How to prevent unauthorised access to your Apple account

In this post, I will show you how to strengthen the security of your Apple ID account with Two-Factor Authentication.

This tip is useful if:

  1. You're not using Two-Factor Authentication (2FA) or Two-Step Verification (2SV) yet

  2. You want to prevent anyone from accessing your Apple account even if they guess or acquire your password.

Please note that to take advantage of this feature, you'll need at least:

  1. A dedicated phone number (GSM or landline)

  2. A device with the following versions of the operating system:

    • iOS 9 and up on iPhone/iPad

    • macOS 10.11 (El Capitan) and up on your Mac

Note:

If the words "Two-Step Verification" don't ring a bell, then proceed directly to the "Problem" section.

On the other hand, if you've already activated 2SV, and would consider switching to the newer (and slightly more secure) 2FA method, visit this Apple Support article:

Please be aware that once you've turned Two-Step Verification OFF, you won't be able to activate it again.

Here is a quick comparison of both methods:

  • Like 2FA, 2SV requires approval via a unique code sent to another trusted device.

  • Unlike 2FA, 2SV does not notify you automatically when a connection attempt is being made

| Two-Factor Authentication (2FA) | Two-Step Verification (2SV) |
| --- | --- |
| Best when devices are running the latest version of the operating system | Excellent alternative when 2FA is not available |
| Displays the location of the login attempt | Location of the login attempt is unknown |
| Requires approval by tap & 6-digit code | Requires approval via 4-digit code only |
| All trusted devices are notified of the login attempt | Authentication method/device is chosen by the person attempting to log in |
| Works even without an Internet connection | Requires an Internet connection to send the code |

Problem

What if someone guesses or gets hold of your Apple password, via phishing or because it was used for another service, which itself got compromised?

The answer is frighteningly simple: your account becomes almost instantly hackable.

I say "almost" because it depends on whether the answers to your security questions are easily guessable or not.

In practice, once your account is compromised, the hacker can:

  • change the password and the email address associated with your account

  • access everything you see on iCloud.com (photos, contacts, calendar, notes, ...)

  • purchase music, movies and apps using either your credit card or remaining credits

Solution

So how can you prevent anyone from accessing your Apple account even if they know your password?

By requiring additional information in the form of a 6-digit code that changes every time and is either generated by one of your devices or sent by text message or phone call.

This extra layer of protection is called Two-Factor Authentication (2FA) and applies when signing into your Apple account for the first time or after signing out of it on any given device.

In other words, the 6-digit code will not be required anymore once a device has been set up, or after you explicitly trust a specific browser when you log into iCloud.com or apple.com for the first time.

As soon as you sign into a device using 2FA, it becomes a "Trusted Device".

This is where the tip from newsletter #4 is important: make sure to lock your device as soon as possible and use a strong passcode, to prevent access to your Apple account from a device that is already set up.

Note:

As per the following support article on Apple's website, Two-Factor Authentication is not available for all Apple ID accounts, though Apple does not really explain the criteria.

If for some reason, 2FA is not available for your Apple ID, log into https://appleid.apple.com.

Under the security section, you may be able to activate the older 2SV method instead (which is much better than nothing).

From my own experience, I noticed that neither 2SV nor 2FA were available for child accounts managed through Family Sharing.

What are the pros and cons of activating Two-Factor Authentication?

Pros:

  • No need for security questions anymore

  • The location of the connection attempt is displayed on a map

  • Works with landline phone numbers

  • Warning message sent automatically to ALL trusted devices

  • More secure than the older Two-Step Verification method

Cons:

  • Need to have a trusted device with you, or be able to take calls and/or receive SMS messages

  • Need to append the 6-digit code to the password on devices running an older version of the operating system

  • Increased need to physically protect your iPhone and/or your Mac

  • Need to sign out then sign back in again to convert other devices into trusted devices

  • Requires keeping your Apple ID account up to date by adding new and revoking old phone numbers and/or trusted Apple devices

So how does this work?

  1. You turn on Two-Factor Authentication from one of your devices (iPhone, iPad or Mac)

    • iPhone/iPad: Settings > Apple ID > Password & Security

    • Mac: Apple menu > System Preferences > iCloud > Account details > Security

  2. You enter or confirm at least 1 trusted phone number (GSM or landline)

  3. You may be asked to add credit card information (for account recovery purposes)

  4. If needed, sign out from other devices and sign in again, using the authentication code from the first trusted device or sent to your trusted phone number.

Courtesy of Apple

The next time you, or anybody else, tries to log into your Apple account on a new device or browser session:

  1. You'll get a notification on your trusted devices, with the approximate location on a map.

    • If you did not originate that login attempt, you can press "Don't allow" to block it

    • If you did originate that login attempt, press "Allow" on one of your trusted devices

  2. Then, there are 3 methods to allow you to sign in:

    1. Enter the 6-digit code which appeared on the trusted device where you tapped "Allow"

    2. If you don't have any of your trusted devices with you, you can request that the code be sent to your trusted phone number (SMS or call)

    3. If your trusted device is offline and none of your trusted phone numbers is available, then you can generate a code directly from one of your trusted devices:

      • iPhone/iPad:

        • iOS 10.3 or above: Settings > Apple ID > Password & Security > “Get Verification Code”

        • iOS 10.2 or below: Settings > iCloud > Tap on your Apple ID > Tap on "Get Verification Code"

      • Mac: Apple menu > System Preferences > iCloud > Click on "Account Details" > Click on "Get Verification Code"
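To make the mechanics of the Solution section and the sign-in steps above concrete, here is a small Python model of the flow, written for this post as an illustration; it is not Apple's code and does not talk to Apple's servers. Every name in it (Account, start_sign_in, respond_on_trusted_device, complete_sign_in, the 300-second CODE_TTL_SECONDS, the sample password and device names) is a constructed assumption. It shows why a stolen password alone gets an attacker no further than the notification on your trusted devices, and why a code that has been used, blocked or left to expire is worthless afterwards.

```python
"""Toy model of a password + second-factor sign-in flow (added illustration, not Apple code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 300   # constructed assumption: a verification code lives five minutes
CODE_DIGITS = 6          # the post describes a 6-digit code


@dataclass
class PendingAttempt:
    attempt_id: str
    location: str                    # approximate location shown on the trusted devices
    created_at: float
    code: Optional[str] = None       # issued only after the owner taps "Allow"


@dataclass
class Account:
    password: str
    trusted_devices: set
    trusted_browsers: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time string comparison so timing does not leak how much matched."""
    return hmac.compare_digest(a.encode(), b.encode())


def start_sign_in(acct, password, browser_id, location, now=None):
    """Step 1: check the password; a trusted browser is done, anything else gets a push."""
    now = time.time() if now is None else now
    if not _ct_equal(password, acct.password):
        return ("denied", None)
    if browser_id in acct.trusted_browsers:
        return ("signed_in", None)                 # the code is asked only once per browser
    attempt_id = secrets.token_hex(8)
    acct.pending[attempt_id] = PendingAttempt(attempt_id, location, now)
    for dev in acct.trusted_devices:               # ALL trusted devices see the map pin
        acct.notifications.append((dev, attempt_id, location))
    return ("second_factor_required", attempt_id)


def respond_on_trusted_device(acct, attempt_id, allow):
    """Step 2: owner taps Allow (reveals a fresh code) or Don't allow (kills the attempt)."""
    att = acct.pending.get(attempt_id)
    if att is None:
        return None
    if not allow:
        del acct.pending[attempt_id]               # blocked: this attempt id is now dead
        return None
    att.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return att.code


def complete_sign_in(acct, attempt_id, code, browser_id, trust_browser=False, now=None):
    """Step 3: the code must belong to this attempt, be unexpired, and is consumed on use."""
    now = time.time() if now is None else now
    att = acct.pending.get(attempt_id)
    if att is None or att.code is None:
        return "denied"
    if now - att.created_at > CODE_TTL_SECONDS:
        del acct.pending[attempt_id]
        return "expired"
    if not _ct_equal(code, att.code):
        return "denied"
    del acct.pending[attempt_id]                   # single use: replaying the code fails
    if trust_browser:
        acct.trusted_browsers.add(browser_id)      # "trust this browser" skips 2FA next time
    return "signed_in"


def demo():
    """Walk the flow with constructed data; returns each outcome for inspection."""
    acct = Account(password="correct horse", trusted_devices={"iphone", "mac"})
    out = {}
    # Someone who only knows the password is stopped at the second factor and the owner blocks it.
    status, aid = start_sign_in(acct, "correct horse", "unknown-browser", "Unknown city", now=1000.0)
    out["attacker_status"] = status
    out["devices_notified"] = len(acct.notifications)
    respond_on_trusted_device(acct, aid, allow=False)
    out["attacker_guess"] = complete_sign_in(acct, aid, "123456", "unknown-browser", now=1001.0)
    # The owner signs in from a new browser, taps Allow, types the code, trusts the browser.
    status, oid = start_sign_in(acct, "correct horse", "owner-browser", "Home town", now=2000.0)
    code = respond_on_trusted_device(acct, oid, allow=True)
    out["owner_first"] = complete_sign_in(acct, oid, code, "owner-browser", trust_browser=True, now=2010.0)
    out["replay"] = complete_sign_in(acct, oid, code, "owner-browser", now=2011.0)
    out["owner_second"], _ = start_sign_in(acct, "correct horse", "owner-browser", "Home town", now=3000.0)
    # A code that sat unused past its lifetime is rejected.
    status, eid = start_sign_in(acct, "correct horse", "ipad-browser", "Home town", now=4000.0)
    code = respond_on_trusted_device(acct, eid, allow=True)
    out["expired"] = complete_sign_in(acct, eid, code, "ipad-browser", now=4000.0 + CODE_TTL_SECONDS + 1)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three properties worth noticing are that the code is tied to one attempt id (so a code leaked from one login attempt cannot be used on another), that it is deleted on first use or on "Don't allow", and that only a browser the owner explicitly trusted after a successful code entry ever gets to skip the second step, which is exactly why the post stresses locking the devices that hold that trust.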

So, yes, it's less convenient than simply entering your Apple ID password, but it's a small price to pay to keep your account secure.

Remember that you only have to go through this procedure once on each device and/or browser session.

And you, did you activate Two-Factor Authentication on your Apple account? If so, what do you think of it?

Please let me know in the comments below!
