How to set up two-factor authentication for iCloud

You may have heard that Apple is implementing two-factor authentication for some new iCloud services, and so today I wanted to show you how to set that up.

Two-factor authentication--called two-step verification in the Apple ecosystem--is a security system whereby you have to supply two things--instead of just a single password--to log in to an online (or other) service. Typically, those two factors are a password and a code that the service sends to your cell phone. Requiring those two factors, instead of just one, makes it a lot harder for online miscreants to pretend they're you.

Setting up two-factor authentication for iCloud is really simple, though it does require multiple steps. The first thing you do is log in to your iCloud account at You then open Account Settings by clicking on your name in the upper right corner, then on your Apple ID. That'll open a new tab in your browser and take you to the My Apple ID page.

There, you click on Manage Your Apple ID and sign in (once again). That done, open this Password and Security link. When you do so, you'll be asked to answer a couple of security questions; do that, then click on Continue. You'll then go through three instructional screens, explaining the risks and rewards of two-step verification. When you're ready, click on the Get Started button.

That'll take you to this screen, where you supply the phone number of a phone where you can receive SMS messages. (Apple is going to send you a code via SMS; that code is the second factor in the process.) Once you do so, you'll get to this Verify Phone Number screen.

Now switch over to your phone. You should have a new SMS message there, containing a four-digit code. Go back to your Mac browser and enter that code in the Verification Code boxes.

That done, you can now verify devices that you've already registered with Find My iPhone. (Among other things, this allows Apple to send you verification codes via push notification, rather than SMS.) To do that, select a device from the list and click on the Verify link. Once again, Apple will send you a verification code; go through the same process you did before to look up and enter that code.

When you lick on the Continue button, Apple will generate a Verification Key for you. This key can be used to unlock your account should you ever be without the phone you've just registered. Contrary to usual security practices, you actually want to print out this verification key and keep it stored somewhere safe, where you can get to it in an emergency.

After you re-enter this verification key, you'll get to the final step, at which point you actually enable two-step verification. You have to check a box acknowledging the consequences of doing so, then click the Enable Two-Step Verification button, then the Done button after that.

That's it. From now on, when you log in to to manage your account, make a purchase from a new device, get Apple ID-related support, or use one of Apple's Web apps on, Apple will check to make sure you are who you say you are by sending a verification code to the phone you registered with the service. You enter your usual password plus that code to get in.

Join the CSO newsletter!

Error: Please check your email address.

Tags iCloudsecurity

More about Apple

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Dan Miller

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place