Apple's new 2FA requirement for developer Apple IDs [closed]












4















According to various reports, Apple is imminently going to force developers to use 2FA with their Apple IDs, but it’s not easy to understand exactly how Apple’s implementation will work.



Please don’t waste time criticizing my use case requirements below. I work in and on data security tools and I know my requirements are unusual. Apologies in advance for the length, but I want to spell out everything and see if others can help fill me in on what is possible, or potentially what is impossible. I’d rather give as much info as possible right from the beginning. If more info is needed, please ask.



I have several iOS devices, none of which have “data”. Imagine that they are all iPads or iPod touches. They access the internet via Wi-Fi over VPN. Apple’s support document seems to say that you can manage their 2FA without data, but they seem to assume that you have SMS available or at least an active phone number — and that you’re okay giving it to them.





  1. I don’t use SMS. At all. Yes, really. It’s not secure in any way, shape or form, it certainly shouldn’t be a part of a security system. In fact, I don’t own a cell phone right now, and I don’t have regular access to a land line anymore, or at least not when I’m working. So when Apple speaks of a “trusted phone”, that’s not applicable to me during most of my development hours.



    If it was purely a one-off SMS verification sent, then one could simply buy a burner SIM, or even ask a friend (bad idea), but if a phone# gets entered into Apple’s 2FA system, I think we can presume that number will be needed on an ongoing basis, even if infrequently. I’m not going to back myself into an unrecoverable corner.




  2. I do not (will not) use iCloud. I don’t store any data in the cloud on servers owned by others, not even Apple. If this new 2FA requirement means that one cannot develop iOS apps and install on their own iDevices without having an iCloud account, that’s very troubling. Hopefully someone can confirm or deny this with certainty.



    The article: Get a verification code and sign in with two-factor authentication, seems to imply that one does not need iCloud, and you can get a Verification Code while offline, which I've done on my iDevice, but I have no way to test it, because I don't know how it integrates into Xcode.



  3. It doesn’t look like 2FA options that are actually relatively secure, like Yubikey, are available. Any info on this?


  4. Is this new 2FA requirement only for devs with published apps? Or will it affect the ability of those of us who write internal (not enterprise scope) apps to install on our own devices? The Apple ID email associated with this developer account has not received any email about this, the only way I knew is because it’s being discussed on various forums.


  5. When does a 2FA request kick in? If it’s triggered based on a new IP address that’s a problem. When my iOS devices connect to the Internet (infrequently) it’s always via VPN, so different public IP addresses all the time. My development laptop is usually fully disconnected from the public Internet, but when it is connected it will have a variety of IP addresses as well, though not necessarily via VPN. If 2FA is triggered based on some attribute of each device, then how is that stored/determined? I never allow my browsers to use local data storage, I don’t allow cookies except momentarily to sign into one of a couple sites, like https://appleid.apple.com/; then they’re deleted immediately.


  6. Xcode on my development laptop does get to talk to the Internet, but only to a few of Apple’s developer servers, and only when I need to update the provisioning certificate. If there’s a short lapse I can usually live with that because of the iOS simulator. So less than once/week on average.


  7. Like many devs, I use a personal Apple ID for my personal device/apps/music, but a different Apple ID for development. From what I’ve read, this 2FA requirement is going to be a huge PITA for many developers. Is there an easy way to deal with this? I’ve just updated one of our older devices to iOS 12 (didn’t want to, but this 2FA move kind of forced the issue), linked it to my developer AppleID. While this device is fully offline, I can go into Settings → AppleID → Password & Security to generate a “Verification Code”. If that’s all I need for this process, I’ll usually be okay, because I can try to keep that device with me at all times, even if it’s not particularly convenient.



So there are a several questions above that I’m looking for answers, but one more self-contained question is this: With the above constraints, will I be able to continue to use Xcode on my laptop and push apps to our own devices? If Xcode simply chokes when I request an updated provisioning certificate and I can generate an associated Verification Code on my offline mobile device, that’s not a problem. But I don’t see how I can even enable their terrible notion of 2FA on the laptop. Not that I want it anyway, my own security systems are better right now, so it will merely be an inconvenience at best, and if SMS is a hard requirement, then it would be a downgrade. For me anyway.



