Thursday, February 14, 2019

Developer Apple ID’s to Require Two-Factor Authentication

Apple (via e-mail):

In an effort to keep your account more secure, two-factor authentication will be required to sign in to your Apple Developer account and Certificates, Identifiers & Profiles starting February 27, 2019. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account. If you haven’t already enabled two-factor authentication for your Apple ID, please learn more and update your security settings.

Brent Simmons:

I have two accounts — one for personal use, one for development use — and so do lots of developers.

I don’t know how to make this work. None of my devices are ever signed in to my developer account. That account exists purely for building and distributing apps.

It is possible, but Apple has not done a good job of explaining it.

Nick Heer:

To register an iOS device with two-factor authentication, you must sign out of your personal Apple ID at the system level, which means you’re signing out of iCloud. This is a highly disruptive action. On a Mac, it’s much easier, because you can associate different MacOS users with their own Apple ID. So, the best recourse to set up two-factor authentication is probably to create a separate user account on your Mac, set it up with your developer Apple ID, and then follow Apple’s directions.

James Thompson:

So, if my developer Apple ID is going to require 2FA in two weeks, how is that going to work mixed with my personal Apple ID? Am I right that a device like a phone can only be the trusted device for one Apple ID?

Ryan Booker:

It’s a great example of Apple not thinking things through. Custom system that doesn’t work with every other TFA system, no ability to get the prompts from multiple accounts, and no ability to merge accounts.

Dave Wood:

To put into perspective how much of a PITA Apple’s bad 2FA will be, I rec’d 14 of the “Teams and roles have been unified.” emails. I have a lot of developer accounts, tied to specific clients. I also often need to log in as the client because they have no clue how ASC works.

Kyle Seth Gray (tweet):

Here’s how you can add your developer account to your device to get authentication codes.

[…]

Despite the account being labeled as ‘inactive’ on that account screen, you have added your device as a “trusted” device capable of receiving two-factor authentication codes.

[…]

The one problem is enabling it in the first place - the easiest way is to create a temporary user on your Mac and enable it there, but damn if that isn’t a clunky solution.

I have not, as far as I recall, ever made a separate Mac account or used a dedicated device for my developer account, but somehow I was able, long ago, to enable 2FA using SMS. Some people are worried that Apple will stop allowing this and require an actual iOS device, but I haven’t seen any official indication of that. SMS is more convenient in a lot of situations but less secure.

Maxwell Swadling:

Never use consumer phone numbers, they are easily stolen. Most telcos only require a name and DOB to port. Get a number that doesn’t have a sim allocated and can’t be ported, such as twilio or google voice.

Maxwell Swadling:

1. get a dedicated google voice number on a dedicated google account
2. Disable text message forwarding
3. Put THAT account under U2F
4. Create a Mac VM
5. Sign in and activate with that number

I think this is the only decent approach

Tanner Bennett:

Lol what about company developer accounts that aren’t attached to any particular device, and thus, not tied to a phone number that can receive SMS?

See also: Cabel Sasser.

Update (2019-02-15): Simone Manganelli:

The SMS thing is “two-step” verification (as opposed to “two-factor”), and though it’s still supported, I dunno if you can activate it on newer devices.

Marco Arment:

This sudden requirement for 2FA on dev accounts feels rushed and ill-considered.

iCloud device-based 2FA doesn’t fit the way most iOS devs, big and small, use Apple IDs.

Apple should add support for TOTP (Authy, Authenticator, 1Password, etc.) before requiring 2FA.

Andrew Mayers:

I called dev support about it two days ago. They completely understood the problem and said they would look at my accounts and let me know the next day how to handle it. No response yet so I think they don’t have an answer yet.

Matthew Dicembrino:

Indie devs are now going to feel the pain us contractors have felt in last year. New dev accounts have been 2FA required for months. I use a google voice number to receive sms codes. Also reverse engineered the 2FA api calls to automate the process for my fastlane builds.

Gardner von Holt:

Marco, not publicized is that if you have no device to use for two factor auth, dev support can authorize your dev account to continue using Two Step auth, the 4 digit old method. Call dev support and explain the situation, you will get escalated to a sr. tech who has a process.

Nate Petersen:

Dev support got back to me: “At this time, two-factor authentication is only a requirement for the account holder role”. So you could have a separate account just to be the “account holder”. Still a huge pain though.

Konstantinos Kontos:

Since,I’m the senior iOS dev, but not the account owner, and since there are tasks that only the account owner can do, I know need to go ordinate with the US west time zone (10 hours difference to me) to perform tasks that I would otherwise do in a couple of minutes.

Craig Hockenberry:

Just removed an Apple ID from an old Mac mini and got a barrage of alerts on phones, watches, Macs about FaceTime being used on a new device that’s not new. Also signed out of the iTunes Store.

If anyone at Apple is wondering why developers are worried about 2FA, see above.

[…]

So let’s recap: I decided (stupidly) to do a little cleanup on my Apple ID. Now I can’t buy anything from Apple. I can’t renew my developer account, get a WWDC ticket, or buy some hardware.

