After my somewhat painful and tedious experience with two-factor authentication on Google, I wasn’t sure I could face doing it on my Apple ID. Since I wrote the previous article, I’ve continued to add to the count of times I’ve had to do the 2FA dance with Google, like when my friend Diane wrote a blog post on her Tumblr account and I wanted to leave a darn comment. The paper cuts have slowed way down over the week but this “you only do it once per device!” claim is pure horse pucky.
In spite of this, I decided to go ahead and try two-factor authentication on my Apple ID. I made this decision because somehow I actually got locked out of my Apple ID. I feared that my account was being targeted by the bad guys but after it happened a second time two days later, I decided to take to the Twitters to see if anyone else was getting locked out.
Neil Bernstein jumped in and said it was happening to him too, so he started searching and found a few other folks with the same problem. I’m not sure who cracked the code on the root cause, but it turned out to be the EasilyDo email app for iOS I recommended a few weeks ago. I wrote to the EasilyDo folks and they confirmed that Apple changed something last weekend and as a result their customers were getting locked out. I expressed sympathy for them and told them I’d remove the app for now but sure hope they get it fixed soon so I can get it back because I adore that app. I’ve heard they have a fix out but I’m going to let others go first on this one!
So anyway, this got me thinking, if I’m going to have to keep changing my password, I might as well turn on two-factor authentication anyway. But guess what? You can’t set up two-factor authentication on your Apple ID for three days after changing your password! Good thing I found out from Neil what was causing it, because I wasn’t able to keep the same password for 3 whole days. I asked permission and 3 days later I was granted the ability to turn it on.
I did a search on Apple two-factor authentication and found the Apple Support Article about how to set it up. They claim in the article that you can find it via the iCloud Preferences Security tab, but that’s a lie, it’s not in there. I whined on Twitter (as one does) and George Starcher told me to hunt for the Apple ID page which is at appleid.apple.com.
I have to say that the experience was actually quite good and compared to Google, relatively painless. Each step of the process was very clearly explained. After entering the answers to my security questions, and adding a trusted phone number, a verification code was sent to my phone.
Once that was done I got a screen that made me very happy. It said “Verify Trusted Devices”. From this screen I can select every device from which I want to authenticate…ONCE. Just like people said! I did have to refresh the devices list but then I tapped on an iPad, iPhone and iPad one by one, and a different code came up on each one that I could enter on the Mac. That’s the way it’s supposed to work!
After verifying a few devices, I was given a Recovery Key, explaining that it was critical that I print this out and save it in case I ever forget my password. Otherwise I would lose access to everything. I of course didn’t make a paper print, but I printed it to PDF, put it on my Drobo, and put a copy in my 1Password file and typed the Recovery Key into a 1Password entry. They don’t let you copy and paste the code, which turns out to be brilliant. On the next page, it basically says prove you weren’t stupid and you really did keep a copy of your Recovery Key. You cannot proceed forward until you prove it! I thought that was fantastic.
I took a deep breath and hit the “Enable Two-Step Verification” button. Ok, now what?
I opened up the App Store on the Mac where I set up two-factor authentication, and it asked me to sign in, but didn’t ask for a code. Then I tried to buy something on the App Store and it did ask for a code. It showed me the four devices I had verified and asked which one I wanted to use, and the code showed up instantly on the chosen device. I opened up iMessage, and again I had to sign in, but again I didn’t have to supply a code.
I did the initial work on my 12″ MacBook so I switched over to my MacBook Pro and tried to download updates from the App Store and there I did have to enter a code because it wasn’t on the Verified list. Worked REALLY quickly and only happened once.
On the verified devices, I never had to enter a code to get my email or download updated apps or pretty much anything at all. I didn’t have to authenticate to my Apple ID at all for messages; not sure why I had to do that on the MacBook. But it’s cool that they were immediately, and in all ways Apple, authenticated with that initial code on the verified devices.
However, there were some oddities. I have an older iPad that I keep on hand for doing screencasting, and I did not add it to the Verified devices list. I opened up Mail and it complained that my iCloud account needed to be updated. I dismissed the popup message…and my Apple Mail came in just fine. I found that very strange – it shouldn’t have let me do that!
Next I tested our AppleTV 4 and that was weird too. I went into the App Store and just as I hoped, it asked me to verify my identity using one of my verified devices. Ok, cool. I picked my phone, but the next screen said, “Sign in to verify your payment info. Please enter your Apple ID and password and click OK.” But it didn’t tell me WHERE to do that – on the AppleTV or on the phone? And it never sent a code to my phone. I got caught in this loop too where I’d click OK, and it would go back to the verify from another device screen.
