Apple Two-Step Verification Now Available for iMessage and FaceTime [Updated]

[Primejimbo]

Not for app-specific passwords. Whenever you change the primary Apple ID password (which seems to be required about every 3-4 months), all your app-specific passwords are revoked, thus forcing you to re-do those each time your main password changes:

http://support.apple.com/en-us/HT6186

Who changes their password every 3-4 months? Last time I did was almost a year ago. I only did it because I wanted something stonger too.

Unless I misunderstood the article, if you already have two-step verification enabled (a good thing) then you'll be required to use app-specific passwords for iMessage and FaceTime, because they don't support two-step verification (i.e. the code sent to an alternate device).

Yes the article is correct, but once set up, that's it. You only need to do it again when you add or switch a device. No different than having Outlook or gmail work with your mail app if you use 2 step verification.

 

[Avenged110]

I don't see the point? What is there in FaceTime or iMessage I need to secure? It's not like my SSN is stored there.

Along these lines, I wish there was a way to use two-factor exclusively for information that is actually valuable to me. For example, require a code when viewing any account related pages that include credit card, address, etc. or before purchasing anything, but don't get in the way for things like iCloud where there's nothing of real value.

 

[Small White Car]

I don't see the point? What is there in FaceTime or iMessage I need to secure? It's not like my SSN is stored there.

Well, considering that banks are now using a text message as THEIR 2-factor authentication and the fact that texts sync with iMessage and... well you start to see the problem. Your life is becoming a web and entire thing is only as strong as its weakest point.

 

[Primejimbo]

I don't see the point? What is there in FaceTime or iMessage I need to secure? It's not like my SSN is stored there.

So you don't care your talking to a friend, family member, or a loved one and some can read everything and see all the picture you send them?

 

[Cmd-Z]

I don't see the point? What is there in FaceTime or iMessage I need to secure? It's not like my SSN is stored there.

I don't know, but I wonder how long will it be until this spreads to other services that use your Apple ID, like Home Sharing, Game Center, Back to My Mac, etc. etc. With all the Apple devices in my house, it takes me an hour to go around and update each one when I'm forced into a password change! Now I also have to add changing app-specific passwords? Ay yi yi ... I'm all for security, but this is getting a bit tedious.

 

[Cmd-Z]

Who changes their password every 3-4 months? Last time I did was almost a year ago. I only did it because I wanted something stonger too.

Well I don't know what to tell you, Apple makes me change my password at least 3x per year. My wife's ID does not, but she does not buy anything with her ID so maybe that's the difference? Not sure why Apple picks on me, but it's about as regular at daylight savings (OK, a bit more frequent). And no, there's no associated warning about a compromise that prompts this password change requirement, it will show up if I'm buying something from iTunes, or logging into the Apple support forum.

Yes the article is correct, but once set up, that's it. You only need to do it again when you add or switch a device.

You also have re-do all your app-specific passwords anytime your primary password is reset or changed, read the bottom of the article I linked.

 

[Pakaku]

Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?

I really hope a $400 password manager isn't the solution.

 

[caesarp]

So you don't care your talking to a friend, family member, or a loved one and some can read everything and see all the picture you send them?

Wouldn't care. It's all boring. I don't sext.

 

[lkrupp]

What I don't like is that this is compulsory. Annoying.

Switch to Android and experience no security at all then. See which side you like best.

 

[Tech198]

You know, this would also now be a good time to mention TouchID ......


Its becoming useless with Apple, since the only thing they have it for is for the App and iTunes Store.

For those devices which don't have Touch ID, then app specific password, but Touch ID on Iphone 5s and later is seriously going to waste...

I would say more developers are taking advantage of this unique bio-metric tech, the Apple even is.

I would have thought Apple would be using touch id across everything, including 2 step as an alternative to. But nope.....

If you can authenticate with Touch ID, why would you need 2 step, since its more secure anyway.

 

[B2k1977]

You know, this would also now be a good time to mention TouchID ......


Its becoming useless with Apple, since the only thing they have it for is for the App and iTunes Store.