We see fragility in Apple’s backend service a lot more than most customers. And worry.

My fear at this point is that all of these declines is going to trigger something that locks my account and really screws my business up.

See also: Scripting OS X.

Update (2019-02-18): See also: Reddit.

Dave Wood:

Apple’s forced 2FA is going to go really well. Here’s one of my dev accounts, now completely locked out (unrelated to 2FA). One site says I need to update the country associated with the account, the other says I can’t update it. Now what?…

Update (2019-02-20): Apple:

If your personal Apple ID is different from the Apple ID associated with your Apple Developer account, you can configure your device to allow verification codes to be received for both Apple IDs.

[…]

If your Apple ID has two-step verification enabled and two-factor authentication is available in your country or region, you will need to update to two-factor authentication for increased security.

[…]

You can assign the same trusted phone number to multiple Apple IDs that you use.

[…]

If you previously enabled two-step verification with a recovery key on your account and you sign in on a device running iOS 11 or macOS High Sierra, your Apple ID is automatically updated to two-factor authentication. After your account is updated, you have the option to generate a new recovery key. This option is only available if you are updating an account from two-step verification to two-factor authentication.

Eric Slivka:

But their suggestion to set it up by signing out of iCloud on your phone is pretty nuts. That’s a painful process to go through when your phone starts trying to delete all of your synced iCloud content.

Update (2019-02-26): See also: Accidental Tech Podcast.

Update (2019-03-05): It turns out that my Apple ID did not have 2FA enabled, so today I was forced to choose between logging out of iCloud on my phone and creating a new dummy user.

14 Comments RSS · Twitter

I thought it already used 2FA. At least whenever I log into developer.apple.com I have to do the 2FA code tango.

Typically this means getting a 2FA code on the same device I'm logging in with, which seems.... suboptimal.

Got the note. Did the Mac dance. Specifically, I used the backup Admin account (first created on first boot) and logged into iCloud using my developer account. Somewhere along the line I created yet another iCloud mail account for the (non-iCloud.com) Apple ID. This was followed by the usual drill of login to my developer account from multiple devices and establishing trust where appropriate. After disposing of the flurry of emails about my actions, everything works as expected. I must have spent most of a half hour on the process.

I still dislike having to use SMS for receiving 2FA codes. SS7 has been know to be insecure for a decade or two.

Jon H: Could it be that what you're using is not 2FA but Two Step Verification (2SV)? See here: https://support.apple.com/en-us/HT204152

I, too, have several developer accounts, none of which are tied to my iCloud account. I contacted dev support the other day, explaining the same troubles the others have done above. Still waiting for a response.

The only thing I could find myself thru Apple's documentation was that instead of 2FA, I could use 2SV - but I could not enable that immediately - they add a 3 day wait period between requesting it and being able to use it.

However, the best solution seems to be what Kyle Seth Gray describes. Thanks for posting this. Now, if only Apple would have considered and explained this in the first place.

Will Notbepublished

@Thomas: No, it's how 2FA works occasionally when logging from a Mac and Safari. It has been a known issue for at least the last 3 years. It has been reported. What did Apple do to solve this? Well, apparently nothing. As usual.

Years ago, realizing that having two Apple IDs was going to be an increasing pain in the neck, I de facto merged my accounts. It required having a long talk on the phone with Apple Support but I got it done. I recommend doing that. (Unfortunately they can't literally merge them; I picked one and had them give it all the privileges the other one had and closed the one I didn't want.)

I get a 4 digit SMS message when I log into my developer account. I know that is what Apple calls 2SV, which is different from what they call 2FA. Does that still match having 2SV on meet the 2FA requirement for developer accounts as Michael has implied?

@Matt I’m not 100% sure, but my guess is that you will need to enable 2FA and that after that, if a trusted device isn’t available, it will fall back to SMS as a backup.

Thanks Michael. From the FAQ, it doesn't seem like that is enough. This process is so confusing. It talks about adding it to a computer, but it also talks about signing out to enable 2FA. Its a mess.

I have an email into Apple Developer support right now. Maybe they can either help me or just let me continue to use 2SV.

[…] Tips, tricks, and horror stories: Developer Apple ID’s to Require Two-Factor Authentication […]

This was a really poorly thought through requirement by Apple. Our dev account owner is not our developer, nor is our account tied to any one device. The account was not being monitored so Apple's notices regarding 2fa weren't seen. At this point we're essentially locked out of our account because the answers to our security questions are apparently incorrect.

When we tried to reset the questions we're unable to and get a message that we're unable to provide enough information to process the request. Our case was escalated beyond the sr dev team, who apparently have no insight into how long it may be before Apple contacts us with a resolution It's been nearly two weeks at this point, I've been calling for a status update several times a week but have only gotten a vague assurance we'll be contacted at some point.

This entire process has caused a lot of pain as we're unable to deploy app updates which are affecting business ops. It'd be nice if we at least could some get some transparency and insight into how long this process will take because at this point we have no idea.

[…] Developer Apple ID’s to Require Two-Factor Authentication […]

[…] Developer Apple ID’s to Require Two-Factor Authentication […]

Leave a Comment