Apple Two-Step Verification Now Available for iMessage and FaceTime [Updated]

MacRumors · Feb 12, 2015

Apple's two-step verification system now covers FaceTime and iMessage, reports The Guardian. Signing into an iMessage or FaceTime account protected by two-step verification will ask users to input an app specific password, which can only be obtained by logging in to an Apple ID account on the web with an authentication code, thereby preventing any unauthorized login attempts.

Two-factor verification is an opt-in system that was first introduced in March of 2013 to increase the security of Apple ID accounts. Prior to today, a verification code was only required for making changes to an account, signing into iCloud, or making iTunes/App Store purchases from a new device.

Two-factor authentication for iCloud is a recent addition that was implemented in September following the breach of several celebrity iCloud accounts, leading to a slew of leaked photos. The hacking incident led Apple to improve the security of iCloud and it also prompted the company to send out security emails when a device is restored, iCloud is accessed, or a password change is attempted.

Last month, a Medium post highlighting some of the remaining shortcomings of two-factor authentication was shared by several technology sites, which may have inspired Apple to update the service to protect iMessage and FaceTime accounts. The post pointed out that it was still possible to log into iMessage, FaceTime, iTunes, the App Store, and into the website using an account with two-factor authentication enabled without being asked for a verification code.

It seems two-factor authentication for iMessage and FaceTime may still be rolling out to users, as MacRumors was able to log into iMessage and FaceTime accounts with two-factor authentication enabled without a code.

Update: Two-factor authentication for iMessage and FaceTime seems to be more widely available now, and it appears that logging into an account requires an app specific password rather than a code to prevent unauthorized entry attempts.

Article Link: Apple Two-Step Verification Now Available for iMessage and FaceTime [Updated]

Apple_Robert · Feb 12, 2015

Good move by Apple.

iMerik · Feb 12, 2015

Signed out just now and was forced to use app-specific passwords.

Maybe this is a dumb question, but can't they just incorporate two-factor for both of these apps where you'd sign in with your AppleID password and be asked to send a code to your trusted iOS device or mobile number? Maybe that'll be an iOS9 deal.

jetjaguar · Feb 12, 2015

iMerik said:
Signed out just now and was forced to use app-specific passwords.

Maybe this is a dumb question, but can't they just incorporate two-factor for both of these apps where you'd sign in with your AppleID password and be asked to send a code to your trusted iOS device or mobile number? Maybe that'll be an iOS9 deal.

Yea i would like if my two step for my apple id covered everything instead of having to generate app specific passwords

kolax · Feb 12, 2015

jetjaguar said:
Yea i would like if my two step for my apple id covered everything instead of having to generate app specific passwords

Whole point in app specific passwords is that if that password gets compromised, your account is still safe.

organic bond · Feb 12, 2015

What I don't like is that this is compulsory. Annoying.

dampfnudel · Feb 12, 2015

organic bond said:
What I don't like is that this is compulsory. Annoying.

Staying safe can be annoying, but the alternative can be a lot worse.

ad1815 · Feb 12, 2015

This is tooo complex!

Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?

Apple_Robert · Feb 12, 2015

ad1815 said:
Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?

I don't see anything overly hard about the two-step verification process.

Apple makes it very clear on their website what the process is about. Apple also makes the user pro-active in turning it on, so that there is no I didn't know what i did rhetoric.

If a person has trouble remembering passwords, it would behoove him or her to use a password manager like 1Password, in my opinion.

I use 1Password so that I don't have to remember every single password.

If someone doesn't want to use two-step verification, he or she doesn't have to.

Several people want all of this process centralized with one central password. However, I don't think that is a safe method to employ.

If people were already hacking into said programs and stealing information and changing account passwords, many Apple users would be up in Mac arms, because Apple wasn't doing enough.

It all comes down to how secure one wants to be.

iMerik · Feb 12, 2015

Kilamite said:
Whole point in app specific passwords is that if that password gets compromised, your account is still safe.