An aside; you might wonder how one can get any work done with my setup, but it’s not that bad, I only need to connect my dev laptop to the internet about once/week or so to reload provisioning certificates. The iDevices only need to connect to the open internet (via VPN) when Xcode is actually pushing the apps onto them.



Another reference, this post:



Ability to add non-SMS 2-factor auth to an Apple ID?



links to an Apple Support page that says SMS is required, but that’s for 2-step verification, not 2-factor authentication.



There are so many different related questions and articles, but they all seem incomplete and/or in conflict with each other.










share|improve this question















closed as too broad by fsb, Allan, nohillside Feb 24 at 15:53


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.



















  • Note: another minor annoyance. On iDevice, Settings -> AppleID. On that page it very clearly says iCloud: Off. And yet, tapping Password & Security brings up a dialog that says: Sign In to iCloud, and has a blank field for a password. This stuff doesn't seem like it's had a lot of QA.

    – peter.rando
    Feb 24 at 11:19













  • Continued follow-up on this. I went ahead and entered the password for the AppleID, even though it said iCloud. Brought me to the page where one can turn on two-factor-auth, I answered my "security questions" correctly (random 14-16 character strings), and then it prompts for a Phone Number, with what appears to be no other option. Either enter a phone number or cancel. This is appalling. I'm done for the night, again. Hopefully someone will have some helpful info here in the morning!

    – peter.rando
    Feb 24 at 11:27













  • It's probably best to approach Apple directly regarding your situation, there are some aspects in your question which will be difficult to get information on otherwise. Also, as written it's rather broad, making it hard to answer (even though I have to admit @jksoegaard did a great job below).

    – nohillside
    Feb 24 at 15:55













  • You need to re-think your threat model. How exactly is 2FA, implemented in a way that you think is less than perfect, less secure than no 2FA?

    – gnasher729
    Feb 24 at 15:58











  • If programmers who don't have a phone stop creating iOS software, then I don't think Apple cares about that too much.

    – gnasher729
    Feb 24 at 15:59
















4















According to various reports, Apple is imminently going to force developers to use 2FA with their Apple IDs, but it’s not easy to understand exactly how Apple’s implementation will work.



Please don’t waste time criticizing my use case requirements below. I work in and on data security tools and I know my requirements are unusual. Apologies in advance for the length, but I want to spell out everything and see if others can help fill me in on what is possible, or potentially what is impossible. I’d rather give as much info as possible right from the beginning. If more info is needed, please ask.



I have several iOS devices, none of which have “data”. Imagine that they are all iPads or iPod touches. They access the internet via Wi-Fi over VPN. Apple’s support document seems to say that you can manage their 2FA without data, but they seem to assume that you have SMS available or at least an active phone number — and that you’re okay giving it to them.





  1. I don’t use SMS. At all. Yes, really. It’s not secure in any way, shape or form, it certainly shouldn’t be a part of a security system. In fact, I don’t own a cell phone right now, and I don’t have regular access to a land line anymore, or at least not when I’m working. So when Apple speaks of a “trusted phone”, that’s not applicable to me during most of my development hours.



    If it was purely a one-off SMS verification sent, then one could simply buy a burner SIM, or even ask a friend (bad idea), but if a phone# gets entered into Apple’s 2FA system, I think we can presume that number will be needed on an ongoing basis, even if infrequently. I’m not going to back myself into an unrecoverable corner.




  2. I do not (will not) use iCloud. I don’t store any data in the cloud on servers owned by others, not even Apple. If this new 2FA requirement means that one cannot develop iOS apps and install on their own iDevices without having an iCloud account, that’s very troubling. Hopefully someone can confirm or deny this with certainty.



    The article: Get a verification code and sign in with two-factor authentication, seems to imply that one does not need iCloud, and you can get a Verification Code while offline, which I've done on my iDevice, but I have no way to test it, because I don't know how it integrates into Xcode.



  3. It doesn’t look like 2FA options that are actually relatively secure, like Yubikey, are available. Any info on this?


  4. Is this new 2FA requirement only for devs with published apps? Or will it affect the ability of those of us who write internal (not enterprise scope) apps to install on our own devices? The Apple ID email associated with this developer account has not received any email about this, the only way I knew is because it’s being discussed on various forums.


