Two-Factor Authentication and One-Time Passwords
MacMAD Meeting Topic for June 20, 2017
Your Apple ID is your single set of credentials for everything from Apple, including:
- iCloud files, calendars, contacts, etc.
- purchases on the iTunes store
- buying hardware on the Apple Store
This is pretty important stuff, right? You don’t want your credentials to fall into the wrong hands! Until recently, those credentials consisted of only your username and password, which seldom change. If a bad guy got hold of those, he’d have complete access to your Apple identity.
To help prevent that, Apple set up Two-Factor Authentication (2FA). With 2FA, in addition to username and password, you must also give a verification code. Verification codes are sent to your phone or other trusted device. The verification code is different each time you log on.
Two-Factor Authentication is optional for users. However, you may now be forced to use it if you use certain apps — those which access your iCloud account.
Some apps require access to your files in iCloud, and therefore need your iCloud credentials to do so. This is fine, but you don’t want them to have the keys to your entire kingdom, do you? You don’t want a calendar app to order a new Macintosh, or delete your photos.
To control such apps, Apple now requires them to access iCloud using a one-time password. This lets the app sign in without a 2FA verification code, but with a special password that is usable only by that app and only for limited purposes. Once you give a one-time password to an app and the app uses it, that password can never be used again for any other purpose.
You do not need to store or remember one-time passwords. If for some reason you need to re-authorize an app, you can simply generate a new one-time password for it. Dennis explains how to do all this in these slides from this month’s meeting: