Apple Requiring Two-Factor Authentication for Developer Accounts as of February 27

MacRumors

macrumors bot
Original poster
Apr 12, 2001
7,429
8,491



Starting on February 27, Apple will be requiring all developers to have two-factor authentication enabled for their Apple IDs, with two-factor necessary for signing into Developer accounts after that date.

Apple today told developers via email that the requirement is being implemented to help keep developer accounts more secure and to make sure that no third parties can access a developer account.


Developers who do not have two-factor authentication enabled for their Apple IDs will need to turn it on by February 27.

Two-factor authentication can be enabled on an iPhone or Mac by following Apple's instructions. Once enabled, a verification code from a trusted device will be required when logging in to a developer account.

 

cmaier

macrumors G5
Jul 25, 2007
14,048
8,522
California
Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done, remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.
 

KazKam

macrumors 6502
Oct 25, 2011
475
1,581
This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare. :(
 

zorinlynx

macrumors 603
May 31, 2007
5,533
6,487
Florida, USA
This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare. :(
I know, the first thing I thought when I read this was "Who the hell uses their personal Apple ID for a dev account?"

Apple needs to allow for receiving two factor codes for multiple Apple IDs on one device, otherwise this is going to piss people the hell off.
 

LovedMacFirst

macrumors newbie
Feb 23, 2016
13
3
We actually have the same issue above. Not sure why Apple has not embraced dual Apple IDs. Dropbox as an example did a great job at having Personal and Work accounts on a single install.

The options available to solve this issue are all pretty bad.
 

cmaier

macrumors G5
Jul 25, 2007
14,048
8,522
California
Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done, remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.

Also, if you log off the account prior to removing the user, OR you remove the device in appleid.apple.com, then you don’t have to click a link each time. You will receive an iMessage each time you need to provide a code.
 

jtara

macrumors 68000
Mar 23, 2009
1,826
432
This is awful. And stupid. And awfully stupid.

For our company account, NOBODY logs in to an Apple device using that ID. That will apply for most companies. Fortunately, need to log in with that account is minimal, since each developer uses their own linked account. When somebody DOES log in (to accept terms and conditions, to pay the yearly bill, etc. etc.) it will be different people who have access to the password.

The phone number goes to a VOIP line.

My own developer account is separate from the account that I log in to my Mac and iDevices with. Because I thought that was a Good Idea. At least I can verify by SMS.

But of course, SMS is a TERRIBLE way to do 2-factor authentication.

If they want to get serious, allow 2-factor with a dongle. And allow multiple dongles to be registered per account.
 

cmaier

macrumors G5
Jul 25, 2007
14,048
8,522
California
This is awful. And stupid. And awfully stupid.

For our company account, NOBODY logs in to an Apple device using that ID. That will apply for most companies. Fortunately, need to log in with that account is minimal, since each developer uses their own linked account. When somebody DOES log in (to accept terms and conditions, to pay the yearly bill, etc. etc.) it will be different people who have access to the password.

The phone number goes to a VOIP line.

My own developer account is separate from the account that I log in to my Mac and iDevices with. Because I thought that was a Good Idea. At least I can verify by SMS.

But of course, SMS is a TERRIBLE way to do 2-factor authentication.

If they want to get serious, allow 2-factor with a dongle. And allow multiple dongles to be registered per account.
It uses iMessage, not sms, when you follow my suggestion.
 

DynoRunnerr

macrumors newbie
Jan 29, 2019
12
38
This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare. :(
Huh? Have the organization enroll devices, those devices can be used for two-factor?
 

xplora

macrumors member
Sep 23, 2010
69
42
Hamilton, New Zealand
Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done, remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.
Once you have done this, and I assume (only because it is this way in my case) if your devices are using the Apple ID for purchasing, and you add it as a secondary iCloud account, it will add the device as a trusted device (even if you do not complete the setup of the second account).

In short, yes, a single device can be a trusted device for more than one Apple ID.
 

ZZ Bottom

macrumors 6502a
Apr 14, 2010
798
187
This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare. :(
In the exact same boat. What we opted to do was to set up one of our primary test devices (an iPhone X) as the two factor device and use that every time we have to authenticate. It’s not great, but since that device stays securely in the dev team area it can be obtained as needed.

I agree though and wish Apple had a better arrangement for our situations.
 

cmaier

macrumors G5
Jul 25, 2007
14,048
8,522
California
Once you have done this, and I assume (only because it is this way in my case) if your devices are using the Apple ID for purchasing, and you add it as a secondary iCloud account, it will add the device as a trusted device (even if you do not complete the setup of the second account).

