Apple iMessage/Facetime

[mxxcon]

http://techcrunch.com/2015/02/12/apple-adds-more-security-to-imessage-and-facetime-with-two-factor-authentication/

Btw, should these services be added separately from Apple's "retail" entry?

[RichJeanes]

If they're separate from your retail account, then yes. I'm not an Apple user, but I'm pretty sure they are. Aren't iMessage/FT part of iCloud? I thought that already had TFA?

[Carlgo11]

@RichJeanes iMessage & FaceTime are separate from iCloud.

[mxxcon]

Iirc it's all the same account, but apparently different products have different authentication mechanisms.

[jamcat22]

Apple has two different systems for additional verification.
The first is 2FA (two-factor authentication), and the second is 2SV (two-step verification).
Both are separate mechanisms and how they work varies greatly.

2FA (two-factor authentication)	2SV (two-step verification)
- Protects all parts of your account (except those listed towards the end of the comment)	- Protects certain parts of your account
- Code entered in special box (for software that supports it), app-specific passwords (for certain software), added to end of password (for software without built-in support), or no code required at all (for software that isn't protected by 2FA; see list below)	- Code entered in special box (for software that supports it), app-specific passwords (for certain software), or no code required at all (for software that isn't protected by 2SV)
- Requires a device running at least OS X El Capitan or iOS 9 to enable and receive codes	- Can be enabled on any Apple ID using the Manage Your Apple ID page
- After enabling on a macOS/OS X or iOS device, SMS or Phone Call can be used to receive codes in addition to push notifications	- SMS or a push notification to an iOS device can be used to receive codes
- At least one SMS number is required	- At least one SMS number is required
- Codes are 6 digits	- Codes are 4 digits
- Recovery is dynamic and does not require a recovery key	- Recovery is static and requires a recovery key

As of March 21st, 2016, 2FA is available for all Apple IDs. In order to enable it, ensure you are running at least OS X El Capitan or iOS 9.3, and follow the instructions available here.
If you'd like to upgrade from 2SV to 2FA, follow the instructions available here.

If you still receive an error indicating that your account isn't eligible to enable 2FA, ensure all devices connected to your account are updated to the latest macOS or iOS version and try enabling the feature on an iOS device running the latest, non-beta version of iOS 9.3 or above.

Only certain parts of your account are protected by 2SV.
All parts of your account are not yet protected by 2FA. The list of services it does not protect is towards the bottom of this comment.

Currently, both 2FA enabled from a supported device and 2SV enabled from the Manage Your Apple ID page protect:

• Managing your Apple ID on the Manage Your Apple ID website (changing password and other info shared across the entire ID)
• Changing or resetting your password anywhere (including on the Manage Your Apple ID website, a macOS/OS X device, an iOS device, etc.)
• Managing payment information anywhere (including on the Manage Your Apple ID website, the Apple Store account website, a macOS/OS X device, an iOS device, etc.)
• Accessing iCloud from the iCloud website
• Adding an iCloud account to a new device (iOS, macOS/OS X, Windows, etc.) or restoring a backup from iCloud
• Using the iTunes Store, iBooks Store, or the App Store on a new device (exception for iTunes desktop app)
• Authorizing a computer to play content associated with an Apple ID
• Turning on Home Sharing
• Using the Apple Store app on iOS devices
• Using Photos for Mac to order photo prints
• Signing into iMessage or FaceTime (which are separate services from iCloud)
• Signing into Game Center
• Getting support related to your Apple ID (the support representative sends you a code before they can do anything)
• Using your Apple ID to lookup products you have or get support on the Apple website
• Signing into the Apple Beta Software Program
• Signing into Apple Software Customer Seeding (AppleSeed)
• Signing into Report a Problem (for iTunes)
• Signing into your Mac with iCloud to recover/reset FileVault (Yay!)
• Signing into the Jobs at Apple portal
• Signing into Repair Status
• Signing into One to One
• Signing into Apple Support Communities
• Signing into iAd Workbench
  • Report Status: Closed (issue resolved)
  • Report ID: 21608037
• Signing into Apple Developer
  • Report Status: Closed (issue resolved)
  • Report ID: 21614396
• Signing into iTunes Connect
  • Report Status: Partially closed (issue not completely resolved)
  • Report ID: 21608170
• Signing into Apple Music Profile
  • Report Status: Partially closed (issue not completely resolved)
  • Report ID: 21608170
• Signing into the Apple Push Certificates Portal
  • Report Status: Closed (issue resolved)
  • Report ID: 21608295
  • Apple Security Submission Status: Reply received (enhancement request filed)
• Signing into the TestFlight app on iOS
• Signing into Apple Distinguished Educators
• Signing into Apple Deployment Programs
• Signing into Search Ads
• Signing into News Publisher
• Signing into the Apple Support app on iOS
• Signing into AppleCare Registration
• Making or managing a reservation for Apple Store workshops
• Checking iPhone Upgrade Program upgrade eligibility status
• Signing into, or up for Apple Teacher
• Signing into Maps Connect
  • Report Status: Closed
  • Report ID: 21608250