The whole point of using multifactor is that a compromised password alone won't give you access to the account. I don't think you are making a good case for using app-specific over multifactor for iMessage and FaceTime, and I would venture to bet that we'll eventually see both apps using the verified iOS device and/or verified SMS device multifactor code instead of app-specific passwords. App-specific passwords are the opposite of easy to use compared to Apple's implementation of multifactor, which is the primary reason I say they'll eventually switch over to using it instead.

Also, if you read Apple's wording on pages like Frequently asked questions about two-step verification for Apple ID and Using app-specific passwords, you'll gather that Apple provides app-specific passwords if "I want to sign in to iCloud using an app that doesn’t support two-step verification for Apple ID" and "app-specific passwords are a feature of two-step verification that allow you to sign in to iCloud securely when you use third party apps." It's actually funny that iMessage and FaceTime now fall under the same category as third party apps in this case.

AppleMatt · Feb 12, 2015

So how do I turn this on?

AppleMatt

Apple_Robert · Feb 12, 2015

AppleMatt said:
So how do I turn this on?

AppleMatt

https://appleid.apple.com

Sign into your account. Click on password and privacy. You will see the option to turn on two-step verification. Once you select it, you will have to wait 48 per Apple security measures, before the verification can go active, which involves going back to said website and going through the process.

coolfactor · Feb 12, 2015

I've recently started using multi-factor authentication at several service providers that I utilize in my company's infrastructure. I have become fond of the Google Authenticator approach whereby temporary codes are provided once a minute via the Authenticator app, and you need to enter the displayed code before it changes to a new code. This has worked extremely well.

AppleMatt · Feb 12, 2015

BasicGreatGuy said:
https://appleid.apple.com

Sign into your account. Click on password and privacy. You will see the option to turn on two-step verification. Once you select it, you will have to wait 48 per Apple security measures, before the verification can go active, which involves going back to said website and going through the process.

Ah, perfect! Thanks - I signed in and out expecting it to prompt me.

AppleMatt

coolfactor · Feb 12, 2015

BasicGreatGuy said:
https://appleid.apple.com

Sign into your account. Click on password and privacy. You will see the option to turn on two-step verification. Once you select it, you will have to wait 48 per Apple security measures, before the verification can go active, which involves going back to said website and going through the process.

I didn't have to wait 48 hours. I was able to set up two-factor authentication immediately, and created an app-password for FaceTime.

My only concern around the implementation is that the system now needs to check a login request against up to 50 stored app-passwords. Does that not increase the chances of a breach by 50x? Good thing the passwords are secure, but I hope they are stored in a secure fashion on Apple's servers.

NMBob · Feb 12, 2015

dampfnudel said:
Staying safe can be annoying, but the alternative can be a lot worse.

Yeah, someone could break into your phone and send an iMessage with one of the new emoticons that doesn't match your race, and then you could get sued for being racially insensitive. (colon, right parenthesis)

T-Will · Feb 12, 2015

At least Apple prompts and takes you directly to the app-specific password page, unlike other services I've used that repeatedly get a password error without explanation.

mw360 · Feb 12, 2015

coolfactor said:
I didn't have to wait 48 hours. I was able to set up two-factor authentication immediately, and created an app-password for FaceTime.

My only concern around the implementation is that the system now needs to check a login request against up to 50 stored app-passwords. Does that not increase the chances of a breach by 50x? Good thing the passwords are secure, but I hope they are stored in a secure fashion on Apple's servers.

I would think they shouldn't be stored on Apple's servers at all if they're doing it right. Apple should store a hash of the password, not the password itself.

Anyway, the 50x thing is sort of true but that is easily cancelled out by adding one more random character to the end of the password. I haven't seen these app-specific passwords but I'm guessing they are long and random.

mw360 · Feb 12, 2015

BasicGreatGuy said:
I don't see anything overly hard about the two-step verification process.

Apple makes it very clear on their website what the process is about. Apple also makes the user pro-active in turning it on, so that there is no I didn't know what i did rhetoric.

If a person has trouble remembering passwords, it would behoove him or her to use a password manager like 1Password, in my opinion.

I use 1Password so that I don't have to remember every single password.

