Developer Apple ID’s to Require Two-Factor Authentication
Apple (via e-mail):
In an effort to keep your account more secure, two-factor authentication will be required to sign in to your Apple Developer account and Certificates, Identifiers & Profiles starting February 27, 2019. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account. If you haven’t already enabled two-factor authentication for your Apple ID, please learn more and update your security settings.
I have two accounts — one for personal use, one for development use — and so do lots of developers.
I don’t know how to make this work. None of my devices are ever signed in to my developer account. That account exists purely for building and distributing apps.
It is possible, but Apple has not done a good job of explaining it.
To register an iOS device with two-factor authentication, you must sign out of your personal Apple ID at the system level, which means you’re signing out of iCloud. This is a highly disruptive action. On a Mac, it’s much easier, because you can associate different MacOS users with their own Apple ID. So, the best recourse to set up two-factor authentication is probably to create a separate user account on your Mac, set it up with your developer Apple ID, and then follow Apple’s directions.
So, if my developer Apple ID is going to require 2FA in two weeks, how is that going to work mixed with my personal Apple ID? Am I right that a device like a phone can only be the trusted device for one Apple ID?
It’s a great example of Apple not thinking things through. Custom system that doesn’t work with every other TFA system, no ability to get the prompts from multiple accounts, and no ability to merge accounts.
To put into perspective how much of a PITA Apple’s bad 2FA will be, I rec’d 14 of the “Teams and roles have been unified.” emails. I have a lot of developer accounts, tied to specific clients. I also often need to log in as the client because they have no clue how ASC works.
Here’s how you can add your developer account to your device to get authentication codes.
[…]
Despite the account being labeled as ‘inactive’ on that account screen, you have added your device as a “trusted” device capable of receiving two-factor authentication codes.
[…]
The one problem is enabling it in the first place - the easiest way is to create a temporary user on your Mac and enable it there, but damn if that isn’t a clunky solution.
I have not, as far as I recall, ever made a separate Mac account or used a dedicated device for my developer account, but somehow I was able, long ago, to enable 2FA using SMS. Some people are worried that Apple will stop allowing this and require an actual iOS device, but I haven’t seen any official indication of that. SMS is more convenient in a lot of situations but less secure.
Never use consumer phone numbers, they are easily stolen. Most telcos only require a name and DOB to port. Get a number that doesn’t have a sim allocated and can’t be ported, such as twilio or google voice.
1. get a dedicated google voice number on a dedicated google account
2. Disable text message forwarding
3. Put THAT account under U2F
4. Create a Mac VM
5. Sign in and activate with that numberI think this is the only decent approach
Lol what about company developer accounts that aren’t attached to any particular device, and thus, not tied to a phone number that can receive SMS?
See also: Cabel Sasser.
Update (2019-02-15): Simone Manganelli:
The SMS thing is “two-step” verification (as opposed to “two-factor”), and though it’s still supported, I dunno if you can activate it on newer devices.
This sudden requirement for 2FA on dev accounts feels rushed and ill-considered.
iCloud device-based 2FA doesn’t fit the way most iOS devs, big and small, use Apple IDs.
Apple should add support for TOTP (Authy, Authenticator, 1Password, etc.) before requiring 2FA.
I called dev support about it two days ago. They completely understood the problem and said they would look at my accounts and let me know the next day how to handle it. No response yet so I think they don’t have an answer yet.
Indie devs are now going to feel the pain us contractors have felt in last year. New dev accounts have been 2FA required for months. I use a google voice number to receive sms codes. Also reverse engineered the 2FA api calls to automate the process for my fastlane builds.
Marco, not publicized is that if you have no device to use for two factor auth, dev support can authorize your dev account to continue using Two Step auth, the 4 digit old method. Call dev support and explain the situation, you will get escalated to a sr. tech who has a process.
Dev support got back to me: “At this time, two-factor authentication is only a requirement for the account holder role”. So you could have a separate account just to be the “account holder”. Still a huge pain though.
Since,I’m the senior iOS dev, but not the account owner, and since there are tasks that only the account owner can do, I know need to go ordinate with the US west time zone (10 hours difference to me) to perform tasks that I would otherwise do in a couple of minutes.
Just removed an Apple ID from an old Mac mini and got a barrage of alerts on phones, watches, Macs about FaceTime being used on a new device that’s not new. Also signed out of the iTunes Store.
If anyone at Apple is wondering why developers are worried about 2FA, see above.
[…]
So let’s recap: I decided (stupidly) to do a little cleanup on my Apple ID. Now I can’t buy anything from Apple. I can’t renew my developer account, get a WWDC ticket, or buy some hardware.
We see fragility in Apple’s backend service a lot more than most customers. And worry.
My fear at this point is that all of these declines is going to trigger something that locks my account and really screws my business up.
See also: Scripting OS X.
Update (2019-02-18): See also: Reddit.
Apple’s forced 2FA is going to go really well. Here’s one of my dev accounts, now completely locked out (unrelated to 2FA). One site says I need to update the country associated with the account, the other says I can’t update it. Now what?…
Update (2019-02-20): Apple:
If your personal Apple ID is different from the Apple ID associated with your Apple Developer account, you can configure your device to allow verification codes to be received for both Apple IDs.
[…]
If your Apple ID has two-step verification enabled and two-factor authentication is available in your country or region, you will need to update to two-factor authentication for increased security.
[…]
You can assign the same trusted phone number to multiple Apple IDs that you use.
[…]
If you previously enabled two-step verification with a recovery key on your account and you sign in on a device running iOS 11 or macOS High Sierra, your Apple ID is automatically updated to two-factor authentication. After your account is updated, you have the option to generate a new recovery key. This option is only available if you are updating an account from two-step verification to two-factor authentication.
But their suggestion to set it up by signing out of iCloud on your phone is pretty nuts. That’s a painful process to go through when your phone starts trying to delete all of your synced iCloud content.
Update (2019-02-26): See also: Accidental Tech Podcast.
Update (2019-03-05): It turns out that my Apple ID did not have 2FA enabled, so today I was forced to choose between logging out of iCloud on my phone and creating a new dummy user.