  5. When does a 2FA request kick in? If it’s triggered based on a new IP address that’s a problem. When my iOS devices connect to the Internet (infrequently) it’s always via VPN, so different public IP addresses all the time. My development laptop is usually fully disconnected from the public Internet, but when it is connected it will have a variety of IP addresses as well, though not necessarily via VPN. If 2FA is triggered based on some attribute of each device, then how is that stored/determined? I never allow my browsers to use local data storage, I don’t allow cookies except momentarily to sign into one of a couple sites, like https://appleid.apple.com/; then they’re deleted immediately.


  6. Xcode on my development laptop does get to talk to the Internet, but only to a few of Apple’s developer servers, and only when I need to update the provisioning certificate. If there’s a short lapse I can usually live with that because of the iOS simulator. So less than once/week on average.


  7. Like many devs, I use a personal Apple ID for my personal device/apps/music, but a different Apple ID for development. From what I’ve read, this 2FA requirement is going to be a huge PITA for many developers. Is there an easy way to deal with this? I’ve just updated one of our older devices to iOS 12 (didn’t want to, but this 2FA move kind of forced the issue), linked it to my developer AppleID. While this device is fully offline, I can go into Settings → AppleID → Password & Security to generate a “Verification Code”. If that’s all I need for this process, I’ll usually be okay, because I can try to keep that device with me at all times, even if it’s not particularly convenient.



So there are a several questions above that I’m looking for answers, but one more self-contained question is this: With the above constraints, will I be able to continue to use Xcode on my laptop and push apps to our own devices? If Xcode simply chokes when I request an updated provisioning certificate and I can generate an associated Verification Code on my offline mobile device, that’s not a problem. But I don’t see how I can even enable their terrible notion of 2FA on the laptop. Not that I want it anyway, my own security systems are better right now, so it will merely be an inconvenience at best, and if SMS is a hard requirement, then it would be a downgrade. For me anyway.



An aside; you might wonder how one can get any work done with my setup, but it’s not that bad, I only need to connect my dev laptop to the internet about once/week or so to reload provisioning certificates. The iDevices only need to connect to the open internet (via VPN) when Xcode is actually pushing the apps onto them.



Another reference, this post:



Ability to add non-SMS 2-factor auth to an Apple ID?



links to an Apple Support page that says SMS is required, but that’s for 2-step verification, not 2-factor authentication.



There are so many different related questions and articles, but they all seem incomplete and/or in conflict with each other.










share|improve this question















closed as too broad by fsb, Allan, nohillside Feb 24 at 15:53


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.



















  • Note: another minor annoyance. On iDevice, Settings -> AppleID. On that page it very clearly says iCloud: Off. And yet, tapping Password & Security brings up a dialog that says: Sign In to iCloud, and has a blank field for a password. This stuff doesn't seem like it's had a lot of QA.

    – peter.rando
    Feb 24 at 11:19













  • Continued follow-up on this. I went ahead and entered the password for the AppleID, even though it said iCloud. Brought me to the page where one can turn on two-factor-auth, I answered my "security questions" correctly (random 14-16 character strings), and then it prompts for a Phone Number, with what appears to be no other option. Either enter a phone number or cancel. This is appalling. I'm done for the night, again. Hopefully someone will have some helpful info here in the morning!

    – peter.rando
    Feb 24 at 11:27













  • It's probably best to approach Apple directly regarding your situation, there are some aspects in your question which will be difficult to get information on otherwise. Also, as written it's rather broad, making it hard to answer (even though I have to admit @jksoegaard did a great job below).

    – nohillside
    Feb 24 at 15:55













  • You need to re-think your threat model. How exactly is 2FA, implemented in a way that you think is less than perfect, less secure than no 2FA?

    – gnasher729
    Feb 24 at 15:58











  • If programmers who don't have a phone stop creating iOS software, then I don't think Apple cares about that too much.

    – gnasher729
    Feb 24 at 15:59














4












4








4


1






According to various reports, Apple is imminently going to force developers to use 2FA with their Apple IDs, but it’s not easy to understand exactly how Apple’s implementation will work.



Please don’t waste time criticizing my use case requirements below. I work in and on data security tools and I know my requirements are unusual. Apologies in advance for the length, but I want to spell out everything and see if others can help fill me in on what is possible, or potentially what is impossible. I’d rather give as much info as possible right from the beginning. If more info is needed, please ask.



