Apple to introduce two-factor authentication option in iOS 9 and OS X El Capitan

Starting with OS X 10.11 (“El Capitan”) and iOS 9, Apple will introduce a two-factor authentication option that will replace the current two-step verification one.

The 2SV feature, introduced in early 2013, made users use both a password and a verification code received on their phone. They were also given a 14-character recovery key in case they forgot their password and lost their phone or had it stolen. But if they lost or forgot this recovery key, they could be locked out of their Apple ID account forever.

For the new 2FA feature, Apple dropped the recovery key.

“Whenever you sign in with your Apple ID on a new device or browser, you will verify your identity by entering your password plus a six-digit verification code. The verification code will be displayed automatically on any Apple devices you are already signed in to that are running iOS 9 or OS X El Capitan. Just enter the code to complete sign in. If you don’t have an Apple device handy, you can receive the code on your [trusted] phone via a text message or phone call instead,” the company explained how the new feature (still in beta) will work.

“Once signed in, you won’t be prompted for a verification code again on that device unless you erase your device, remove it from your device list, or need to change your password for security reasons. When signing in on the web, you can choose to trust your browser so you won’t be prompted for a verification code the next time you sign in from that computer.”
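The sign-in flow quoted above (password plus a six-digit code pushed to devices that are already trusted, with the new device becoming trusted once the code is accepted, and trust revoked on device removal or password change) can be modelled as a small state machine. The following is an added illustration, not Apple's code and not a description of its real implementation; the device names, phone number, five-minute code lifetime and five-attempt limit are constructed assumptions chosen to show the defensive details such a flow needs (short-lived codes, attempt limits, constant-time comparison).

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a verification code
MAX_ATTEMPTS = 5         # assumed guesses allowed per pending code


class TwoFactorAccount:
    """Toy model of password + verification-code sign-in with trusted devices.

    Constructed for illustration; a real service stores a password hash,
    keeps pending codes server-side and delivers them over a secure channel.
    """

    def __init__(self, password, trusted_devices, trusted_phone):
        self.password = password                     # plaintext only in this toy
        self.trusted_devices = set(trusted_devices)  # devices already signed in
        self.trusted_phone = trusted_phone           # fallback for SMS/phone call
        self.pending = {}      # device_id -> [code, issued_at, attempts]
        self.delivered = []    # constructed sink: (destination, code) pairs

    def begin_sign_in(self, device_id, password, now=None):
        """Step 1: check the password, then push a code to trusted devices."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(password, self.password):
            return "bad-password"
        if device_id in self.trusted_devices:
            return "signed-in"          # trusted device: no second prompt
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[device_id] = [code, now, 0]
        # Code is shown on every already-trusted device; if there is none,
        # fall back to the trusted phone number.
        targets = sorted(self.trusted_devices) or [self.trusted_phone]
        for target in targets:
            self.delivered.append((target, code))
        return "code-required"

    def complete_sign_in(self, device_id, code, now=None):
        """Step 2: verify the code; on success the new device becomes trusted."""
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None:
            return "no-pending"
        stored, issued_at, _ = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self.pending[device_id]
            return "expired"
        entry[2] += 1
        if entry[2] > MAX_ATTEMPTS:
            del self.pending[device_id]    # too many guesses: start over
            return "locked"
        if not hmac.compare_digest(stored, code):
            return "wrong-code"
        del self.pending[device_id]
        self.trusted_devices.add(device_id)
        return "signed-in"

    def remove_device(self, device_id):
        """Removing a device from the list means it will be prompted again."""
        self.trusted_devices.discard(device_id)

    def change_password(self, new_password):
        """A password change drops all trust, so every device re-verifies."""
        self.password = new_password
        self.trusted_devices.clear()
        self.pending.clear()


if __name__ == "__main__":
    acct = TwoFactorAccount("correct horse", ["iphone"], "+1-555-0100")
    print(acct.begin_sign_in("macbook", "correct horse"))   # code-required
    code = acct.delivered[-1][1]                            # shown on "iphone"
    print(acct.complete_sign_in("macbook", code))           # signed-in
    print(acct.begin_sign_in("macbook", "correct horse"))   # signed-in, no prompt
```

The two defensive details worth noting are that the code is compared with `hmac.compare_digest` rather than `==`, and that a pending code is discarded after it expires or after too many wrong guesses, so a six-digit space cannot simply be enumerated.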

If users lose access to all of their devices, they can request the account recovery process to be started and provide a verified phone number for receiving information (via messages or phone calls). The company will review each case, and point users to a site where they will be required to go through several steps in order to gain access to their accounts.

“Account recovery will take a few days—or longer—depending on what account information you are able to provide. The process is designed to get you back into your account as quickly as possible while denying access to anyone who might be pretending to be you,” the company explained, which to me seems to indicate that the review process is performed by actual people.

Apple has made another move to help legitimate users regain access to their accounts while keeping attackers adept at social engineering out: Apple Support can answer users’ questions about the account recovery process, but support operators will not be able to verify their identity or expedite the process in any way.