Apple Requiring Two-Factor Authentication for Developer Accounts as of February 27

[MacRumors]

Starting on February 27, Apple will be requiring all developers to have two-factor authentication enabled for their Apple IDs, with two-factor necessary for signing into Developer accounts after that date.

Apple today told developers via email that the requirement is being implemented to help keep developer accounts more secure and to make sure that no third-parties can access a developer account.

Developers who do not have two-factor authentication enabled for their Apple IDs will need to turn it on by February 27.

Two-factor authentication can be enabled on an iPhone or Mac by following Apple's instructions. Once enabled, a verification code from a trusted device will be required when logging in to a developer account.

Article Link: Apple Requiring Two-Factor Authentication for Developer Accounts as of February 27

 

[cmaier]

Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done. Remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.

 

[KazKam]

This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare.

 

[zorinlynx]

This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare.

I know, the first thing I thought when I read this was "Who the hell uses their personal Apple ID for a dev account?"

Apple needs to allow for receiving two factor codes for multiple Apple IDs on one device, otherwise this is going to piss people the hell off.

 

[LovedMacFirst]

We actually have the same issue above. Not sure why Apple has not embraced dual Apple IDs. Dropbox as an example did a great job at having Personal and Work accounts on a single install.

The options available to solve this issue are all pretty bad.

 

[cmaier]

Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done. Remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.

Also, if you log off the account prior to removing the user, OR you remove the device in appleid.apple.com, then you don’t have to click a link each time. You will receive an iMessage each time you need to provide a code.

 

[jtara]

This is awful. And stupid. And awfully stupid.

For our company account, NOBODY logs in to an Apple device using that ID. That will apply for most companies. Fortunately, need to log in with that account is minimal, since each developer uses their own linked account. When somebody DOES log in (to accept terms and conditions, to pay the yearly bill, etc. etc.) it will be different people who have access to the password.

The phone number goes to a VOIP line.

My own developer account is separate from the account that I log in to my Mac and iDevices with. Because I thought that was a Good Idea. At least I can verify by SMS.

But of course, SMS is a TERRIBLE way to do 2-factor authentication.

If they want to get serious, allow 2-factor with a dongle. And allow multiple dongles to be registered per account.

 

[cmaier]

This is awful. And stupid. And awfully stupid.

For our company account, NOBODY logs in to an Apple device using that ID. That will apply for most companies. Fortunately, need to log in with that account is minimal, since each developer uses their own linked account. When somebody DOES log in (to accept terms and conditions, to pay the yearly bill, etc. etc.) it will be different people who have access to the password.

The phone number goes to a VOIP line.

My own developer account is separate from the account that I log in to my Mac and iDevices with. Because I thought that was a Good Idea. At least I can verify by SMS.

But of course, SMS is a TERRIBLE way to do 2-factor authentication.

If they want to get serious, allow 2-factor with a dongle. And allow multiple dongles to be registered per account.

It uses iMessage, not sms, when you follow my suggestion.

 

[Kabeyun]

Excellent. Leader in privacy & account security. Now maybe they’ll get sued for it.

 

[DynoRunnerr]

This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare.

Huh ? Have the organization enroll devices, those devices can be used for two-factor ?

 

[JosephAW]

Soon this will be mandatory for all iOS users.

 

[xplora]

Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done. Remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.

Once you have done this, and I assume (only because it is this way in my case) if your devices are using the Apple ID for purchasing, and you add it as a secondary iCloud account, it will add the device as a trusted device (even if you do not complete the setup of the second account).

In short, yes, a single device can be a trusted device for more than one Apple ID.

 

[ZZ Bottom]

This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare.

In the exact same boat. What we opted to do was to setup one of our primary test devices (an iPhone X) as the two factor device and use that every time we have to authenticate. It’s not great, but since that device stays securely in the dev team area it can be obtained as needed.

I agree though and wish Apple had a better arrangement for our situations.

 

[cmaier]

Once you have done this, and I assume (only because it is this way in my case) if your devices are using the Apple ID for purchasing, and you add it as a secondary iCloud account, it will add the device as a trusted device (even if you do not complete the setup of the second account).

In short, yes, a single device can be a trusted device for more than one Apple ID.

