How to Set Up Two-Factor Authentication for Multiple Apple IDs on One Device

As of February 27, 2019, Apple is requiring that all Developer accounts with an Account Holder role be secured with two-factor authentication in order to ensure that only the account owner is able to sign into the account.


Two-factor authentication involves a pop-up code being generated on trusted devices linked to an Apple ID any time a login attempt is made unless you've logged with that same browser within the past 30 days and selected the option to trust it. That verification code from the trusted device must then be entered for the login to be approved.

The requirement has caused some confusion among developers who have multiple Apple IDs, particularly those who use a dedicated Apple ID for their Developer account that is separate from their primary iCloud account used on their devices.

Apple has posted a developer support document that outlines a few ways to enable two-factor authentication on a non-primary Apple ID, but Apple's suggestion for iOS involves signing out of your primary iCloud account. That can be a hassle as your phone unsyncs and tries to delete content associated with that account, so it's better to use other methods if you can.

Turning on two-factor authentication for an alternate Apple ID and getting it to work properly with trusted iOS devices without signing out of your primary Apple ID requires a few steps, but once they're done the feature should work seamlessly.

Activating Two-Factor Authentication on an Alternate Apple ID


For this portion of the process, you'll need access to a Mac where you have permissions to create new user accounts.
  1. Open System Preferences and click on Users & Groups.

  2. Click the lock at the bottom left corner and enter your administrator password to allow changes.

  3. At the bottom of the user list on the left, click the + button and set up a new Standard user account, entering a name, account name, and password and clicking on "Create User."

  4. If you have fast user switching activated, click on your name or icon near the right side of the menu bar, and choose the new user account you just set up. If fast user switching is not active, you'll need to either turn it on in the Login Options section of Users & Groups in System Preferences or completely log out of your current account and then choose the new account.

  5. Enter the password to log into the new account, and skip through the setup steps as quickly as possible, unchecking options or selecting "set up later" for various features whenever possible.

  6. Once the user account is configured and you've reached the Mac desktop, head to System Preferences and click on iCloud.

  7. Sign in with the Apple ID you want to activate two-factor authentication for. Once you've entered the password, the system will ask if you want to set up two-factor authentication. Select Continue.

  8. Enter a phone number where you can receive a text message or phone call to verify your identity.

  9. When you receive a verification code at that number, enter it on your Mac and finish the setup steps, unchecking all options. Two-factor authentication is now up and running on your Mac for your desired Apple ID. Keep this user account open on your Mac for the next step unless you want to use a text message verification code to the phone number you entered as a fallback.

Setting Up an iPhone or iPad as a Trusted Device


You don't want to leave this unneeded user account up and running on your Mac as the only method for approving logins that doesn't require a text message, so you'll want to set up an iPhone or iPad as a trusted device for this Apple ID.
  1. Open the Settings app on your iOS device and tap on Passwords & Accounts

  2. Tap on Add Account and choose iCloud, then enter the Apple ID and password for the account you just set up two-factor authentication for on your Mac. You'll be prompted for verification, which should pop up on your Mac where you can allow the login and view the verification code to enter on your iOS device. (If you already logged out of or deleted the Mac user account, you can choose the "Didn't get a verification code" option and select "Text Me" to receive a code via SMS.)

  3. Once you're authenticated, the Apple ID login will finish and you'll be offered a list of iCloud features including Mail, Contacts, Calendars, and Reminders on your iOS device. Turn all of these toggles off and tap Save.

  4. Your Developer Apple ID account is now logged in on your iOS device and it can receive verification requests whenever you try to log into that Apple ID. It will show as "Inactive" in the account list on your device because all of the iCloud features of the account have been toggled off.
The final step of the process is to clean up the Mac you used to turn on two-factor authentication. Log out of the account on the Mac, switch to an account with administrator privileges, head back to the Users & Groups section of System Preferences, click on the lock to allow changes, highlight the temporary account you agreed, and hit the minus button. Choose to delete the account entirely rather than archiving it, and you're done.


This article, "How to Set Up Two-Factor Authentication for Multiple Apple IDs on One Device" first appeared on MacRumors.com

Discuss this article in our forums

Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks

New York resident Jay Brodsky has filed a frivolous class action lawsuit against Apple, alleging that the company's so-called "coercive" policy of not letting customers disable two-factor authentication beyond a two-week grace period is both inconvenient and violates a variety of California laws.


The complaint alleges that Brodsky "and millions of similarly situated consumers across the nation have been and continue to suffer harm" and "economic losses" as a result of Apple's "interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in."

In a support document, Apple says it prevents customers from turning off two-factor authentication after two weeks because "certain features in the latest versions of iOS and macOS require this extra level of security":
If you already use two-factor authentication, you can no longer turn it off. Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks. Just open your enrollment confirmation email and click the link to return to your previous security settings. Keep in mind, this makes your account less secure and means that you can't use features that require higher security.
The complaint is riddled with questionable allegations, however, including that Apple released a software update around September 2015 that enabled two-factor authentication on Brodsky's Apple ID without his knowledge or consent. Apple in fact offers two-factor authentication on an opt-in basis.

Brodsky also claims that two-factor authentication is required each time you turn on an Apple device, which is false, and claims the security layer adds an additional two to five minutes or longer to the login process when it in fact only takes seconds to enter a verification code from a trusted device.

The complaint goes on to allege that Apple's confirmation email for two-factor authentication enrollment containing a "single last line" alerting customers that they have a two-week period to disable the security layer is "insufficient."