I have several iOS devices, none of which have “data”. Imagine that they are all iPads or iPod touches. They access the internet via Wi-Fi over VPN. Apple’s support document seems to say that you can manage their 2FA without data, but they seem to assume that you have SMS available or at least an active phone number — and that you’re okay giving it to them.





  1. I don’t use SMS. At all. Yes, really. It’s not secure in any way, shape or form, it certainly shouldn’t be a part of a security system. In fact, I don’t own a cell phone right now, and I don’t have regular access to a land line anymore, or at least not when I’m working. So when Apple speaks of a “trusted phone”, that’s not applicable to me during most of my development hours.



    If it was purely a one-off SMS verification sent, then one could simply buy a burner SIM, or even ask a friend (bad idea), but if a phone# gets entered into Apple’s 2FA system, I think we can presume that number will be needed on an ongoing basis, even if infrequently. I’m not going to back myself into an unrecoverable corner.




  2. I do not (will not) use iCloud. I don’t store any data in the cloud on servers owned by others, not even Apple. If this new 2FA requirement means that one cannot develop iOS apps and install on their own iDevices without having an iCloud account, that’s very troubling. Hopefully someone can confirm or deny this with certainty.



    The article: Get a verification code and sign in with two-factor authentication, seems to imply that one does not need iCloud, and you can get a Verification Code while offline, which I've done on my iDevice, but I have no way to test it, because I don't know how it integrates into Xcode.



  3. It doesn’t look like 2FA options that are actually relatively secure, like Yubikey, are available. Any info on this?


  4. Is this new 2FA requirement only for devs with published apps? Or will it affect the ability of those of us who write internal (not enterprise scope) apps to install on our own devices? The Apple ID email associated with this developer account has not received any email about this, the only way I knew is because it’s being discussed on various forums.


  5. When does a 2FA request kick in? If it’s triggered based on a new IP address that’s a problem. When my iOS devices connect to the Internet (infrequently) it’s always via VPN, so different public IP addresses all the time. My development laptop is usually fully disconnected from the public Internet, but when it is connected it will have a variety of IP addresses as well, though not necessarily via VPN. If 2FA is triggered based on some attribute of each device, then how is that stored/determined? I never allow my browsers to use local data storage, I don’t allow cookies except momentarily to sign into one of a couple sites, like https://appleid.apple.com/; then they’re deleted immediately.


  6. Xcode on my development laptop does get to talk to the Internet, but only to a few of Apple’s developer servers, and only when I need to update the provisioning certificate. If there’s a short lapse I can usually live with that because of the iOS simulator. So less than once/week on average.


  7. Like many devs, I use a personal Apple ID for my personal device/apps/music, but a different Apple ID for development. From what I’ve read, this 2FA requirement is going to be a huge PITA for many developers. Is there an easy way to deal with this? I’ve just updated one of our older devices to iOS 12 (didn’t want to, but this 2FA move kind of forced the issue), linked it to my developer AppleID. While this device is fully offline, I can go into Settings → AppleID → Password & Security to generate a “Verification Code”. If that’s all I need for this process, I’ll usually be okay, because I can try to keep that device with me at all times, even if it’s not particularly convenient.



So there are a several questions above that I’m looking for answers, but one more self-contained question is this: With the above constraints, will I be able to continue to use Xcode on my laptop and push apps to our own devices? If Xcode simply chokes when I request an updated provisioning certificate and I can generate an associated Verification Code on my offline mobile device, that’s not a problem. But I don’t see how I can even enable their terrible notion of 2FA on the laptop. Not that I want it anyway, my own security systems are better right now, so it will merely be an inconvenience at best, and if SMS is a hard requirement, then it would be a downgrade. For me anyway.



An aside; you might wonder how one can get any work done with my setup, but it’s not that bad, I only need to connect my dev laptop to the internet about once/week or so to reload provisioning certificates. The iDevices only need to connect to the open internet (via VPN) when Xcode is actually pushing the apps onto them.



Another reference, this post:



Ability to add non-SMS 2-factor auth to an Apple ID?



links to an Apple Support page that says SMS is required, but that’s for 2-step verification, not 2-factor authentication.



There are so many different related questions and articles, but they all seem incomplete and/or in conflict with each other.










share|improve this question
















According to various reports, Apple is imminently going to force developers to use 2FA with their Apple IDs, but it’s not easy to understand exactly how Apple’s implementation will work.