Also true, for those who are using that Apple ID for another purpose (like iTunes music, or whatever), though I assume most people who are using a second iCloud account for appstoreconnect aren’t using it for anything else.

 

[jtara]

What we opted to do was to setup one of our primary test devices (an iPhone X) as the two factor device and use that every time we have to authenticate. It’s not great, but since that device stays securely in the dev team area it can be obtained as needed.

We do not have a "dev team area".

No two people are in the same physical location.

At least I'd only have to drive 20 miles to implement this scheme. Other teams would need to send somebody a two-day journey across the planet.

Hello, Apple? Wake up. It's 2019. There are distributed development teams!

Contacting a person designated to access the company account as needed is not a good solution either, when the person might be asleep at the time...

I could see this if Apple offered more diverse 2FA choices.

The work-arounds will make accounts LESS secure!

Yes, every developer should be working using their own account. But there is always a "master" account they are connected to and there comes from time to time to do things that can only be done on that account. And it is common to need to have multiple individuals who have access to that account.

IMO, it would be ABSOLUTELY FOOLISH for that account to be somebody's personal Apple account that they use on their personal devices.

Or ANY Apple devices, for that matter!

The most secure thing is for that account to be used for one purpose, and one purpose only!

 

[cmaier]

Another simple solution: on each device where you want to see codes, simply go to settings, accounts, add account, iCloud. Toggle off mail, notes, calendar, etc. so nothing is selected.

Now you receive official Apple 2-factor notifications on that device. (You can have multiple iCloud accounts)

 

[usarioclave]

Why exactly do my accounts need to be more secure? Become someone is abusing the enterprise certificate program?

 

[racerhomie]

I am extremely happy about this. I hope within iOS 13 apple forces all user accounts with 2FA. Or they should keep more new features only for accounts to 2FA. We are humans & passwords are super easy to crack.

I do know that 70%+ of iTunes accounts are already 2FA enabled. So, hopefully their Black market value increases.

 

[C DM]

I am extremely happy about this. I hope within iOS 13 apple forces all user accounts with 2FA. Or they should keep more new features only for accounts to 2FA. We are humans & passwords are super easy to crack.

I do know that 70%+ of iTunes accounts are already 2FA enabled. So, hopefully their Black market value increases.

They should go with DNA checks to make it all more secure.

 

[Kelvin_Cheng]

What will happen if some developers forget to check emails and have not enabled 2-factor authentication after Feb 27 2019?
Will they be locked out from Apple developer account permanently?

 

[cmaier]

What will happen if some developers forget to check emails and have not enabled 2-factor authentication after Feb 27 2019?
Will they be locked out from Apple developer account permanently?

No, but they wont have access to the developer portals until they set it up.

 

[Pagemakers]

Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done. Remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.

Thanks for the heads up.

Apple - what another STUPID idea!

 

[H3LL5P4WN]

Skimming some of these comments as I'm not a dev myself, the consensus seems to be that this is awkward at best, doomsday at worst.

Why doesn't Apple just nuke these shady devs?

 

[mdatwood]

While not the most secure, you can just use any phone number as the 2fa. Apple does not force a device to be setup or used.

 

[cmaier]

Thanks for the heads up.

Apple - what another STUPID idea!

Also see my other post re an alternative. Add a second iCloud account to your phone, and turn off all checkboxes (mail, contacts, etc.). Then you get the normal-style (push) codes on that device. Downside is you need to do it on every device where you want to receive codes (whereas iMessage is already probably set up on all your devices). Six of one, half dozen of the other.
[doublepost=1550154925][/doublepost]

Skimming some of these comments as I'm not a dev myself, the consensus seems to be that this is awkward at best, doomsday at worst.

Why doesn't Apple just nuke these shady devs?

2FA is generally a good idea in any case, even putting aside the account-sharing issue (which isn’t really what all the reporting has been about lately anyway). It’s just that apple’s method of 2FA, while “neat” in some ways, leaves a lot to be desired in other ways. For example, it would be nice to be able to use appleid.apple.com and just add devices to receive codes by push, without regard to phone numbers, iCloud accounts “installed” on the device, etc. You can’t even setup 2FA without a device - you can’t do it on the web.