For those devices which don't have Touch ID, then app specific password, but Touch ID on Iphone 5s and later is seriously going to waste...

I would say more developers are taking advantage of this unique bio-metric tech, the Apple even is.

I would have thought Apple would be using touch id across everything, including 2 step as an alternative to. But nope.....

If you can authenticate with Touch ID, why would you need 2 step, since its more secure anyway.

Maybe it's already in the works. Kudos though, that's a good idea.

 

[Hayakuro]

So... Not a two factor auth in practice. Can't say I'm surprised, unfortunately. Apple's strong point is not cloud services or the security that goes along with them.

 

[bathurstguy]

You know, this would also now be a good time to mention TouchID ......


Its becoming useless with Apple, since the only thing they have it for is for the App and iTunes Store.

For those devices which don't have Touch ID, then app specific password, but Touch ID on Iphone 5s and later is seriously going to waste...

I would say more developers are taking advantage of this unique bio-metric tech, the Apple even is.

I would have thought Apple would be using touch id across everything, including 2 step as an alternative to. But nope.....

If you can authenticate with Touch ID, why would you need 2 step, since its more secure anyway.

TouchID is stored in the trusted chip on the device and never synced to Apple or iCloud. So how would touch ID help to validate you on a new device...

 

[Cmd-Z]

If you can authenticate with Touch ID, why would you need 2 step, since its more secure anyway.

It would be nice, but if you have two step verification enabled, then it is also needed for a computer's access to iCloud.com, setting up a Mac to link to iCloud, and I think setting up Apple TVs -- none of which have Touch ID. But I get it, if its there why not use it where you can?

 

[Primejimbo]

Well I don't know what to tell you, Apple makes me change my password at least 3x per year. My wife's ID does not, but she does not buy anything with her ID so maybe that's the difference? Not sure why Apple picks on me, but it's about as regular at daylight savings (OK, a bit more frequent). And no, there's no associated warning about a compromise that prompts this password change requirement, it will show up if I'm buying something from iTunes, or logging into the Apple support forum.

I buy a lot with mine and I have never had Apple tell me to change it. My wife and daughter also buy stuff with their Apple ID and never had this happen either.

You also have re-do all your app-specific passwords anytime your primary password is reset or changed, read the bottom of the article I linked.

I get that, just don't see it as an issue to me, because I never had Apple tell me to change my password.

Wouldn't care. It's all boring. I don't sext.

It has nothing to do with sext. It has everything to do with privacy and security, but if you don't want it, then leave it off. You HAVE that option.

With all the Apple devices in my house, it takes me an hour to go around and update each one when I'm forced into a password change! Now I also have to add changing app-specific passwords? Ay yi yi ... I'm all for security, but this is getting a bit tedious.

I would contact Apple Support, I have never heard this before. My mom, in-laws, and even my sister never had this also, and they would be calling me complaining if they did really fast.

 

[arkhanjel]

Hmmm

I must have just missed this. I just signed in everything on a new iPad and didn't get the two step.

 

[IHelpId10t5]

Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?

This hits it on the head. As an IT professional you would love to recommend that everyone turn on 2-factor wherever it exists. However, the reality is that for the MAJORITY of users, the probability of them getting hacked is much smaller than the probability of them locking themselves out of their own account! It's unfortunate, but true, that even many technically savvy people are horrible at organization and record-keeping. They are so used to just being able to reset forgotten passwords at will, that they are at great risk of forfeiting any account that they choose to enable 2-factor on.

Password managers certainly go a long way towards optimal use of unique passwords. However, how many users do you know would actually know how to use their password manager of choice well. How many people do you know that if they enabled 2-factor for a given service like an AppleID, would take the time to customize their vault entry to include their 2-factor recovery key?

How many people do you know that understand that they will forfeit their purchases, email, iCloud, etc, forever if they enable 2-factor on their AppleID but then get locked out and don't know their recovery key?

For these reasons, in 2014 I still find it tough to recommend 2F for anyone that I don't know well enough to understand their technical and credential management aptitude. For the other 99%, I just try to get them interested in using a password manager instead.