iCloud Keychain has separate SMS/software 2FA that is required and is enabled even if you don't have 2FA/2SV on your Apple ID.
Remotely deactivating iMessage from the Apple self-solve website (which you can find out more about here) requires SMS 2FA even if you don't have 2FA/2SV on your Apple ID.

While 2SV doesn't protect, 2FA still protects:

• Using the iTunes Store, iBooks Store, or the App Store on iTunes for Desktop (This includes managing account info, payment info, and making purchases.)
• Using iPhoto to order photo prints
  • Status: Retesting...
• Signing into the Apple Bug Reporter
  • Report Status: Open
  • Report ID: 21607730 (Duplicate of 18287000)
  • Apple Security Submission Status: Not Submitted
• Signing into Apple areas that use AppleConnect (a special SSO program)
  • Status: Retesting...
• Signing into the Volume Purchase Program for Business
  • Report Status: Not Submitted
  • Apple Security Submission Status: Not Submitted
• Signing into the Volume Purchase Program for Education
  • Report Status: Not Submitted
  • Apple Security Submission Status: Not Submitted
• Signing into the Volume Purchase Program Fulfillment Center
  • Report Status: Not Submitted
  • Apple Security Submission Status: Not Submitted

2FA/2SV might not protect:

• Using iAd Producer to upload ads to the iAd server
  • Status: Not Tested
• Signing into Apple School Manager
  • Status: Not Tested
• Signing into the TestFlight app on tvOS
  • Status: Not Tested

Neither 2FA NOR 2SV protect:

• Using the main Apple website (formally the Apple Store website. This includes buying products, checking the status of an order, tracking a shipment, pre-signing for a delivery, canceling an order, returning items, printing an invoice, changing the shipping or billing info for an order, editing gift messaging or engraving, viewing order history, checking the balance of a gift card, and viewing your activity with a specialist.)
  • Report Status: Not Submitted
  • Apple Security Submission Status: Not Submitted
• Disabling Find My iPhone/iPad/iPod/Mac/Apple Watch in the Settings app, System Preferences, or the Watch app either by turning it off, signing out of iCloud, or turning off Activation Lock
  • Report Status: Closed ("expected behavior")
  • Report ID: 21628565
• Signing into Feedback Assistant on iOS or macOS
  • Report Status: Not Submitted
  • Apple Security Submission Status: Not Submitted
• Signing into the WWDC app on iOS
  • Report Status: Not Submitted
  • Apple Security Submission Status: Not Submitted
• Using iTunes Connect to apply for selling Music, TV Shows, or Movies through the iTunes Store
  • Report Status: Open
  • Report ID: 21608170
  • Apple Security Submission Status: Not Submitted
• Enabling iTunes Connect for iBooks
  • Report Status: Open
  • Report ID: 21608170
  • Apple Security Submission Status: Not Submitted

FAQs:

2FA (two-factor authentication)	2SV (two-step verification)
Main FAQ	Main FAQ
Switching from 2SV to 2FA
Availability FAQ
Getting a verification code
	SMS FAQ
App Specific Passwords FAQ	App Specific Passwords FAQ
Password Reset FAQ	Password Reset FAQ
Recovery FAQ	Recovery FAQ

[RichJeanes]

Why? Just... Why?

