Apple sent an email to developers stating that later this month, two-factor authentication will be required for Apple IDs used for developer accounts.
If you, like me, use separate Apple IDs for your personal iCloud account and your developer account, this poses a challenge. There is a solution, but Apple does not document it very well.
Update: Apple now has a very detailed support page for this topic.
Two-factor authentication for the primary account
Assumption: you have two-factor authentication (2FA) enabled on your primary, personal Apple ID, and are logged in to that account on your Mac(s) and iOS devices. If you haven’t done that yet, do it now. 2FA does increase your account security significantly.
- Apple Support: Two-factor authentication for Apple ID
You can enable 2FA on any device logged in to the account, in the iCloud settings or preference pane. As part of the setup you provide one or more phone numbers as a fallback mechanism: if no trusted device can be prompted through Apple’s built-in 2FA, Apple sends a code by SMS to a trusted phone number. You can use the same phone number for multiple Apple IDs, but there seems to be a limit on how many accounts may share one number.
Enable 2FA for the secondary account
Assumption: The secondary account is your developer Apple ID, you don’t use it for iCloud storage, device backups, mail etc. You use it to log in to developer.apple.com and iTunes Connect, and to get all the certificates and other resources you need as a developer.
The challenge here is that you can only enable 2FA on the first account logged in to iCloud on a device. You could log out of your primary iCloud account and then log in with the secondary one, but this will disrupt a lot of things on your device. I’d rather avoid that.
On a Mac, you can have a separate iCloud account for each local user. So, it is easiest to create a second user account, log out of your first account, log in to the new second account and set up iCloud and 2FA for the developer Apple ID on this second local account.
You can sign in with the secondary Apple ID and enable 2FA in System Preferences -> iCloud -> Account Details -> Security, as described in Apple’s support article.
Follow the prompts to set up 2FA; you can re-use the same phone number as a trusted number. (There seem to be limits on how often you can use the same phone number, but two accounts work fine for me.)
Once 2FA is set up, we no longer need the second user account on the Mac. Sign out of iCloud, log out of the second user account and log back in to your normal user account.
If you are fine with receiving the verification codes only by SMS (with no trusted device left, this is roughly what Apple’s older ‘two-step verification’ offered), you are done. However, codes over SMS are widely considered an inadequate second factor, since they can be intercepted or redirected with a SIM swap at the carrier, so we want to go to ‘full’ 2FA with prompts on trusted devices.
Use the secondary Apple ID
As it turns out, you can be logged in to multiple iCloud accounts on the same device or user account. Certain services, such as iCloud storage or the Photo Library, only work with the primary iCloud account, but other services, including 2FA prompts, work for all iCloud accounts.
On your iOS device go to Settings > Passwords & Accounts > Add Account, and choose to add another iCloud account. You probably want to turn off all services, like Mail, Calendar, etc., for the secondary account.
On the Mac you can do the same in System Preferences > Internet Accounts. You can use both your Mac and iOS devices for 2FA.
Now the secondary Apple ID will send its 2FA prompts to the devices where you added it.
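To verify on a Mac that the secondary Apple ID really sits next to the primary one, the following shell script (an added example, not from the original post) parses the output of `defaults read MobileMeAccounts Accounts`, which lists the iCloud accounts of the current macOS user; the first entry in that list is the primary account. The key names `AccountID` and `DisplayName` are assumed from that output, and the sample listing embedded in the script is constructed for the example. On a Mac the script runs against the live account list; elsewhere it falls back to the sample.

```shell
#!/bin/sh
# Added example (not part of the original post): list the iCloud accounts
# configured for the current macOS user, to confirm that the secondary
# (developer) Apple ID sits next to the primary one after the steps above.
#
# macOS keeps a user's iCloud accounts in ~/Library/Preferences/MobileMeAccounts.plist;
# `defaults read MobileMeAccounts Accounts` prints them as an array of
# dictionaries, the first of which is the primary iCloud account. The key
# names AccountID and DisplayName are assumed from that output.

# Parse `defaults read` output from stdin and print one line per account:
#   primary|secondary <TAB> AccountID <TAB> DisplayName
parse_icloud_accounts() {
    awk '
        # Strip "Key = " plus the trailing ";" and quotes from a plist line.
        function value(line) {
            sub(/^[^=]*= */, "", line)
            sub(/;[ \t]*$/, "", line)
            gsub(/"/, "", line)
            return line
        }
        {
            nopen  = gsub(/[{]/, "{")   # dictionaries opened on this line
            nclose = gsub(/[}]/, "}")   # dictionaries closed on this line
            # Only keys at depth 1 belong to the account itself; deeper
            # dictionaries are the per-service entries under Services.
            if (depth == 1) {
                if ($0 ~ /AccountID = /)   id   = value($0)
                if ($0 ~ /DisplayName = /) name = value($0)
            }
            depth += nopen
            if (nopen > 0 && depth - nopen == 0) { n++; id = ""; name = "" }  # new account
            depth -= nclose
            if (nclose > 0 && depth == 0 && id != "") {                      # account done
                printf "%s\t%s\t%s\n", (n == 1 ? "primary" : "secondary"), id, name
            }
        }
    '
}

# Constructed sample in the format `defaults read` uses (not real account data).
SAMPLE_ACCOUNTS='(
        {
        AccountDescription = iCloud;
        AccountID = "jane@example.com";
        DisplayName = "Jane Doe";
        LoggedIn = 1;
        Services =         (
                        {
                Enabled = 1;
                Name = "MOBILEME_CONTACTS";
            },
                        {
                Enabled = 1;
                Name = "CLOUDDESK";
            }
        );
    },
        {
        AccountDescription = iCloud;
        AccountID = "jane-dev@example.com";
        DisplayName = "Jane Doe (Developer)";
        LoggedIn = 1;
        Services =         (
                        {
                Enabled = 0;
                Name = "MOBILEME_CONTACTS";
            }
        );
    }
)'

# Use the live account list on a Mac, the constructed sample elsewhere.
icloud_accounts() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read MobileMeAccounts Accounts | parse_icloud_accounts
    else
        printf '%s\n' "$SAMPLE_ACCOUNTS" | parse_icloud_accounts
    fi
}

icloud_accounts
```

If the developer Apple ID is missing from the output, or shows up as `primary`, the order of the steps above was not followed: the personal account must be the first (primary) iCloud login, and the developer account is added afterwards through Internet Accounts.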
Great hint! However, 2FA does not list my devices logged in on the secondary iCloud account, since it requires Find My Phone to be active (and it can be active only with my main personal iCloud account).
I am not sure what to reply, other than ‘it works for me?’ Even with ‘Find my iPhone’ not shown for the second account, it does trigger 2FA prompts.
What a freaking terrible process. Every other company just uses TOTP, which is an easy process. Apple instead makes it extremely difficult.
While I share concerns about Apple’s process I would disagree that TOTP is “easy.” The user experience to set that up is not “easy” or “friendly” in any way. You’re just already familiar with it.
You must not log out of the second user you created on your Mac before adding the second account on your iPhone, as the former is needed to verify the latter.
When I set up the second account on my iPhone, it fell back to text message to authorize. But you can also use 2FA before logging out and deleting the user on the Mac; that makes sense, too.
Historically Apple forced many people who are not developers to have 2 accounts; I have them for iTunes and then iCloud facilities for syncing. They do not allow them to merge; they recommend having 2-factor authentication but provide no facilities to do so. For a so-called company that is supposed to thrive on integration, this is about as joined up as an undone jigsaw puzzle. What a mess!
It is a surprise to find that for Apple devices more people are searching for ways to disconnect 2FA than those looking to implement it. Hopefully thanks to guides like this the trend will change.