If someone doesn't want to use two-step verification, he or she doesn't have to.

Several people want all of this process centralized with one central password. However, I don't think that is a safe method to employ.

If people were already hacking into said programs and stealing information and changing account passwords, many Apple users would be up in Mac arms, because Apple wasn't doing enough.

It all comes down to how secure one wants to be.

He's right though, it's too complicated. Even if in actual usage it's very simple, Apple engineers here are being way too lazy in shoving their own jargon directly onto users. Look at the picture in the article. Tell me that every one you know would read that and know exactly what it means. Most people I know would just describe that as 'some error came up' and give up trying. It's wordy and opaque and exactly the sort of thing Apple used to claim to avoid.

Gizmotoy · Feb 12, 2015

If you're just generating an app-specific password, what's the second factor implied in two-factor authentication in this case? I thought Apple's Two Factor was always used password, device, or recovery key, pick two.

Edit: Wait, and this is rolling out to every application that uses iCloud? And you're limited to 25 app-specific passwords? How is that going to work?

Geniva · Feb 12, 2015

Ok. So I need to login to iCloud, iMessages, and FaceTime and generate unique passcodes for each one on an iPad? Why can't I just login ONCE and have all my services just work off that login?

inscrewtable · Feb 12, 2015

As the recent high profile photo hackings have shown, people are stupid and their stupidity harms Apple, therefore Apple are well within their rights to make the 'opt out' rather than 'opt in'.

Primejimbo · Feb 12, 2015

ad1815 said:
Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?

You have a background in IT and you can't keep up? I don't at all, or even close, and I think this is easy and great! My mom (who is over 60) has no issues with this at all either. Once it set up on a new device, you don't have to worry about it again until that device is replaced or you get another one.

You don't have to set this up, but don't be mad when someone hacks your iTunes account/Apple ID.

BasicGreatGuy said:
I don't see anything overly hard about the two-step verification process.

Apple makes it very clear on their website what the process is about. Apple also makes the user pro-active in turning it on, so that there is no I didn't know what i did rhetoric.

If a person has trouble remembering passwords, it would behoove him or her to use a password manager like 1Password, in my opinion.

I use 1Password so that I don't have to remember every single password.

If someone doesn't want to use two-step verification, he or she doesn't have to.

Several people want all of this process centralized with one central password. However, I don't think that is a safe method to employ.

If people were already hacking into said programs and stealing information and changing account passwords, many Apple users would be up in Mac arms, because Apple wasn't doing enough.

It all comes down to how secure one wants to be.

I have 1Password also and I don't remeber any passwords, maybe a few. I love those 2 step verification and it's a great extra layer of security.

Cmd-Z · Feb 12, 2015

Primejimbo said:
Once it set up on a new device, you don't have to worry about it again until that device is replaced or you get another one.

Not for app-specific passwords. Whenever you change the primary Apple ID password (which seems to be required about every 3-4 months), all your app-specific passwords are revoked, thus forcing you to re-do those each time your main password changes:

http://support.apple.com/en-us/HT6186

Primejimbo said:
You don't have to set this up, but don't be mad when someone hacks your iTunes account/Apple ID.

Unless I misunderstood the article, if you already have two-step verification enabled (a good thing) then you'll be required to use app-specific passwords for iMessage and FaceTime, because they don't support two-step verification (i.e. the code sent to an alternate device).

caesarp · Feb 12, 2015

What am I missing

I don't see the point? What is there in FaceTime or iMessage I need to secure? It's not like my SSN is stored there.

Apple Two-Step Verification Now Available for iMessage and FaceTime [Updated]

macrumors bot

Contributor

macrumors 6502a

macrumors 68040

macrumors G3

Cancelled

macrumors 601

macrumors member

Contributor

macrumors 6502a

macrumors 68000

Contributor

macrumors 604

macrumors 68000

macrumors 604

macrumors 68000

macrumors 65816

macrumors 68020

macrumors 68020

macrumors 65816

macrumors newbie

macrumors 68000

macrumors 68040

macrumors 6502a

macrumors 65816

Our Staff