @01:26AM (#54574639)

    I wish vendors would cease false 2FA advertisements because the security claims are unfair and misleading to users.

    Actual multifactor authentication requires two dissimilar factors... generally what you know *AND* what you have.

    What everyone is doing effectively amounts to what you know *OR* what you have. The second factor adds as much security to the system as an obvious password reset question...In other words it isn't additive...it actually reduces effective security of the system.

    The goal has never been security. It's getting people to stop saying "I forgot my password".

  • is that using 2FA to verify your login doesn't help much if the authentication device is what you're logging in. So if you only have an iPhone, there isn't much point.
  • I tried it and it's flaky at best. I have spotty cell reception in my office (two x 1/4 inch panes of glass do that) and it can take a while to get a text or other notification.
  • This asshole spams all Apple threads praising everything apple and defending all their fuckups. What's the defence on this one, FakeTimCook?