[Carlgo11]

@RichJeanes most big companies provide bad security for it's customers. If it's not outside threats it's the company itself. No matter what OS your phone runs it's vulnerable. Apple, Google, Windows. Not to mention the 3d parties of the Android OS....

[jamcat22]

@RichJeanes I know. At least Google and Microsoft's 2FA protect everything.

I don't understand why Apple can't just use one SSO server with one sign in page for everything.

[mxxcon]

@jamcat22 They have so many different systems that it's difficult to use a single authentication method. They coded themselves into a corner.
"Apple is a hardware company". 😉

[jamcat22]

@mxxcon 😄

[jamcat22]

Just updated my previous comment with the following changes:

Things 2SV also protects:

• Using Photos for Mac (Beta) to order photo prints
• Signing into your Mac with iCloud to recover/reset FileVault (Yay!)
• Signing into the Apple Beta Software Program (AppleSeed)
• Signing into Apple Software Customer Seeding (AppleSeed)

Things that 2SV didn't protect but are now protected:

• Signing into My Support Profile (stores your device info for quick support and keeps track of your support cases and warranties)

Things 2SV also does not protect:

• Using iPhoto to order photo prints

[jamcat22]

Maybe we should find a way to group big websites together...
That way we could show what parts of the website support 2SV and what parts don't.
And maybe we could have something that says every part of a particular website is protected (like Microsoft).

Just thinking...

[RichJeanes]

Apple is so disparate in their sign-on services that we could (almost?) justify creating an "Apple" category...

[jdavis]

@RichJeanes I get the idea but no, haha. I won't stand for that =]

If anything, why not put @jamcat22's analysis into a note and then link to that for the docs?

[jdavis]

Actually, @RichJeanes. This would be the perfect time to use the link: option under exceptions: as detailed here: https://github.com/jdavis/twofactorauth/blob/master/CONTRIBUTING.md#exceptions--restrictions

You can create an exception and then turn that on and it will link there with more details. It was sort of a half-ass idea that isn't even being used so it might need to be worked on.

[jamcat22]

@jdavis how does the exception link even work? I have been wondering about that for ages.

[jamcat22]

Where does the link go? How do you set it? Is it a separate link from the doc file?

[RichJeanes]

That's what I was trying to ask in #1022 and @jdavis pointed me here 😖
Definitely something that needs to be addressed in our documentation.

[jamcat22]

Updated my comment again with the following changes:

• Links have been added wherever possible.
• Corrected the fact that iCloud Keychain also supports software 2FA
• Added the fact that remotely deactivating iMessage from the Apple self-solve website (which you can find out more about here) requires SMS 2FA even if you don't have 2FA/2SV on your Apple ID.

Things 2SV also protects:

• Changing or resetting your password anywhere (including on the Manage Your Apple ID website, an OS X device, an iOS device, etc.)
• Signing into Report a Problem (for iTunes)

Things 2SV also does not protect:

• Signing into Maps Connect
• Signing into iTunes Connect
• Signing into Repair Status
• Signing into the Volume Purchase Program for Business
• Signing into the Volume Purchase Program for Education
• Signing into One to One
• Using your Apple ID to lookup products you have or get support on the Apple website

[jamcat22]

@jdavis Can you please explain how the exception link function works? Where does the link go? Can you define where the link goes? Can you have text in the exception box at the same time?

