Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Apple Two-Step Verification Now Available for iMessage and FaceTime [Updated]

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,430
11,813



Apple's two-step verification system now covers FaceTime and iMessage, reports The Guardian. Signing into an iMessage or FaceTime account protected by two-step verification will ask users to input an app specific password, which can only be obtained by logging in to an Apple ID account on the web with an authentication code, thereby preventing any unauthorized login attempts.

Two-factor verification is an opt-in system that was first introduced in March of 2013 to increase the security of Apple ID accounts. Prior to today, a verification code was only required for making changes to an account, signing into iCloud, or making iTunes/App Store purchases from a new device.

Two-factor authentication for iCloud is a recent addition that was implemented in September following the breach of several celebrity iCloud accounts, leading to a slew of leaked photos. The hacking incident led Apple to improve the security of iCloud and it also prompted the company to send out security emails when a device is restored, iCloud is accessed, or a password change is attempted.

Last month, a Medium post highlighting some of the remaining shortcomings of two-factor authentication was shared by several technology sites, which may have inspired Apple to update the service to protect iMessage and FaceTime accounts. The post pointed out that it was still possible to log into iMessage, FaceTime, iTunes, the App Store, and into the website using an account with two-factor authentication enabled without being asked for a verification code.

It seems two-factor authentication for iMessage and FaceTime may still be rolling out to users, as MacRumors was able to log into iMessage and FaceTime accounts with two-factor authentication enabled without a code.

Update: Two-factor authentication for iMessage and FaceTime seems to be more widely available now, and it appears that logging into an account requires an app specific password rather than a code to prevent unauthorized entry attempts.

Article Link: Apple Two-Step Verification Now Available for iMessage and FaceTime [Updated]
 

iMerik

macrumors 6502a
May 3, 2011
603
444
Upper Midwest
Signed out just now and was forced to use app-specific passwords.

Maybe this is a dumb question, but can't they just incorporate two-factor for both of these apps where you'd sign in with your AppleID password and be asked to send a code to your trusted iOS device or mobile number? Maybe that'll be an iOS9 deal.
 
Last edited:
Comment

jetjaguar

macrumors 68040
Apr 6, 2009
3,225
1,419
somewhere
Signed out just now and was forced to use app-specific passwords.

Maybe this is a dumb question, but can't they just incorporate two-factor for both of these apps where you'd sign in with your AppleID password and be asked to send a code to your trusted iOS device or mobile number? Maybe that'll be an iOS9 deal.

Yea i would like if my two step for my apple id covered everything instead of having to generate app specific passwords
 
Comment

kolax

macrumors G3
Mar 20, 2007
9,181
115
Yea i would like if my two step for my apple id covered everything instead of having to generate app specific passwords

Whole point in app specific passwords is that if that password gets compromised, your account is still safe.
 
Comment

ad1815

macrumors member
Oct 30, 2012
38
5
This is tooo complex!

Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?
 
Comment

Apple_Robert

Contributor
Sep 21, 2012
18,343
20,017
In the middle of several books.
Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?
I don't see anything overly hard about the two-step verification process.

Apple makes it very clear on their website what the process is about. Apple also makes the user pro-active in turning it on, so that there is no I didn't know what i did rhetoric.

If a person has trouble remembering passwords, it would behoove him or her to use a password manager like 1Password, in my opinion.

I use 1Password so that I don't have to remember every single password.

If someone doesn't want to use two-step verification, he or she doesn't have to.

Several people want all of this process centralized with one central password. However, I don't think that is a safe method to employ.

If people were already hacking into said programs and stealing information and changing account passwords, many Apple users would be up in Mac arms, because Apple wasn't doing enough.

It all comes down to how secure one wants to be.
 
Last edited:
Comment

iMerik

macrumors 6502a
May 3, 2011
603
444
Upper Midwest
Whole point in app specific passwords is that if that password gets compromised, your account is still safe.
The whole point of using multifactor is that a compromised password alone won't give you access to the account. I don't think you are making a good case for using app-specific over multifactor for iMessage and FaceTime, and I would venture to bet that we'll eventually see both apps using the verified iOS device and/or verified SMS device multifactor code instead of app-specific passwords. App-specific passwords are the opposite of easy to use compared to Apple's implementation of multifactor, which is the primary reason I say they'll eventually switch over to using it instead.

