iOS 9 two-factor authentication teaser 001

Two-Factor Authentication strengthens the security of your Apple ID by preventing anyone from accessing or using it, even if they know your password. With Two-Factor Authentication, one of your trusted devices generates a one-time code when you make a purchase or sign in to your Apple ID, iCloud,, iMessage, FaceTime or Game Center account on a new device. Two-Factor Authentication is also required for Auto Unlock so you can unlock your Mac by wearing an Apple Watch.

In this tutorial we’ll show you how to protect your Apple ID with Two-Factor Authentication or, if you’re still using the older and less secure Two-Step Verification, upgrade to Two-Factor Authentication.

Two-Factor Authentication vs. Two-Step Verification

Two-Factor Authentication is the preferred protection system for Apple IDs.

It replaces Two-Step Verification and is more secure because it’s integrated deeply into the bowels of iOS and macOS. The older, less reliable Two-Step Verification system relies on different methods to trust devices and deliver verification codes.

With Two-Factor Authentication enabled, a six-digit code is required to verify your identity using one of your devices or another approved method before you can:

  • Sign in to your Apple ID account page on the web
  • Sign in to iCloud on a new device
  • Sing in at in a web browser
  • Sign in to iMessage, Game Center or FaceTime or a new device
  • Make an iTunes, iBooks or App Store purchase from a new device
  • Get Apple ID related support from Apple

See Apple’s support document for more information about Two-Factor Authentication, including an up-to-date list of countries where this feature is available.

System requirements for Two-Factor Authentication

In order to use Two-Factor Authentication, you must own one of the following devices:

  • iPhone, iPad or iPod touch with iOS 9 or later
  • Mac with OS X El Capitan or later and iTunes 12.3 or newer
  • Apple Watch with watchOS 2 and up
  • Windows PC with iCloud for Windows v5.0 or later and iTunes 12.3.3 and up

Logging into your Apple ID on a device that has software earlier than specified above may yield a message saying Two-Factor Authentication is unavailable so make sure your gadgets meet the requirements and run the latest software.

Protecting Apple ID with Two-Factor Authentication

If your Apple ID is protected with the older Two-Step Verification method, you must first disable it before you can opt in to Two-Factor Authentication, Unfortunately, Apple does not provide a direct upgrade path for Two-Factor Authentication.

If you already use the newer Two-Step Verification system, skip this section and proceed with the steps outlined in the section titled “Enabling Two-Factor Authentication”.

Disabling Two-Step Verification

1) Sign in to your Apple ID account page using a desktop web browser.

2) Click Edit under the Security heading.

3) Click Turn Off Two-Step Verification, then create three new security questions and verify your birth date and phone number when asked.

Apple ID two-factor authentication web screenshot 001

You will receive an email from Apple confirming that Two-Step Verification for your Apple ID account has been turned off and the Apple ID account page will reflect the change.


You can now protect your Apple ID with Two-Factor Authentication.

Enabling Two-Factor Authentication

1) Go to System Preferences → iCloud → Account Details → Security on your Mac. Alternatively, open Settings → iCloud → your Apple ID → Password & Security on your iPhone, iPad or iPod touch.

2) Click Set Up Two-Factor Authentication and follow the onscreen instructions.

OS X El Capitan System Preferences iCloud two-factor authentication Mac screenshot 001

You must provide three security questions and answers, verify your birth date, add a rescue email and verify a mobile phone number where Apple will send you verification codes when your trusted devices are unavailable.

If you see a message that some of your devices are incompatible with Two-Factor Authentication, hit Turn On Anyway to continue. Enrolling in Two-Factor Authentication will replace your iCloud Security Code with your device passcode.

To enable Two-Factor Authentication on the web: log into the Apple ID account page, click Edit under the Security heading, hit the link “Get Started…” below the Two-Step Verification heading and follow the onscreen instructions.


The Apple ID account page lists under the Trusted Devices heading all your Apple devices which are capable of generating Two-Factor Authentication codes. Any iOS device with Find My iPhone enabled can generate these codes.

RELATED: how to add or remove trusted devices for Two-Factor Authentication.

Now all that’s left for you to do is double-check that Two-Factor Authentication has really been enabled by following the instructions below.