[jamcat22]

Updated my comment again with the following changes:

Things that 2SV didn't protect but are now protected:

• Signing into the Jobs at Apple portal
• Signing into Repair Status
• Signing into One to One

[jamcat22]

Updated my comment with the following changes:

• Updated the Apple Beta Software Program with its new web address.
• Corrected the fact that the Apple Beta Software Program is not a part of AppleSeed.
• Added the status of bug reports to Apple wherever possible.
• Made high-security risk items bold.

Things 2SV also protects:

• Signing into Apple Support Communities

Things 2SV might not protect:

• Using iAd Producer to upload ads to the iAd server

Things that 2SV didn't protect but are now protected:

• Using the Apple Store app on iOS devices
• Signing into Game Center

Things 2SV also does not protect:

• Disabling Find My iPhone/iPad/iPod/Mac in the Settings app or in System Preferences either by turning it off or signing out
• Removing a device from Find My iPhone (which turns off activation lock)
• Signing into Apple Music Profile
• Enabling iTunes Connect for iBooks
• Using iTunes Connect to apply for selling Music, TV Shows, or Movies through the iTunes Store
• Signing into iAd Workbench

[jamcat22]

Updated my comment with the following changes:

Things 2SV also might not protect:

• Using the iTunes Store, iBooks Store, or the App Store on iTunes for Desktop (This includes managing account info, payment info, and making purchases.)

If anyone has a screenshot of iTunes for Desktop requiring a verification code, please comment below.

Things 2SV also does not protect:

• Authorizing a computer to play content associated with an Apple ID
• Turning on Home Sharing

[jamcat22]

Updated my comment and other comments with the following changes:

• Clarified 2FA vs 2SV.
• Added descriptions of 2FA and 2SV.
• Changed terms in all comments to reflect terminology.
• Added FAQ links for 2FA.

Things that 2SV didn't protect but are now protected:

• Using your Apple ID to lookup products you have or get support on the Apple website

Things 2SV also does not protect:

• Signing into Feedback Assistant on iOS or OS X

[Carlgo11]

@jamcat22 you missed a dot somewhere in that comment.

[jamcat22]

@Carlgo11 Bring. It. On.

[jamcat22]

Updated my comment and other comments with the following changes:

• Changed descriptions of 2FA and 2SV into a table for easier comparison. (So cool!)
• Updated comment links to new URLs.
• Updated status of multiple bug reports.
• Updated status of submissions to Apple Product Security.
• Updated FAQ links.

Things that 2SV didn't protect but are now protected:

• Signing into iAd Workbench

Things 2SV also does not protect:

• Signing into the WWDC app on iOS

[jamcat22]

Updated my comment with the following changes:

• Updated the "My Apple ID" website name to "Manage Your Apple ID"

Things that 2SV didn't protect but are now protected:

• Managing payment information anywhere (including on the Manage Your Apple ID website, the Apple Store account website, an OS X device, an iOS device, etc.)

[Important side note: While the Apple Store Account (payment info) page is now protected by the newest version of their sign in page, the main Apple website login (also used for the Apple Store) is still not. This means people can make purchases without using 2SV, but they cannot modify billing info.]

• Signing into Apple Developer
• Signing into iTunes Connect
• Signing into Apple Music Profile

By the way, have you guys seen the new Apple ID website? It's amazing. Still nowhere near as complex as Microsoft or Google though.

[jamcat22]

Updated my comment with the following changes:

• Reclassified items on the list as either being protected by both 2FA and 2SV, only 2FA, or neither 2FA nor 2SV.

Things neither 2FA nor 2SV protect:

• Using the main Apple website (formally the Apple Store website. Used to buy phones, computers, and accessories)
• Disabling Find My iPhone/iPad/iPod/Mac in the Settings app or in System Preferences either by turning it off, signing out of iCloud, or turning off Activation Lock
• Signing into Maps Connect
• Signing into Feedback Assistant on iOS or OS X
• Signing into the WWDC app on iOS

[Carlgo11]

What about make a note/ page about this?

[jamcat22]

@Carlgo11 I'm thinking of either doing that, or linking directly to this issue, depending on if we can have notes pages with Markdown. I'd be open to coding it in HTML, but then it won't look quite as nice.

[jamcat22]

Updated my comment with the following changes:

• Indicated the fact that, as of March 21st, 2016, 2FA is available for all Apple IDs.
• Added instructions on how to enable 2FA successfully, how to deal with the most frequently encountered error, and how to upgrade from 2SV to 2FA.
• Made headers one size larger.
• Removed bold font for report status items that are set to "Not Submitted".

Things both 2FA and 2SV protect:

• Signing into the TestFlight app on iOS

[jamcat22]

Updated my comment with the following changes:

• Updated information on upgrading from 2SV to 2FA.
• Added FAQ links for switching from 2SV to 2FA, and password resets.
• My Support Profile, which was used to store your device info for quick support and keep track of your support cases and warranties, now redirects to Apple's Get Support website, which is listed in the comment as - Using your Apple ID to lookup products you have or get support on the Apple website and therefore is covered by both 2FA and 2SV.

Things that might not be protected by 2FA/2SV:

• Signing into Apple School Manager

Things that 2FA didn't protect that are now protected, yet are still not protected by 2SV:

• Signing into Maps Connect

Things both 2FA and 2SV protect:

• Signing into Apple Distinguished Educators
• Signing into Apple Deployment Programs

Things that 2FA protects, but aren't protected by 2SV:

• Signing into, or up for Apple Teacher
• Signing into the Volume Purchase Program Fulfillment Center

[jamcat22]

Updated my comment with the following changes:

• Fixed small grammatical errors.
• Updated information on disabling Activation Lock and Find My Device to include Apple Watch.
• Updated information on what is within the scope of using the main Apple website to include buying products, checking the status of an order, tracking a shipment, pre-signing for a delivery, canceling an order, returning items, printing an invoice, changing the shipping or billing info for an order, editing gift messaging or engraving, viewing order history, checking the balance of a gift card, and viewing your activity with a specialist.

Things both 2FA and 2SV protect:

• Signing into Search Ads
• Signing into News Publisher

Things that 2SV now protects, in addition to already being protected by 2FA:

• Authorizing a computer to play content associated with an Apple ID
• Turning on Home Sharing
• Signing into the Apple Push Certificates Portal

Things 2FA/2SV might not protect:

• Signing into the TestFlight app on tvOS

[jamcat22]

Updated my comment with the following changes:

Things 2FA protected in the past, but are now no longer protected by 2FA or 2SV:

• Using iTunes Connect to apply for selling Music, TV Shows, or Movies through the iTunes Store
• Enabling iTunes Connect for iBooks

Seriously Apple‽ I honestly can't believe that in addition to 2FA/2SV being so segmented, convoluted, and poorly thought out for years now, items which used to be protected by 2FA are now being left unprotected! This is just ridiculous for a company as large and detail-oriented as Apple.

[jamcat22]

Updated my comment with the following changes:

Things both 2FA and 2SV protect:

• Signing into the Apple Support app on iOS
• Signing into AppleCare Registration
• Using your Apple ID to check the coverage of your device on the Apple website
• Making or managing a reservation for Apple Store workshops

[jamcat22]

Updated my comment with the following changes:

• Updated the link for One to One
• Updated the link for the Apple Store account website

Things both 2FA and 2SV protect:

• Checking iPhone Upgrade Program upgrade eligibility status
• Signing into the iTunes Remote app on iOS

Things that 2SV now protects, in addition to already being protected by 2FA:

• Signing into, or up for Apple Teacher
• Signing into Maps Connect

[gingerbeardman]

Apple Migrating iOS 11 and macOS High Sierra Users With Two-Step Verification to Two-Factor Authentication
https://www.macrumors.com/2017/06/12/ios-11-macos-high-sierra-two-factor-auth/