El Capitan, iOS 9 security and the new version of two-factor authentication

Kirk McElhearn, writing for Intego:

Apple has offered two-factor authentication for some time (here’s how you set it up), but with the release of iOS 9 and OS X El Capitan, Apple is changing the way this works. Previously, you had to save a recovery key, a long string of characters that Apple suggested you print out and store in a safe place. This presented a number of problems, however, such as people not saving it, losing it, or not being in the location where it was stored when they needed to access it.

It’s a good idea to turn on two-factor authentication, especially now that the process is a bit simpler. If, however, you get locked out of your account, it can take several days for Apple to reinstate it. If this happens, go to iforgot.apple.com and follow the instructions. Apple will contact you and ask you a number of questions, so you can prove that you are, indeed, you, and have not been replaced by an alien or a cyborg.

Note that two-factor authentication is different from two-step verification. From Apple’s web site:

Two-factor authentication is a new service built directly into iOS 9 and OS X El Capitan. It uses different methods to trust devices and deliver verification codes, and offers a more streamlined user experience. The current two-step verification feature will continue to work separately for users who are already enrolled.

And:

If you can’t sign in, reset your password, or receive verification codes, you can regain access to your account by requesting account recovery. Simply provide a verified phone number where you can receive a text message or phone call regarding your account. Apple will review your case and send an automated message to the number you provided when your Apple ID is ready for recovery. This message will direct you to iforgot.apple.com to complete the required steps and regain access to your account.

Account recovery will take a few days—or longer—depending on what account information you are able to provide. The process is designed to get you back into your account as quickly as possible while denying access to anyone who might be pretending to be you.

This last bit is a bit mysterious, but that doesn’t bother me. The key is that Apple recognizes that social engineering may be at work and has a protocol in place to at least make it possible to get your account back if you lose all your safety nets.