In short, yes, a single device can be a trusted device for more than one Apple ID.
Also true, for those who are using that Apple ID for another purpose (like iTunes music, or whatever), though I assume most people who are using a second iCloud account for appstoreconnect aren’t using it for anything else.
 

jtara

macrumors 68000
Mar 23, 2009
1,826
432
What we opted to do was to set up one of our primary test devices (an iPhone X) as the two factor device and use that every time we have to authenticate. It’s not great, but since that device stays securely in the dev team area it can be obtained as needed.
We do not have a "dev team area".

No two people are in the same physical location.

At least I'd only have to drive 20 miles to implement this scheme. Other teams would need to send somebody a two-day journey across the planet.

Hello, Apple? Wake up. It's 2019. There are distributed development teams!

Contacting a person designated to access the company account as needed is not a good solution either, when the person might be asleep at the time...

I could see this if Apple offered more diverse 2FA choices.

The work-arounds will make accounts LESS secure!

Yes, every developer should be working using their own account. But there is always a "master" account they are connected to, and there comes a need from time to time to do things that can only be done on that account. And it is common to need to have multiple individuals who have access to that account.

IMO, it would be ABSOLUTELY FOOLISH for that account to be somebody's personal Apple account that they use on their personal devices.

Or ANY Apple devices, for that matter!

The most secure thing is for that account to be used for one purpose, and one purpose only!
 

cmaier

macrumors G5
Jul 25, 2007
14,048
8,522
California
Another simple solution: on each device where you want to see codes, simply go to settings, accounts, add account, iCloud. Toggle off mail, notes, calendar, etc. so nothing is selected.

Now you receive official Apple 2-factor notifications on that device. (You can have multiple iCloud accounts)
 

racerhomie

macrumors 6502
Aug 14, 2015
346
594
I am extremely happy about this. I hope within iOS 13 Apple forces all user accounts with 2FA. Or they should keep more new features only for accounts to 2FA. We are humans & passwords are super easy to crack.

I do know that 70%+ of iTunes accounts are already 2FA enabled. So, hopefully their black market value increases.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
47,469
15,999
I am extremely happy about this. I hope within iOS 13 Apple forces all user accounts with 2FA. Or they should keep more new features only for accounts to 2FA. We are humans & passwords are super easy to crack.

I do know that 70%+ of iTunes accounts are already 2FA enabled. So, hopefully their black market value increases.
They should go with DNA checks to make it all more secure.
 

Kelvin_Cheng

macrumors newbie
Jul 18, 2018
3
0
What will happen if some developers forget to check emails and have not enabled 2-factor authentication after Feb 27 2019?
Will they be locked out from Apple developer account permanently?
 

cmaier

macrumors G5
Jul 25, 2007
14,048
8,522
California
What will happen if some developers forget to check emails and have not enabled 2-factor authentication after Feb 27 2019?
Will they be locked out from Apple developer account permanently?
No, but they won't have access to the developer portals until they set it up.
 

Pagemakers

macrumors 68020
Mar 28, 2008
2,441
723
Manchester UK
Since you all are using a secondary iCloud account, like me, here’s the trick:

On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done, remove the user account.

Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.
Thanks for the heads up.

Apple - what another STUPID idea!
 

H3LL5P4WN

macrumors 68020
Jun 19, 2010
2,208
2,205
Pittsburgh PA
Skimming some of these comments as I'm not a dev myself, the consensus seems to be that this is awkward at best, doomsday at worst.

Why doesn't Apple just nuke these shady devs?
 

cmaier

macrumors G5
Jul 25, 2007
14,048
8,522
California
Thanks for the heads up.

Apple - what another STUPID idea!
Also see my other post re an alternative. Add a second iCloud account to your phone, and turn off all checkboxes (mail, contacts, etc.). Then you get the normal-style (push) codes on that device. Downside is you need to do it on every device where you want to receive codes (whereas iMessage is already probably set up on all your devices). Six of one, half dozen of the other.
Skimming some of these comments as I'm not a dev myself, the consensus seems to be that this is awkward at best, doomsday at worst.

Why doesn't Apple just nuke these shady devs?
2FA is generally a good idea in any case, even putting aside the account-sharing issue (which isn’t really what all the reporting has been about lately anyway). It’s just that Apple’s method of 2FA, while “neat” in some ways, leaves a lot to be desired in other ways. For example, it would be nice to be able to use appleid.apple.com and just add devices to receive codes by push, without regard to phone numbers, iCloud accounts “installed” on the device, etc. You can’t even set up 2FA without a device - you can’t do it on the web.
 