Please don’t waste time criticizing my use case requirements below. I work in and on data security tools and I know my requirements are unusual. Apologies in advance for the length, but I want to spell out everything and see if others can help fill me in on what is possible, or potentially what is impossible. I’d rather give as much info as possible right from the beginning. If more info is needed, please ask.



I have several iOS devices, none of which have “data”. Imagine that they are all iPads or iPod touches. They access the internet via Wi-Fi over VPN. Apple’s support document seems to say that you can manage their 2FA without data, but they seem to assume that you have SMS available or at least an active phone number — and that you’re okay giving it to them.





  1. I don’t use SMS. At all. Yes, really. It’s not secure in any way, shape or form, it certainly shouldn’t be a part of a security system. In fact, I don’t own a cell phone right now, and I don’t have regular access to a land line anymore, or at least not when I’m working. So when Apple speaks of a “trusted phone”, that’s not applicable to me during most of my development hours.



    If it was purely a one-off SMS verification sent, then one could simply buy a burner SIM, or even ask a friend (bad idea), but if a phone# gets entered into Apple’s 2FA system, I think we can presume that number will be needed on an ongoing basis, even if infrequently. I’m not going to back myself into an unrecoverable corner.




  2. I do not (will not) use iCloud. I don’t store any data in the cloud on servers owned by others, not even Apple. If this new 2FA requirement means that one cannot develop iOS apps and install on their own iDevices without having an iCloud account, that’s very troubling. Hopefully someone can confirm or deny this with certainty.



    The article: Get a verification code and sign in with two-factor authentication, seems to imply that one does not need iCloud, and you can get a Verification Code while offline, which I've done on my iDevice, but I have no way to test it, because I don't know how it integrates into Xcode.



  3. It doesn’t look like 2FA options that are actually relatively secure, like Yubikey, are available. Any info on this?


  4. Is this new 2FA requirement only for devs with published apps? Or will it affect the ability of those of us who write internal (not enterprise scope) apps to install on our own devices? The Apple ID email associated with this developer account has not received any email about this, the only way I knew is because it’s being discussed on various forums.


  5. When does a 2FA request kick in? If it’s triggered based on a new IP address that’s a problem. When my iOS devices connect to the Internet (infrequently) it’s always via VPN, so different public IP addresses all the time. My development laptop is usually fully disconnected from the public Internet, but when it is connected it will have a variety of IP addresses as well, though not necessarily via VPN. If 2FA is triggered based on some attribute of each device, then how is that stored/determined? I never allow my browsers to use local data storage, I don’t allow cookies except momentarily to sign into one of a couple sites, like https://appleid.apple.com/; then they’re deleted immediately.


  6. Xcode on my development laptop does get to talk to the Internet, but only to a few of Apple’s developer servers, and only when I need to update the provisioning certificate. If there’s a short lapse I can usually live with that because of the iOS simulator. So less than once/week on average.


  7. Like many devs, I use a personal Apple ID for my personal device/apps/music, but a different Apple ID for development. From what I’ve read, this 2FA requirement is going to be a huge PITA for many developers. Is there an easy way to deal with this? I’ve just updated one of our older devices to iOS 12 (didn’t want to, but this 2FA move kind of forced the issue), linked it to my developer AppleID. While this device is fully offline, I can go into Settings → AppleID → Password & Security to generate a “Verification Code”. If that’s all I need for this process, I’ll usually be okay, because I can try to keep that device with me at all times, even if it’s not particularly convenient.



So there are a several questions above that I’m looking for answers, but one more self-contained question is this: With the above constraints, will I be able to continue to use Xcode on my laptop and push apps to our own devices? If Xcode simply chokes when I request an updated provisioning certificate and I can generate an associated Verification Code on my offline mobile device, that’s not a problem. But I don’t see how I can even enable their terrible notion of 2FA on the laptop. Not that I want it anyway, my own security systems are better right now, so it will merely be an inconvenience at best, and if SMS is a hard requirement, then it would be a downgrade. For me anyway.



An aside; you might wonder how one can get any work done with my setup, but it’s not that bad, I only need to connect my dev laptop to the internet about once/week or so to reload provisioning certificates. The iDevices only need to connect to the open internet (via VPN) when Xcode is actually pushing the apps onto them.



