Also see my other post re an alternative. Add a second iCloud account to your phone, and turn off all checkboxes (mail, contacts, etc.). Then you get the normal-style (push) codes on that device. Downside is you need to do it on every device where you want to receive codes (whereas iMessage is already probably set up on all your devices). Six of one, half dozen of the other.
Thanks again. I prefer your first method.

Not the best thought-out process by Apple
 
This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare. :(

Exactly, so basically we now need a device that is basically just to authenticate the login. And if you are a developer managing multiple accounts, you need multiple devices.
Skimming some of these comments as I'm not a dev myself, the consensus seems to be that this is awkward at best, doomsday at worst.

Why doesn't Apple just nuke these shady devs?

What does 2FA authentication have to do with shady devs?
 
Exactly, so basically we now need a device that is basically just to authenticate the login. And if you are a developer managing multiple accounts, you need multiple devices.

What does 2FA authentication have to do with shady devs?
If you have the password to the account, you might as well just add the iCloud account as a secondary account on your phone and live with it. You don’t need multiple devices for multiple accounts - just add each iCloud account as a new account on your device and turn off all the checkboxes.
 
2FA is generally a good idea in any case, even putting aside the account-sharing issue (which isn’t really what all the reporting has been about lately anyway). It’s just that apple’s method of 2FA, while “neat” in some ways, leaves a lot to be desired in other ways. For example, it would be nice to be able to use appleid.apple.com and just add devices to receive codes by push, without regard to phone numbers, iCloud accounts “installed” on the device, etc. You can’t even set up 2FA without a device - you can’t do it on the web.

Picking and choosing which devices would actually be pretty awesome. I know that if I get a 2FA prompt now and I don't have my phone in front of me, I get to run around my apartment playing whack-an-apple to see which device got the message.
 
What does 2FA authentication have to do with shady devs?

Because shady devs apparently have been hacking into the Developer Portal accounts of stupid devs who use weak passwords. This enables them to obtain assets needed to re-sign the stupid dev's apps with their own Enterprise signature.

Some shady devs might even hack into GitHub, Bitbucket, etc. to obtain actual source code. Of course, Apple has no control over that.

Honestly, there is NO need for 2FA so long as strong passwords are used, and rotated on a regular basis.

If you are using 2FA, and not offering the use of a hardware security device (dongle or keypad-equipped appliance), you might as well not bother. Apple does not to my knowledge offer this option.

The device has an accurate clock. The login server (or some hardware device attached to a login server) has an accurate clock. After providing user ID and password, the server challenges the user to provide a one-time code. The user punches a personally-selected PIN into the device. The device provides a one-time code. The code is typically good for one minute or so. An algorithm present in both the device and the server (or some device connected to the server) is able to generate the same one-time code based on current time and security device ID (each is of course unique) and the codes are compared. If an account might be shared by multiple individuals, multiple security devices would have to be registered. Typically, these are small devices that people carry on their physical keychain.

MOST banks offer this option and typically provide the appliance for free for large accounts. They only cost a few dollars, in any case.

I will have to review, there was a notice from Apple when last I logged-in to the developer portal about changes in how linked accounts are handled. I *think* this might be related to some mitigation of the need to ever actually log-in to a company account after initial setup, assuming sufficient privileges have been given to linked accounts. Will go read when I have time, obviously soon!
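The time-synchronized token described a few paragraphs up is, in its standard form, RFC 6238 TOTP (the same scheme authenticator apps implement). The following is an added example, not code from this thread or from Apple: it generates and checks such codes on the server side, accepts one step of clock drift, refuses a code that has already been accepted, and lets several tokens be registered to one shared account, which is what a role account would need. It assumes a per-token shared secret stored at registration (as RFC 6238 does, rather than deriving codes from a device ID alone); the TokenRegistry class, its method names, the token ids and the second secret in the usage are this example's own, and the 30-second step is the RFC default rather than the "one minute or so" mentioned above.

```python
"""Time-based one-time codes (RFC 6238 TOTP) with a small server-side token registry.

Added example, not code from the thread or from Apple. Assumes each registered
token shares a per-device secret with the server (as RFC 6238 does). The
TokenRegistry class and its method names are this example's own.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30   # RFC 6238 default; a "one minute or so" token would use 60
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


class TokenRegistry:
    """Server-side view: several tokens can be registered to one (shared) account."""

    def __init__(self, step: int = STEP_SECONDS, window: int = 1) -> None:
        self.step = step
        self.window = window                      # accept +/- this many steps of clock drift
        self.secrets: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}    # highest step already accepted, per token

    def register(self, token_id: str, secret: bytes) -> None:
        self.secrets[token_id] = secret
        self.last_counter[token_id] = -1

    def verify(self, token_id: str, submitted: str, at: Optional[int] = None) -> bool:
        """Compare the submitted code against the codes for nearby time steps, in constant time.
        A step that was already accepted is refused, so a captured code cannot be replayed
        inside the drift window."""
        secret = self.secrets.get(token_id)
        if secret is None:
            return False
        now = int(time.time()) if at is None else at
        base = now // self.step
        for skew in range(-self.window, self.window + 1):
            counter = base + skew
            if hmac.compare_digest(hotp(secret, counter), submitted):
                if counter <= self.last_counter[token_id]:
                    return False              # replay of an already-used step
                self.last_counter[token_id] = counter
                return True
        return False

    def verify_any(self, submitted: str, at: Optional[int] = None) -> Optional[str]:
        """For a role account with several registered tokens: return the id of the
        token whose code matched, or None if none did."""
        for token_id in self.secrets:
            if self.verify(token_id, submitted, at):
                return token_id
        return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); second secret is constructed.
    registry = TokenRegistry()
    registry.register("keyfob-A", b"12345678901234567890")
    registry.register("keyfob-B", b"constructed-second-secret")
    code = totp(b"12345678901234567890", 59)
    print("code at t=59:", code, "->", registry.verify_any(code, at=59))
    print("same code again:", registry.verify_any(code, at=59))   # replay is refused
```

The replay check is what separates a real verifier from a bare code comparison: within the drift window the same code is valid for up to three steps, so the server has to remember the last accepted step per token. With several tokens on one account, each keeps its own counter, and the id returned by verify_any gives an audit trail of which person's token was used.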
 
Also see my other post re an alternative. Add a second iCloud account to your phone, and turn off all checkboxes (mail, contacts, etc.). Then you get the normal-style (push) codes on that device. Downside is you need to do it on every device where you want to receive codes (whereas iMessage is already probably set up on all your devices). Six of one, half dozen of the other.

2FA is generally a good idea in any case, even putting aside the account-sharing issue (which isn’t really what all the reporting has been about lately anyway). It’s just that apple’s method of 2FA, while “neat” in some ways, leaves a lot to be desired in other ways. For example, it would be nice to be able to use appleid.apple.com and just add devices to receive codes by push, without regard to phone numbers, iCloud accounts “installed” on the device, etc. You can’t even set up 2FA without a device - you can’t do it on the web.

But what about people like me who have one Apple ID for all store purchases (shared with wife and kids) and a second Apple ID for their own private iCloud syncing and data?

Can developers just add the 3rd Apple ID in Settings > Passwords and Accounts > Add Account?
 
But what about people like me who have one Apple ID for all store purchases (shared with wife and kids) and a second Apple ID for their own private iCloud syncing and data?

Can developers just add the 3rd Apple ID in Settings > Passwords and Accounts > Add Account?
Yes. In fact, that’s what I do.

You need to first *enable* 2FA for the developer account (probably using the Mac user account trick I detail above). Once you do that and remove the user, you can then add the account as yet another iCloud account to your iPhone (or whatever devices you want), disable email, contacts, etc. on that account, and then receive push notifications of 2FA codes to the device. You can even do it with multiple developer accounts, mixtures of developer and iTunes artist/iBooks author accounts, etc.
 
This is extremely problematic for my use-case. I'm the Apple Developer/Connect admin for a very large organization that publishes multiple apps from multiple developers/app managers under our license.

Due to turnover and the account being tied to a large organization, the "owner" of the account is more of a role account, and not really tied to an individual with a particular number/device.

IMO if Apple really wants to enforce two factor, they need to offer more two-factor options or account for role-based accounts in a better way. This is going to be anywhere from a huge PITA to a nightmare. :(

Apple is looking for a PR solution, not a real solution. 2 factor the way Apple does it is not more secure, except maybe in a few very minor edge cases. To be secure, 2 factor needs to use a separate device from the one the login originated that always requires a password to access the key. The password needs to be different from the normal account password and it needs to be always locked. Apple marketing is engaging in security theater here at the detriment of users.
 
The shady developers can lie about themselves & make new accounts.

While there would always be a game of whack-a-pirate going on, at least by killing the accounts, Apple would interrupt their cash flow and possibly break all of the pirated apps, punishing the jagoffs who won't pay legit developers.
 
Thanks to cmaier's tips given on this thread, this is what I have done:
  1. switched to an administrator account I had set up before for special/rescue purposes.
  2. used my dev Apple ID as the iCloud account and activated TF auth. Gave my iPhone #.
  3. logged out from iCloud from the preferences panel.
  4. logged out from the admin account on the Mac (Mojave). Did NOT delete the account, since it is there for a purpose.
  5. logged back in to my normal account, where dev work is done and iCloud uses a personal Apple ID (whose iCloud Drive is heavily used to test my own application development).
  6. my normal working session always has Messages.app open, since we use it for quick info exchange. Messages uses the personal iCloud account, with the same phone number given at step #2.
  7. logged in to the dev portal and got the TF number in Messages.app (on the Mac), as an iMessage.
  8. important to note: the pop-up panel to enter the auth number does autofill from Messages on the Mac if the application is open and configured with the relevant email and/or number.
So, in short: if you keep Messages.app open on the Mac after setting it up correctly, you do not have to bother hunting for your iPhone or typing any number.

All in all, this setup is ok to me. Secure and not very cumbersome. It may not apply to large teams, however. But the Messages.app trick is a plus.
 
I still don't understand why Apple doesn't offer the option to use other 2-factor authentication methods, like the code method that almost every other service uses. That way you could allow as many people as needed to use that code, via 1Password, Google Authenticator, etc.
 