If you haven’t enabled Two-Factor Authentication (2FA) protection for your Apple account yet, you’re wholeheartedly recommended to do so at your earliest convenience.

Just to be clear right from the start, Two-Factor Authentication is different from Two-Step Verification, which is the older, less secure method built directly into iOS 9 and OS X El Capitan.

Without 2FA active, a nefarious party that manages to get hold of your Apple ID password can access your contacts, calendars, notes, emails and other private information, see your synced photos, browse your iCloud files and so forth.

And believe me, those Apple ID security questions are not bullet-proof: a rogue user might be able to figure out your Apple ID password relatively easily through social engineering and by other means.

TUTORIAL: How to turn on and use 2FA

With 2FA, your Apple ID user name and password (something you know) are not enough to access Apple services: every login from a new device must be authorized further with the ephemeral six-digit code that gets automatically pushed and displayed on your trusted devices (something you own).

With 2FA enabled, your Apple ID account, iCloud data and other Apple services can only be accessed on devices you own and trust, like your iPhone, iPad, Mac, Apple TV and so forth.

Because your password alone is no longer enough to access your account, 2FA dramatically improves the security of your Apple ID and all the personal information you store with Apple.

You can turn on 2FA on iOS 10.3 or later in Settings → [your name] → Password & Security → Turn On Two-Factor Authentication. If you’re using iOS 10.2 or earlier, go to Settings → iCloud → your Apple ID → Password & Security → Turn On Two-Factor Authentication.

To turn on 2FA on your Mac, go to System Preferences → iCloud → Account Details → Security → Turn on Two-Factor Authentication.

You might be asked to answer your Apple ID security questions.

2FA gives your Apple ID an extra layer of security

2FA requires that you provide your Apple ID user name, password and a verification code every time you log in to iCloud and other Apple services like iMessage on a new device or browser.

But what if you no longer have access to any of your trusted devices and/or your 2FA Recovery Key? Wouldn’t that lock you out of your Apple ID forever? Not quite, because 2FA can also verify your identity with a code sent to a trusted phone number.

TROUBLESHOOTER: Unable to sign in or reset your Apple ID password when using 2FA

Using a trusted number, 2FA can verify your identity with a text message or phone call.

When setting up 2FA for the first time, you’ll need to verify at least one phone number to enroll in it. If you already use 2FA, you can easily verify additional phone numbers for 2FA.

Having a trusted phone number on your Apple ID gives you a fallback for those situations when all of your trusted devices might be temporarily offline (or, worse, stolen or destroyed).

“You should also consider verifying other phone numbers you can access, such as a home phone or a number used by a family member or close friend,” Apple advises. “You can use these numbers if you temporarily can’t access your own devices.”

How to add a trusted phone number for 2FA

You can easily manage your trusted phone numbers, as well as trusted devices for 2FA and other account information, right from the Apple ID account page.

To add a trusted phone number to your Apple ID for 2FA verification, do the following:

1) In your browser, go to appleid.apple.com.

2) Sign in with your Apple ID user name and password.

3) In the Security section, click the Edit button.

4) Click the option labeled Add a Trusted Phone Number.

5) Choose your country from a popup menu.

6) Type in the mobile phone number you’d like to use with 2FA.

Avoid prefixing your phone number with a country code because you already chose your country in the previous step. As an example, if your US phone number is (408) 974-2042, just type it in as-is without using the international variant +1 (408) 974-2042.

7) Choose how you’d like to be verified.

  • SMS: Click the radio button Text Message to verify the number with a text message.
  • Phone call: If the phone number you provided cannot receive SMS, click the radio button Phone Call to have the system verify it with an automated phone call.

To avoid complications, you’re strongly advised not to register your Skype number or your Google Voice number with 2FA.

8) Click Continue to proceed.

9) Type in the six-digit verification code sent via SMS or automated phone call to the number you provided in the previous step. If you haven’t received this code yet, click the button labeled Send a new code. To abort the operation, click Cancel.

10) Once your phone number is verified, click Done in the upper-right corner of the Security section to save your changes.

TIP: You can easily remove one or more trusted numbers at any time. To remove a trusted number from your Apple ID, click the “x” icon next to the phone number you want to remove.

2FA and SMS security

Unless all of your trusted devices are unavailable or offline, you’re advised to avoid having your 2FA verification code sent to your phone number via SMS or automated phone call. That’s because delivering security codes through text messages has been shown to be vulnerable to hijacking and spoofing attacks, often carried out through social engineering.

“SMS is just not the best way to do this,” warns security researcher and forensics expert Jonathan Zdziarski. “It’s depending on your mobile phone as a means of authentication in a way that can be socially engineered out of your control.”

SMS is the weakest link in two-step logins. For instance, a rogue party might call up your carrier and impersonate you to convince support to redirect your text messages to their SIM card.

Zdziarski explains:

SMS has turned that ‘something you have’ into ‘something they sent you.’ If that transaction is happening, it can be intercepted. And that means you’re potentially at some level of risk.

Besides, various authoritarian governments might be tempted to hijack the SMS messages that a political dissident might need to verify their identity with Apple’s 2FA system.

Need help? Ask iDB!

If you like this how-to, pass it along to your support folks and leave a comment below.

Got stuck? Not sure how to do certain things on your Apple device? Let us know via help@iDownloadBlog.com and a future tutorial might provide a solution.

Submit your how-to suggestions via tips@iDownloadBlog.com.