 

[Cmd-Z]

I must have just missed this. I just signed in everything on a new iPad and didn't get the two step.

Two step verification is optional, and if you have not set it up for your Apple ID then you won't be prompted for an app-specific password for iMessage and FaceTime.

 

[GermanSuplex]

The whole point of using multifactor is that a compromised password alone won't give you access to the account. I don't think you are making a good case for using app-specific over multifactor for iMessage and FaceTime, and I would venture to bet that we'll eventually see both apps using the verified iOS device and/or verified SMS device multifactor code instead of app-specific passwords. App-specific passwords are the opposite of easy to use compared to Apple's implementation of multifactor, which is the primary reason I say they'll eventually switch over to using it instead.

Also, if you read Apple's wording on pages like Frequently asked questions about two-step verification for Apple ID and Using app-specific passwords, you'll gather that Apple provides app-specific passwords if "I want to sign in to iCloud using an app that doesn’t support two-step verification for Apple ID" and "app-specific passwords are a feature of two-step verification that allow you to sign in to iCloud securely when you use third party apps." It's actually funny that iMessage and FaceTime now fall under the same category as third party apps in this case.

This. I found it surprising that they want to their own built-in apps to use app-specific passwords just like a third-party email client would, for instance.

 

[Cmd-Z]

I would contact Apple Support, I have never heard this before. My mom, in-laws, and even my sister never had this also, and they would be calling me complaining if they did really fast.

Well, it depends on the number of services you use, and the number of devices that use your ID. In my case its 2 iPhones, 2 iPads, 2 Macs, 5 Apple TVs, and an AirPort Extreme. Then for services I have to change the password for iTunes Store, iCloud, HomeSharing, iMessage/FaceTime, and Back to My Mac on my router. Not hard, just tedious. But, 1st world problems eh?

 

[Oh-RLY]

I don't see the point? What is there in FaceTime or iMessage I need to secure? It's not like my SSN is stored there.

You're a nobody then no-one cares about you and you need not worry about this feature. However there are high-profile people out there who would like their personal communications to be secure. i.e. celebrities, news reporters, politicians, executives, etc.

 

[aristotle]

Do not want. In my experience, the more complicated you make it, the more likely people will either write their passwords on post-it notes (or in the notes app) or find a weak password that meet reqs while being easy to remember.

Companies that require changing passwords every 90 days results in people just rotating a digit or two in a password to get around the policy to not reuse the same password for several months.

 

[allanfries]

Well, I still have yet to do this. Guess I feel, I'm secure enough with touch ID and multiple 9-plus digit pass codes, etc.

 

[76ShovelHead]

What I don't like is that this is compulsory. Annoying.

Truly a pain in the arse. This method of authentication, while good in its' intent, is terribly inconvenient. TurboTax has a similar approach, where every "new" device logged into (i.e. the app on my phone and tablet) required me to send a code to my registered email, then enter that code, before I could finally log in.

----------

Passcode, iCloud password, two-factor authentication, app specific password, recovery code, key chain passcoe..... This is way too complex. I have a background in IT and I cannot keep up with the complexity. I don't think the average use knows how to navigate through.

Apple has to give us something simpler. Maybe Apple Watch is the saviour?

There will never be a simple be-all end-all solution. Hackers will always find a way, the best thing we can do is keep the complexity if only as a deterrent. Unfortunately, the user ends up paying for it (the hassle) –but at least steps are being taken.

 

[Primejimbo]

Well, it depends on the number of services you use, and the number of devices that use your ID. In my case its 2 iPhones, 2 iPads, 2 Macs, 5 Apple TVs, and an AirPort Extreme. Then for services I have to change the password for iTunes Store, iCloud, HomeSharing, iMessage/FaceTime, and Back to My Mac on my router. Not hard, just tedious. But, 1st world problems eh?

My set up isn't much different, I just have 1 iPhone and 1 iPad, 3 Apple TVs, a time machine, airport, home sharing, and 3 Macs under my Apple ID. I see how this would drive you nuts too. I know in my @Outlook account I can set it up so it makes me change my password every 90 days, is there a setting for Apple like this that we don't know about?