Apple Two-Step Verification Now Available for iMessage and FaceTime [Updated]

Cmd-Z said:

Whenever you change the primary Apple ID password (which seems to be required about every 3-4 months),

Click to expand...

You are only forced to change your password every 90 days if you have certain high security application access on your Apple ID account.

At one point I worked for a reseller and had access to Apple Sales Web (a portal for getting sales materials and demo licenses for Apple software), and even though I hadn't accessed it in years, and maybe couldn't anymore, that being attached to my account made me have to change my password every 90 days.

Some older developer accounts can have the issue also.

If you are having to change your password every 90 days, and do not access any internal Apple applications you should open a support case and try to get it escalated until you get someone who can find the right group that has put that on your account and can remove it. Mind you it took me four tries and working with several support groups (Apple Care, Developer Support, etc) before I was escalated to a manager who really took ownership of the case and made sure it got taken care of. Even at that point it took well over a month for it to work its way through the process. But now I have had my same password for 5 or 6 months.

With the number of Apple devices I use at home and at work, it was definitely worth it not to have to update that password on all the services on all those devices 4 times a year.

Shawn Parr said:

If you are having to change your password every 90 days, and do not access any internal Apple applications you should open a support case and try to get it escalated until you get someone who can find the right group that has put that on your account and can remove it.

Click to expand...

Excellent, I will definitely look into that! The last password fiasco was a disaster, my AirPort Extreme went into duh-mode after changing the Back to My Mac password and I had to reset the router, re-create the network and re-connect all the other AirPorts in the house, that was a blown Saturday morning.

Oh-RLY said:

You're a nobody then no-one cares about you and you need not worry about this feature. However there are high-profile people out there who would like their personal communications to be secure. i.e. celebrities, news reporters, politicians, executives, etc.

Click to expand...

I don't see how it wouldn't be secure. Are you saying someone would log in pretending to be a celebrity on another device and start sending messages from another device? But that device wouldn't have the right cell #? Unless they have your device physically, I don't see the problem. And in that case, you just shut it down remotely.

Again, what is the issue?

iMerik said:

Signed out just now and was forced to use app-specific passwords.

Maybe this is a dumb question, but can't they just incorporate two-factor for both of these apps where you'd sign in with your AppleID password and be asked to send a code to your trusted iOS device or mobile number? Maybe that'll be an iOS9 deal.

Click to expand...

I agree, this is what I was hoping for. In fact, most of the articles I've read in the last 2 days actually imply that this is the case, when it isn't.

Isn't my freaking fingerprint good enough? Why even bother with that thing? Why are a subset of paranoid people driving this? Let them opt in for something that makes them feel worthy of being spied upon if they want and leave me alone.

Thank you.

HardHatMack said:

iMerik said:

Signed out just now and was forced to use app-specific passwords.

Maybe this is a dumb question, but can't they just incorporate two-factor for both of these apps where you'd sign in with your AppleID password and be asked to send a code to your trusted iOS device or mobile number? Maybe that'll be an iOS9 deal.

Click to expand...

I agree, this is what I was hoping for. In fact, most of the articles I've read in the last 2 days actually imply that this is the case, when it isn't.

Click to expand...

Yeah, the articles get it mostly wrong, or at least the headlines. I mean, you need to sign into the Apple ID website with multifactor to generate the app-specific password, but calling the app-specific password for iMessage and FaceTime multifactor seems misleading.

If Apple had incorporated real multifactor into these apps, I want to say it's even more friendly than having to type in a four digit code if you use the trusted iOS device option. I think I've experienced this when setting up iCloud Keychain, but if my verified iOS device is the phone I'm setting Keychain up on, Apple sends the multifactor code to my phone and my phone automatically accepts it during the two-step authentication process without even requiring me to type the code in (unlike the SMS option). This is obviously the more user-friendly option they should have gone with for iMessage and FaceTime, even if that would have required updating those apps.

carlgo said:

Isn't my freaking fingerprint good enough? Why even bother with that thing? Why are a subset of paranoid people driving this? Let them opt in for something that makes them feel worthy of being spied upon if they want and leave me alone.

Thank you.

Click to expand...