Also, if you read Apple's wording on pages like Frequently asked questions about two-step verification for Apple ID and Using app-specific passwords, you'll gather that Apple provides app-specific passwords if "I want to sign in to iCloud using an app that doesn’t support two-step verification for Apple ID" and "app-specific passwords are a feature of two-step verification that allow you to sign in to iCloud securely when you use third party apps." It's actually funny that iMessage and FaceTime now fall under the same category as third party apps in this case.
 
Last edited:
Comment

Apple_Robert

Contributor
Sep 21, 2012
18,343
20,017
In the middle of several books.
So how do I turn this on?

AppleMatt

https://appleid.apple.com

Sign into your account. Click on password and privacy. You will see the option to turn on two-step verification. Once you select it, you will have to wait 48 per Apple security measures, before the verification can go active, which involves going back to said website and going through the process.
 
Last edited:
Comment

coolfactor

macrumors 601
Jul 29, 2002
4,773
4,991
Vancouver, BC
I've recently started using multi-factor authentication at several service providers that I utilize in my company's infrastructure. I have become fond of the Google Authenticator approach whereby temporary codes are provided once a minute via the Authenticator app, and you need to enter the displayed code before it changes to a new code. This has worked extremely well.
 
Comment

AppleMatt

macrumors 68000
Mar 17, 2003
1,780
20
UK
https://appleid.apple.com

Sign into your account. Click on password and privacy. You will see the option to turn on two-step verification. Once you select it, you will have to wait 48 per Apple security measures, before the verification can go active, which involves going back to said website and going through the process.

Ah, perfect! Thanks - I signed in and out expecting it to prompt me.

AppleMatt
 
Comment

coolfactor

macrumors 601
Jul 29, 2002
4,773
4,991
Vancouver, BC
https://appleid.apple.com

Sign into your account. Click on password and privacy. You will see the option to turn on two-step verification. Once you select it, you will have to wait 48 per Apple security measures, before the verification can go active, which involves going back to said website and going through the process.

I didn't have to wait 48 hours. I was able to set up two-factor authentication immediately, and created an app-password for FaceTime.

My only concern around the implementation is that the system now needs to check a login request against up to 50 stored app-passwords. Does that not increase the chances of a breach by 50x? Good thing the passwords are secure, but I hope they are stored in a secure fashion on Apple's servers.
 
Comment

NMBob

macrumors 65816
Sep 18, 2007
1,258
1,066
New Mexico
Staying safe can be annoying, but the alternative can be a lot worse.:(

Yeah, someone could break into your phone and send an iMessage with one of the new emoticons that doesn't match your race, and then you could get sued for being racially insensitive. (colon, right parenthesis)
 
Comment

T-Will

macrumors 65816
Sep 8, 2008
1,028
409
At least Apple prompts and takes you directly to the app-specific password page, unlike other services I've used that repeatedly get a password error without explanation.
 
Comment

mw360

macrumors 68000
Aug 15, 2010
1,686
1,663
I didn't have to wait 48 hours. I was able to set up two-factor authentication immediately, and created an app-password for FaceTime.

My only concern around the implementation is that the system now needs to check a login request against up to 50 stored app-passwords. Does that not increase the chances of a breach by 50x? Good thing the passwords are secure, but I hope they are stored in a secure fashion on Apple's servers.

I would think they shouldn't be stored on Apple's servers at all if they're doing it right. Apple should store a hash of the password, not the password itself.

Anyway, the 50x thing is sort of true but that is easily cancelled out by adding one more random character to the end of the password. I haven't seen these app-specific passwords but I'm guessing they are long and random.
 
Comment

mw360

macrumors 68000
Aug 15, 2010
1,686
1,663
I don't see anything overly hard about the two-step verification process.