Brodsky accuses Apple of violating the U.S. Computer Fraud and Abuse Act, California's Invasion of Privacy Act, and other laws. He, on behalf of others similarly situated, is seeking monetary damages as well as a ruling that prevents Apple from "not allowing a user to choose its own logging and security procedure." Read the full document.


This article, "Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks" first appeared on MacRumors.com

Discuss this article in our forums

YubiKey Gains iOS SDK to Enable Secure 2FA Logins in Select Apps Using NFC

Yubico is a company that sells the "YubiKey," a small piece of hardware that protects access to computers and online accounts by providing strong two-factor authentication in lieu of receiving a text message code on a smartphone or other 2FA steps. With the NFC-equipped YubiKey NEO, Android users have been able to authenticate their log-ins with a tap, and this week Yubico announced that ability has launched for iPhone users as well (via The Next Web).


With the launch of the YubiKit 1.0.0 iOS SDK, the company is allowing developers to add support for the YubiKey NEO into their iOS apps, starting with sole support from LastPass. Once set up with a LastPass account, the YubiKey NEO generates a one-time password, and when the user gets to the 2FA log-in screen, they simply tap the NEO near the back of the iPhone to authenticate.

It has been possible for developers to integrate with YubiKey NEO since iOS 11 launched in September, but the debut of the SDK should lead to wider adoption since it will be far easier for developers to introduce support for the device's NFC abilities.

The NEO does not require a battery to function, nor does it need network connectivity, and Yubico says that it is "four times faster" than typing a traditional one-time passcode. In addition to NFC, the device has a dongle for USB-A connectivity so it can double as an authenticator on laptop and desktop computers, and Yubico says that it's crush resistant and waterproof.


The YubiKey NEO is supported on iPhone 7 devices and newer, and for LastPass the feature is supported under the Premium, Families, Teams, and Enterprise subscription tiers. Yubico hasn't yet revealed which apps might next launch support for the YubiKey NEO on iOS devices. YubiKey can already securely log users in on macOS 10.12 or later, and the product integrates with hundreds of services and applications online.

Those interested can purchase the YubiKey NEO from the company's website for $50.


Discuss this article in our forums

How to Secure Your Apple ID Using Two-Factor Authentication

Apple introduced two-factor authentication (2FA) in 2015 to provide an enhanced level of security when accessing Apple ID accounts. With 2FA enabled, you'll be the only person who can access your account, regardless of whether someone learns your password – as the result of a hack or a phishing scam, for example – so it's well worth taking the time to enable the feature. In this article, we'll show you how.

How Two-Factor Authentication Works


2FA offers hardened security during login attempts by requesting that the user provides an extra piece of information only they would know.


With 2FA enabled on your Apple ID account, the next time you try to log in you will be automatically sent a six-digit verification code to all the Apple devices you have registered to that Apple ID. If you try to access the account from an unknown device or on the web, 2FA also displays a map on all registered devices with an approximate location of where the Apple ID login attempt occurred.

In basic terms, this is an improved version of Apple's older two-step verification method, which prompted users to send a four-digit code to a registered SMS-capable device. Apple automatically upgraded most two-step verification users to 2FA as of iOS 11 and macOS High Sierra, but if you're still on two-step verification for some reason, follow the steps below to manually upgrade to 2FA.

How to Turn Off Two-Step Verification



  1. Open a browser and go to appleid.apple.com

  2. Enter your Apple ID and password in the login fields.

  3. In the Security section of your account page, click the Edit button on the right.

  4. Check to make sure two-step verification is enabled rather than two-factor authentication, and click Turn off two-step verification.

How to Turn On Two-Factor Authentication in iOS


To turn on 2FA using an iPhone or iPad, it needs to be running iOS 9 or later. Note that if you're running iOS 10 or later and you have any other, older devices tied to your Apple ID that aren't compatible with 2FA, you'll receive a compatibility warning during the setup process.

On top of that, you'll also be asked to append a six-digit code to the end of your password whenever you authenticate a login on your older devices in future. You can potentially avoid this hassle by updating those devices to the latest version of iOS or macOS where possible.

With that in mind, perform the following steps on your iOS device:

  1. Open the Settings app and tap your Apple ID banner at the top of screen.

  2. Tap Password & Security.

  3. Tap Turn On Two-Factor Authentication, and then tap Continue on the next screen.

  4. Tap Turn On Anyway if you see a compatibility warning about older devices.

  5. Check your phone number is correct. (If it isn't, tap Use a Different Number at the bottom of the screen and input a new number.)

  6. Select Text message or Phone call for verification, and then tap Next.

  7. Enter your Passcode.

How to Turn On Two-Factor Authentication on a Mac


If it's a Mac you're using to enable two-factor authentication then make sure it's running OS X El Capitan or later. To turn on 2FA on Mac, follow these steps:
  1. Click the Apple () symbol in the menu bar at the top left of the desktop, and select System Preferences.

  2. Click the iCloud preferences pane.

  3. Click the Account Details button and select the Security tab.

  4. Click Turn on Two-Factor Authentication, and then click Continue in the drop-down pane.

  5. Check your phone number is correct and click Continue.

Verification Codes


With 2FA enabled, you'll be prompted to enter a new verification code every time you log in to your Apple ID account using iCloud.com or another Mac or iOS device. These codes will automatically appear on devices that are already logged into your Apple ID, but you can also request them manually using an iPhone or iPad, like so:
  1. Open the Settings app and tap on your Apple ID banner at the top of the screen.

  2. Tap Password & Security.

  3. Tap Get Verification Code.



Discuss this article in our forums

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.


Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.
Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.
Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.


The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.


Discuss this article in our forums