I shouldn't even respond to this, but I will. You don't have to enable two-step verification / multifactor authentication. If you didn't have that enabled, I agree that all system apps that ask for your Apple ID account and password should be able to retrieve it from the iCloud Keychain (assuming you've stored it there) which would need just your Touch ID fingerprint to retrieve. But with Touch ID replacing your password in that scenario, you'd still want a second factor in place, hence Apple's two-step verification.

Like the majority of Internet users, many posters here simply do not understand the devastation that a talented blackhat hacker could cause you if they have access to your Apple ID (or any other web account for that matter).

Let's think about the simple things first. If someone gains access to your FaceTime or iMessages, then they likely also have access to your iCloud account, your iCloud email, your iCloud photos, your iCloud iPhone backups, and find my iPhone which will tell them where you are 24/7/365. They would also have access to any personal information you have stored in iCloud including your name, phone, email address, secondary email address, birthdate, family sharing, etc.. From there, if they just want to be mean, they can enable 2-factor for you, then purposely lock you out of your Apple ID account forever (yes, someone else can cause you to forfeit your account, and all your Apple store purchases forever).

Even worse, the person could go through your iCloud email and contacts, and look for other accounts that you have used your email for (bank accounts, social accounts, credit cards, retirement, investments, etc). Then they could simply reset those account passwords (because the reset emails come to your iCloud email right)? Then, they would OWN you and everything in your life.

So, you've got to understand that if a hacker gains access to even a single one of your accounts (e.g. Apple ID, Gmail, Office 365, etc..., they can leverage that single account to do great harm to your finances, your identity, and your life in general.

So, never underestimate your own value to a hacker and never undervalue the security advice that folks try to give you on forums like this.

I think there may be accounts with more then one iPhone but have only one phone number on record. Anyway, I suspect there are accounts where what you mention makes complete sense. I know that I had used my iTunes account many times from my computer and iPad, but when I finally used my iPhone to purchase from iTunes, I got the verification request and it was super easy to do and only requested that one time.

I seem to be having trouble with this, on my MBP it has signed me out of Messages, I enter my details and click sign in. I am then prompted to create a code and sign in again. I am never given the option to enter the code I'm given. How am i supposed to sign in?

jfoley89 said:

I seem to be having trouble with this, on my MBP it has signed me out of Messages, I enter my details and click sign in. I am then prompted to create a code and sign in again. I am never given the option to enter the code I'm given. How am i supposed to sign in?

Click to expand...

Try go into "Preference" of iMessage and FaceTime to enter your app-specific password, if that is what you mean by "code". If it is the 4 digit code apple sent you, then it just allows you to log into your Apple ID. Then, you need to go to "password & security" to generate app-specific password for the apps.

Hope that helps.

Absolute nonsense.

Can anyone login to their apple account and see the app specific passwords?

NOPE. You sure as hell can't. which means you either have to A. remember that long string of random characters or B. write it down somewhere.

Both options are stupid.

You need this password any time you need to relogin to these services.
Also.. this whole process breaks cellular calls via FaceTime and continuity.


Another cloud failure from apple. They'll never get it right.

tgwaste said:

Absolute nonsense.

Can anyone login to their apple account and see the app specific passwords?

NOPE. You sure as hell can't. which means you either have to A. remember that long string of random characters or B. write it down somewhere.

Both options are stupid.

You need this password any time you need to relogin to these services.
Also.. this whole process breaks cellular calls via FaceTime and continuity.


Another cloud failure from apple. They'll never get it right.

Click to expand...

My file vault got corrupted and I had to reinstall this morning. This has made my morning absolutely ****ing horrible as iCloud constantly prompts for my password without any indication which app is requesting a password. I also learned today my iPhone isn't showing up in trusted devices and I have no idea as to how to get it to show up in trusted devices. I was not aware that this process broke continuity.

This app specific password is ********.

Yes I have 2 step enabled. But my son is in Italy, with no MacBook and once again his iMessage needs a sting of letters he did not save.

Major pain. His seems to ask for it once every three weeks prompting the needs of the actual computer to generate another one.

Of course I cannot do it without sending his phone a verification code that has a different sim it it while away. So that's impossible, so what's app is it I soppy we for the remainder of his trip.

Fricken mess.