I finally went into Settings, signed OUT of my account and back in (never verifying my payment info in any way) and it never asked me again to verify the device! I even went into the App Store and bought an app and I was never queried for a code. It was like they paid lip service to my two-factor authentication but didn’t actually require it at all!
I tested two AppleTV 3’s and they never challenged me for a code, and I verified I could play my purchased movies. I wasn’t good enough of a team player to buy anything on those devices though, so perhaps that would have triggered the code. Or perhaps it doesn’t support two-factor authentication?
The final test was to find out if my having two-factor authentication on my devices would wreck those on my family plan. I knew my son-in-law really wanted this one game but was mad because he’d bought it once on Lindsay’s account, but it turns out in-app purchases don’t move between users, so I had Lindsay buy it on his account (which would still charge me) and it worked with no fuss at all. I was glad to know that I hadn’t made their lives harder. If they want to do two-factor authentication it should be their choice whether to deal with it.
When I did my initial setup, out of laziness I only verified 3 devices beyond the MacBook. That gave me the opportunity to answer another question. Can I go back and add devices and trusted phone numbers? I logged into the Apple ID site, this time on my UNverified MacBook Pro. Interestingly enough, it let me log in WITHOUT a two-factor code. So, yeah. While I was in there, I was able to add another trusted phone number. Without a code.
Then I tried to add my MacBook Pro to the verified devices, but it didn’t show up in the list. They suggested I verify that Find my Mac was turned on (which it wasn’t) so I turned it on and went back to the website, only to find out that they’d logged me out. Now that’s interesting. I tried to log back in and NOW it asked me for a code. Very interesting. It had been about two hours since I’d set up two-factor authentication, so that delay was pretty weird. I was able to get back in, but still can’t add my Macs as trusted devices. Maybe it only works with iOS devices?
Overall I have to say that my first few hours with two-factor authentication on my Apple ID has been worlds easier than it was with my Google ID. I wonder whether it would have been slightly easier if I’d had Android devices; perhaps the Google authentication does go to the entire device in that case as it does with iOS devices for an Apple ID.
Bottom line, setting up two-factor authentication with an Apple ID is far fewer paper cuts than it was with Google, but it was also sloppy in not asking for my codes as often as it should have. Which one would you prefer?
Google Two Factor works at the device and service level.
Setting up a new device, for example, for Gmail requires entry of the User ID, Password, and Two Factor Code. On Android, if the QR Code generated from the original setup is saved as an image, a Gmail account can be set up by using Authenticator’s scan function with the device camera pointed at the QR image.
Setting up a service, such as Dropbox, that uses Google Two Factor works the same (as I recall; haven’t had to do any DB setup changes in a long time).
If Google Two Factor is used to log into a web service via a browser, you will have to enter the code, although it is my observation that the code remains on a device in the form of a browser cookie and re-entry of the code won’t be necessary unless cookies are erased (which I do automatically in Firefox, and so have to enter the code at each return to the service.)
That’s no different than the banks and brokers that provide me “dongles” that generate a one time code (or may send an SMS with the Code).
“Apps” in Android store the code so it doesn’t have to be re-entered after initial setup. That may differ in iOS due to the way Apple has secured “secure memory” and what privileges an App has to access it.
I’m not sure the cookie is getting stored, or at least stored the way I thought it would be. For example, I went to G+ on Safari on my MBP and authenticated with a code. Then a while later (not having cleared cache or anything like that) I went to Tumblr to leave a comment and the only option was to use my Google identity, and it asked for a code. Now that could mean that the Google cookie didn’t follow me to Tumblr I suppose?
Several web services use Google 2-Factor (G2F)
There’s ALSO Google Identity which I’ve never knowingly used. I think Google Identity is what Tumblr uses. And I don’t think being logged into Gmail opens Tumblr, without more.
Google offers an API for services that want to use the Google Two Factor One Time Code System. My Dropbox G2F Code, for example is unique to DB. In fact, I want it that way, and don’t want my Google ID to unlock Dropbox. Or Amazon S3.
The G2F does not persist across separate web services. It would be much less secure if it did. Even within Google, the several Gmail accounts I have don’t share G2F Codes; each is unique. Google services (e.g. Google Music) are logged in using the underlying account credentials, so a user logged into Gmail that uses G2F does not have to separately enter a G2F Code for GMusic.