In early June, Apple said two-factor authentication would be tightly integrated into OS X 10.11 El Capitan and iOS 9, but provided little detail as to what that means. The current setup is scattered across sites and methods: it delivers a second, one-time-use, time-limited code (or another form of verification) whenever a user logs in to an Apple site, or on an Apple device, with an Apple ID that has the feature set up.
Apple today posted a detailed explanation about how two-factor authentication works starting with the public betas of iOS 9 and El Capitan.
Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.
Two-factor authentication systems can deter or defeat attempts to log into accounts remotely, because an attacker needs not just the password, but also access to a device, computer, or phone number belonging to the target account. This turns hacking from "wholesale" to "retail": unless a flaw is found in the underlying system, each protected account has to be cracked one at a time.
A longer code, a simpler process
As in the existing system, you have to set up at least one (and up to any number) of your iOS and OS X systems as "trusted devices." These appear in a list in your Apple ID account and can be removed from there, as well as in OS X in the iCloud system preference pane by clicking Account Details, and in iOS 9 in Settings > iCloud > Account. You also have to verify at least one phone number as a backup.
Currently, the phone has to be able to receive text messages, but in the update a phone can receive either texts or phone calls, which indicates there will be an option to have the code spoken aloud by an automated system, as is typical of other two-factor systems.
The current system, labeled "two-step" by Apple, requires an (ironic) extra step during login. When you log in at an Apple site that supports two-step now, after entering an Apple ID account name and password, a pop-up dialog or screen of some sort prompts you to select a trusted device or trusted phone number to which a four-digit code is sent, and then enter that code in a following step.
In the new system for El Capitan and iOS 9, the need to specify a device to which a code is sent is removed. After entering the account name and password, Apple says all trusted devices running the newer OSes will display a six-digit verification code. That code, as before, only appears when an iOS device or OS X system is unlocked. Apple notes there will be an option to send the code to a trusted phone from the code-entry page by clicking "Didn't Get a Code?"