Apple makes it very clear on their website what the process is about. Apple also makes the user pro-active in turning it on, so that there is no I didn't know what i did rhetoric.

If a person has trouble remembering passwords, it would behoove him or her to use a password manager like 1Password, in my opinion.

I use 1Password so that I don't have to remember every single password.

If someone doesn't want to use two-step verification, he or she doesn't have to.

Several people want all of this process centralized with one central password. However, I don't think that is a safe method to employ.

If people were already hacking into said programs and stealing information and changing account passwords, many Apple users would be up in Mac arms, because Apple wasn't doing enough.

It all comes down to how secure one wants to be.

He's right though, it's too complicated. Even if in actual usage it's very simple, Apple engineers here are being way too lazy in shoving their own jargon directly onto users. Look at the picture in the article. Tell me that every one you know would read that and know exactly what it means. Most people I know would just describe that as 'some error came up' and give up trying. It's wordy and opaque and exactly the sort of thing Apple used to claim to avoid.
 
Comment

Gizmotoy

macrumors 65816
Nov 6, 2003
1,084
122
If you're just generating an app-specific password, what's the second factor implied in two-factor authentication in this case? I thought Apple's Two Factor was always used password, device, or recovery key, pick two.

Edit: Wait, and this is rolling out to every application that uses iCloud? And you're limited to 25 app-specific passwords? How is that going to work?
 
Comment

Geniva

macrumors newbie
Feb 17, 2011
14
1
Ok. So I need to login to iCloud, iMessages, and FaceTime and generate unique passcodes for each one on an iPad? Why can't I just login ONCE and have all my services just work off that login?
 
Comment

inscrewtable

macrumors 68000
Oct 9, 2010
1,627
390
As the recent high profile photo hackings have shown, people are stupid and their stupidity harms Apple, therefore Apple are well within their rights to make the 'opt out' rather than 'opt in'.
 
Comment

Primejimbo

macrumors 68040
Aug 10, 2008
3,295
131
Around
Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?
You have a background in IT and you can't keep up? I don't at all, or even close, and I think this is easy and great! My mom (who is over 60) has no issues with this at all either. Once it set up on a new device, you don't have to worry about it again until that device is replaced or you get another one.

You don't have to set this up, but don't be mad when someone hacks your iTunes account/Apple ID.

I don't see anything overly hard about the two-step verification process.

Apple makes it very clear on their website what the process is about. Apple also makes the user pro-active in turning it on, so that there is no I didn't know what i did rhetoric.

If a person has trouble remembering passwords, it would behoove him or her to use a password manager like 1Password, in my opinion.

I use 1Password so that I don't have to remember every single password.

If someone doesn't want to use two-step verification, he or she doesn't have to.

Several people want all of this process centralized with one central password. However, I don't think that is a safe method to employ.

If people were already hacking into said programs and stealing information and changing account passwords, many Apple users would be up in Mac arms, because Apple wasn't doing enough.

It all comes down to how secure one wants to be.

I have 1Password also and I don't remeber any passwords, maybe a few. I love those 2 step verification and it's a great extra layer of security.
 
Comment

Cmd-Z

macrumors 6502
Nov 14, 2014
493
522
Coyote, CA
Once it set up on a new device, you don't have to worry about it again until that device is replaced or you get another one.
Not for app-specific passwords. Whenever you change the primary Apple ID password (which seems to be required about every 3-4 months), all your app-specific passwords are revoked, thus forcing you to re-do those each time your main password changes:

http://support.apple.com/en-us/HT6186


You don't have to set this up, but don't be mad when someone hacks your iTunes account/Apple ID.
Unless I misunderstood the article, if you already have two-step verification enabled (a good thing) then you'll be required to use app-specific passwords for iMessage and FaceTime, because they don't support two-step verification (i.e. the code sent to an alternate device).
 
Comment

caesarp

macrumors 6502a
Sep 30, 2012
967
388
What am I missing

I don't see the point? What is there in FaceTime or iMessage I need to secure? It's not like my SSN is stored there.
 
Last edited:
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.