Verifying that Two-Factor Verification is enabled

To double check that you’re using Two-Factor Authentication or that you’ve successfully upgraded your Apple ID from the older Two-Step Authentication system to the more secure Two-Factor Verification, do the following:

1) On your Mac, open System Preferences → iCloud, click the Account Details button, then click the Security tab and make sure Two-Factor Authentication is on.

2) On your iPhone, iPad or iPod touch, go to Settings → iCloud, tap your name to reveal account details, then tap Password and Security and make sure that Two-Factor Authentication is on.


3) If you own an Apple Watch, open the companion Watch app, go to My Watch → General → Apple ID and verify your Apple ID is showing.


That’s it, your Apple ID account is now protected with Two-Step Verification.

How to use Two-Factor Authentication

With Two-Factor Authentication enabled, you’ll verify your identity by entering both your Apple ID password and a six-digit verification code any time you sign in to the Apple ID page or, make an iTunes, iBooks or App Store purchase from a new device or sign in to iMessage, FaceTime or Game Center on a new device.


A prompt that goes up on your trusted devices includes a mini-map showing you where the sign-in attempt is coming from. Tap Allow to get a one-time six-digit verification code that you must type into your other device to verify the login attempt.

How to manually generate Two-Factor Authentication codes

You can also manually generate a verification code at any time:

On your iOS device, go to Settings → iCloud, tap on your account name at the top, then hit Password & Security and select Get Verification Code.


On your Mac, click the Account Details button in System Preferences → iCloud, then click the button labeled Get A Verification Code found under the Security tab.


Now enter your six-digit verification code into your other device to sign in.

With Two-Step Verification enabled, your Apple ID account will be more secure than ever and you will be able to use advanced features like Auto Unlock in macOS Sierra and watch OS 3 which lets you get into your Mac simply by wearing an authenticated watch.

  • Agneev Mukherjee

    Thanks, Christian for pointing out the difference between two-factor and two-step…

  • Agneev Mukherjee

    Is there a lock screen notification when the login is requested?

  • Agneev Mukherjee

    You sure can afford all of em’…

  • Ninja Ass

    To enable this does you need more then one apple product?? I have only one iPhone 5c.

    • No, you can have just one device and you’ll receive verification codes on it or, if you cannot receive verification codes there, you can get them via SMS

      • Ninja Ass

        Ohk thanks christian and great tutorials.

  • LanceTX

    The section referencing the Apple Watch isn’t accurate though. My Apple ID was showing up in the Watch app as illustrated above, but it was not yet a trusted device. I could not find any way to get it to become trusted, so I had to resort to unpairing it from my iPhone and then immediately turning around pairing it back up again. After that it was finally listed as trusted and it now works to unlock my iMac.

  • Vanasian

    I enabled the 2FA when I upgraded to iOS 10. I restored my phone as new yesterday because my battery drained pretty fast. After restoring, I was stuck on the setup stage because I couldn’t receive 2FA verification code. End up I had to restore it from the backup and skipped Apple ID during the setup. I wonder if there is any better way to setup my phone as new?

    • Guido Amani

      with the good old two-step, you would be able to use the recovery key.
      i still don’t get it, how is TFA any better tthan TSV? tsv use find iPhone to deliver the code, which as secure as tfa. they both use sms as an optional delivery mechanism, which is a weak point if someone is resourceful enough and you are a high value target. but most importantly, if you don’t have any of the two things required in tsv, you will be locked out forever, apple won’t help you, they made it crystal clear…to me, this is more secure. you have total control of your account.

  • becoolyolanda

    still unclear as to what happens when logging on to unsupported hardware/software. Until thats explained, no can do…

  • Galaxy_Surfer_007

    Does this mean that one would have to sign in *twice * to access iCloud *email*? That is, password and authentication code?! That would be a huge hassle!

  • Jeff Laing

    I enabled this and then had the ludicrous situation where logging on to an iCloud service on my phone, prompted me for the six digit code, and then displayed a notification ON THE SAME DEVICE telling me what the code was.

    That’s not “two factor” authentication. They should not be sending the code to any device that is currently trying to log on to a TFA protected service.

  • CanAmSteve

    Just went through this awful process (just look at all the steps required!) so that I could read my Mac Mail on my Android phone. I then turned the awful Apple 2FA off and – you guessed it – the app-specific password stopped working on Android.

    Bye-bye Mac Mail – hello GMail