Apple Requiring Two-Factor Authentication for Developer Accounts as of February 27

Discussion in 'iOS Blog Discussion' started by MacRumors, Feb 13, 2019.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Starting on February 27, Apple will be requiring all developers to have two-factor authentication enabled for their Apple IDs, with two-factor necessary for signing into Developer accounts after that date.

    Apple today told developers via email that the requirement is being implemented to help keep developer accounts more secure and to make sure that no third-parties can access a developer account.


    Developers who do not have two-factor authentication enabled for their Apple IDs will need to turn it on by February 27.

    Two-factor authentication can be enabled on an iPhone or Mac by following Apple's instructions. Once enabled, a verification code from a trusted device will be required when logging in to a developer account.

    Article Link: Apple Requiring Two-Factor Authentication for Developer Accounts as of February 27
  2. cmaier macrumors G5

    Jul 25, 2007
    Since you all are using a secondary iCloud account, like me, here’s the trick:

    On your Mac, create a new user account. Set up that account to use your developer iCloud account. You will be prompted to turn on 2factor. Do so. Give it your phone number. When it’s done. Remove the user account.

    Now, when you are prompted for 2factor, click the “I didn’t receive a code” link, and you can choose to send a code to your phone.
  3. KazKam macrumors 6502


    Oct 25, 2011
    This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

    Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

    IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare. :(
  4. zorinlynx macrumors 603


    May 31, 2007
    Florida, USA
    I know, the first thing I thought when I read this was "Who the hell uses their personal Apple ID for a dev account?"

    Apple needs to allow for receiving two factor codes for multiple Apple IDs on one device, otherwise this is going to piss people the hell off.
  5. LovedMacFirst macrumors newbie


    Feb 23, 2016
    We actually have the same issue above. Not sure why Apple has not embraced dual Apple IDs. Dropbox as an example did a great job at having Personal and Work accounts on a single install.

    The options available to solve this issue are all pretty bad.
  6. cmaier macrumors G5

    Jul 25, 2007

    Also, if you log off the account prior to removing the user, OR you remove the device in, then you don’t have to click a link each time. You will receive an iMessage each time you need to provide a code.
  7. jtara macrumors 68000

    Mar 23, 2009
    This is awful. And stupid. And awfully stupid.

    For our company account, NOBODY logs in to an Apple device using that ID. That will apply for most companies. Fortunately, need to log in with that account is minimal, since each developer uses their own linked account. When somebody DOES log in (to accept terms and conditions, to pay the yearly bill, etc. etc.) it will be different people who have access to the password.

    The phone number goes to a VOIP line.

    My own developer account is separate from the account that I log in to my Mac and iDevices with. Because I thought that was a Good Idea. At least I can verify by SMS.

    But of course, SMS is a TERRIBLE way to do 2-factor authentication.

    If they want to get serious, allow 2-factor with a dongle. And allow multiple dongles to be registered per account.
  8. cmaier macrumors G5

    Jul 25, 2007
    It uses iMessage, not sms, when you follow my suggestion.
  9. Kabeyun macrumors 68000


    Mar 27, 2004
    Eastern USA
    Excellent. Leader in privacy & account security. Now maybe they’ll get sued for it.
  10. DynoRunnerr macrumors newbie

    Jan 29, 2019
    Huh ? Have the organization enroll devices, those devices can be used for two-factor ?
  11. JosephAW macrumors 68020


    May 14, 2012
    Soon this will be mandatory for all iOS users.
  12. xplora, Feb 13, 2019
    Last edited: Feb 13, 2019

    xplora macrumors member

    Sep 23, 2010
    Hamilton, New Zealand
    Once you have done this, and I assume (only because it is this way in my case) if your devices are using the Apple ID for purchasing, and you add it as a secondary iCloud account, it will add the device as a trusted device (even if you do not complete the setup of the second account).

    In short, yes, a single device can be a trusted device for more than one Apple ID.
  13. ZZ Bottom macrumors 6502a

    Apr 14, 2010
    In the exact same boat. What we opted to do was to setup one of our primary test devices (an iPhone X) as the two factor device and use that every time we have to authenticate. It’s not great, but since that device stays securely in the dev team area it can be obtained as needed.

    I agree though and wish Apple had a better arrangement for our situations.
  14. cmaier macrumors G5

    Jul 25, 2007
    Also true, for those who are using that Apple ID for another purpose (like iTunes music, or whatever), though I assume most people who are using a second iCloud account for appstoreconnect aren’t using it for anything else.
  15. jtara macrumors 68000

    Mar 23, 2009
    We do not have a "dev team area".

    No two people are in the same physical location.

    At least I'd only have to drive 20 miles to implement this scheme. Other teams would need to send somebody a two-day journey across the planet.

    Hello, Apple? Wake up. It's 2019. There are distributed development teams!

    Contacting a person designated to access the company account as needed is not a good solution either, when the person might be asleep at the time...

    I could see this if Apple offered more diverse 2FA choices.

    The work-arounds will make accounts LESS secure!

    Yes, every developer should be working using their own account. But there is always a "master" account they are connected to and there comes from time to time to do things that can only be done on that account. And it is common to need to have multiple individuals who have access to that account.

    IMO, it would be ABSOLUTELY FOOLISH for that account to be somebody's personal Apple account that they use on their personal devices.

    Or ANY Apple devices, for that matter!

    The most secure thing is for that account to be used for one purpose, and one purpose only!
  16. cmaier macrumors G5

    Jul 25, 2007
    Another simple solution: on each device where you want to see codes, simply go to settings, accounts, add account, iCloud. Toggle off mail, notes, calendar, etc. so nothing is selected.

    Now you receive official Apple 2-factor notifications on that device. (You can have multiple iCloud accounts)
  17. usarioclave macrumors 65816

    Sep 26, 2003
    Why exactly do my accounts need to be more secure? Become someone is abusing the enterprise certificate program?
  18. racerhomie macrumors regular


    Aug 14, 2015
    I am extremely happy about this. I hope within iOS 13 apple forces all user accounts with 2FA. Or they should keep more new features only for accounts to 2FA. We are humans & passwords are super easy to crack.

    I do know that 70%+ of iTunes accounts are already 2FA enabled. So, hopefully their Black market value increases.
  19. C DM macrumors Sandy Bridge

    Oct 17, 2011
    They should go with DNA checks to make it all more secure.
  20. Kelvin_Cheng macrumors newbie

    Jul 18, 2018
    What will happen if some developers forget to check emails and have not enabled 2-factor authentication after Feb 27 2019?
    Will they be locked out from Apple developer account permanently?
  21. cmaier macrumors G5

    Jul 25, 2007
    No, but they wont have access to the developer portals until they set it up.
  22. Pagemakers macrumors 68020


    Mar 28, 2008
    Manchester UK
    Thanks for the heads up.

    Apple - what another STUPID idea!
  23. H3LL5P4WN macrumors 68000


    Jun 19, 2010
    Pittsburgh PA
    Skimming some of these comments as I'm not a dev myself, the consensus seems to be that this is awkward at best, doomsday at worst.

    Why doesn't Apple just nuke these shady devs?
  24. mdatwood macrumors 6502a

    Mar 14, 2010
    Denver, CO
    While not the most secure, you can just use any phone number as the 2fa. Apple does not force a device to be setup or used.
  25. cmaier macrumors G5

    Jul 25, 2007
    Also see my other post re an alternative. Add a second iCloud account to your phone, and turn off all checkboxes (mail, contacts, etc.). Then you get the normal-style (push) codes on that device. Downside is you need to do it on every device where you want to receive codes (whereas iMessage is already probably set up on all your devices). Six of one, half dozen of the other.
    --- Post Merged, Feb 14, 2019 ---
    2FA is generally a good idea in any case, even putting aside the account-sharing issue (which isn’t really what all the reporting has been about lately anyway). It’s just that apple’s method of 2FA, while “neat” in some ways, leaves a lot to be desired in other ways. For example, it would be nice to be able to use and just add devices to receive codes by push, without regard to phone numbers, iCloud accounts “installed” on the device, etc. You can’t even setup 2FA without a device - you can’t do it on the web.

Share This Page