Is Apple going to make two-factor authentication for Apple IDs mandatory?

by Graham Needham (BH) on 16th May 2017

We received the email pictured below from Apple today (16th May 2017):

[Image: Apple email about app-specific passwords]

Basically, on 15th June 2017 app-specific passwords will be required for third-party software products accessing iCloud data, e.g. if you use Microsoft Outlook to access your iCloud email. In the first instance, there's nothing wrong with this because more security is good, right? There are two scenarios here that are worth considering…

The first is that to continue using third-party applications with iCloud you are now forced to switch two-factor authentication on, whether you like it or not. Two-factor authentication sounds great, but we've seen many situations where it has led to monumentally deep rabbit-hole support problems. Once you are stuck in one it can get very messy, and the only way out is via Apple Support, and that depends on whether they will help you or not (they are very security conscious around Apple ID related matters: Apple Support can answer your questions about the account recovery process, but can't verify your identity or expedite the process in any way). So, in a worst-case scenario, people could end up being locked out of their computers, iPhones and/or iPads.

The second, and far more concerning, is the possibility that future versions of macOS and iOS will make two-factor authentication mandatory to even be able to install or use them. Even now, some accounts created in iOS 10.3 or macOS Sierra 10.12.4 and later already don't have the possibility of turning off two-factor authentication! Apple has been heavily pushing two-factor authentication with the last couple of versions of macOS and iOS (a recent macOS system update requested you to turn on two-factor authentication, and iOS 10 makes it really easy to turn on without you even realising what you are doing), so it's not hard to believe they will go this route and make two-factor authentication mandatory. Also, note that the date this all starts is 15th June 2017. This will be just after Apple's WWDC has finished and thus probably when the first previews of macOS 10.13 and iOS 11 will be made available to developers.

So what do we recommend? In preparation for two-factor authentication we recommend the following (all of which are worth doing as best security practices anyway!):

  • Read up on Apple's two-factor authentication
  • Make sure your Apple computers are running OS X 10.11 El Capitan or later
  • Make sure your Apple iDevices are running the latest version of iOS
  • Log in and manage your Apple ID:
    • Use a secure password
    • Make sure you have set a "rescue email", that the email address is current, and that you can access that email account, preferably from devices other than your Apple devices
    • Check, and update if necessary, your security questions - although these are not used for two-factor authentication they are needed to recover access to an Apple ID!
    • View and manage your trusted devices - this is very important as two-factor authentication verification codes would be sent to all trusted devices!

If and once you have turned on two-factor authentication:
  • Check your primary trusted phone number is up to date
  • Add additional trusted phone numbers - they don't have to be Apple devices because if you're signing in and don't have a trusted device handy that can display verification codes, you can have a code sent to a trusted phone number via text or even a traditional phone call instead
  • Keep your trusted Apple computers physically secure
  • Lock your trusted Apple iDevices with a passcode
  • Generate app-specific passwords

Update 21st September 2017 - Apple will forcibly convert two-step verification accounts to two-factor authentication if you upgrade to iOS 11 or later / macOS 10.13 High Sierra or later!

Blog Post Author = Graham Needham (BH)
Blog Post Created On = 16th May 2017
Blog Post Last Revised = 25th January 2018 12:52

This blog post is representative of the blog author's individual opinions and as such any opinions that may be expressed here may not necessarily reflect the views of everyone at MacStrategy or the holding company Burning Helix.

© Burning Helix s.r.o.