Another reference, this post:



Ability to add non-SMS 2-factor auth to an Apple ID?



links to an Apple Support page that says SMS is required, but that’s for 2-step verification, not 2-factor authentication.



There are so many different related questions and articles, but they all seem incomplete and/or in conflict with each other.







apple-id xcode two-factor-authentication






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 24 at 13:05









Nimesh Neema

15.3k64176




15.3k64176










asked Feb 24 at 11:09









peter.randopeter.rando

464




464




closed as too broad by fsb, Allan, nohillside Feb 24 at 15:53


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.









closed as too broad by fsb, Allan, nohillside Feb 24 at 15:53


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.















  • Note: another minor annoyance. On iDevice, Settings -> AppleID. On that page it very clearly says iCloud: Off. And yet, tapping Password & Security brings up a dialog that says: Sign In to iCloud, and has a blank field for a password. This stuff doesn't seem like it's had a lot of QA.

    – peter.rando
    Feb 24 at 11:19













  • Continued follow-up on this. I went ahead and entered the password for the AppleID, even though it said iCloud. Brought me to the page where one can turn on two-factor-auth, I answered my "security questions" correctly (random 14-16 character strings), and then it prompts for a Phone Number, with what appears to be no other option. Either enter a phone number or cancel. This is appalling. I'm done for the night, again. Hopefully someone will have some helpful info here in the morning!

    – peter.rando
    Feb 24 at 11:27













  • It's probably best to approach Apple directly regarding your situation, there are some aspects in your question which will be difficult to get information on otherwise. Also, as written it's rather broad, making it hard to answer (even though I have to admit @jksoegaard did a great job below).

    – nohillside
    Feb 24 at 15:55













  • You need to re-think your threat model. How exactly is 2FA, implemented in a way that you think is less than perfect, less secure than no 2FA?

    – gnasher729
    Feb 24 at 15:58











  • If programmers who don't have a phone stop creating iOS software, then I don't think Apple cares about that too much.

    – gnasher729
    Feb 24 at 15:59



















  • Note: another minor annoyance. On iDevice, Settings -> AppleID. On that page it very clearly says iCloud: Off. And yet, tapping Password & Security brings up a dialog that says: Sign In to iCloud, and has a blank field for a password. This stuff doesn't seem like it's had a lot of QA.

    – peter.rando
    Feb 24 at 11:19













  • Continued follow-up on this. I went ahead and entered the password for the AppleID, even though it said iCloud. Brought me to the page where one can turn on two-factor-auth, I answered my "security questions" correctly (random 14-16 character strings), and then it prompts for a Phone Number, with what appears to be no other option. Either enter a phone number or cancel. This is appalling. I'm done for the night, again. Hopefully someone will have some helpful info here in the morning!

    – peter.rando
    Feb 24 at 11:27













  • It's probably best to approach Apple directly regarding your situation, there are some aspects in your question which will be difficult to get information on otherwise. Also, as written it's rather broad, making it hard to answer (even though I have to admit @jksoegaard did a great job below).

    – nohillside
    Feb 24 at 15:55













  • You need to re-think your threat model. How exactly is 2FA, implemented in a way that you think is less than perfect, less secure than no 2FA?

    – gnasher729
    Feb 24 at 15:58











  • If programmers who don't have a phone stop creating iOS software, then I don't think Apple cares about that too much.

    – gnasher729
    Feb 24 at 15:59

















Note: another minor annoyance. On iDevice, Settings -> AppleID. On that page it very clearly says iCloud: Off. And yet, tapping Password & Security brings up a dialog that says: Sign In to iCloud, and has a blank field for a password. This stuff doesn't seem like it's had a lot of QA.

– peter.rando
Feb 24 at 11:19







Note: another minor annoyance. On iDevice, Settings -> AppleID. On that page it very clearly says iCloud: Off. And yet, tapping Password & Security brings up a dialog that says: Sign In to iCloud, and has a blank field for a password. This stuff doesn't seem like it's had a lot of QA.

– peter.rando
Feb 24 at 11:19















Continued follow-up on this. I went ahead and entered the password for the AppleID, even though it said iCloud. Brought me to the page where one can turn on two-factor-auth, I answered my "security questions" correctly (random 14-16 character strings), and then it prompts for a Phone Number, with what appears to be no other option. Either enter a phone number or cancel. This is appalling. I'm done for the night, again. Hopefully someone will have some helpful info here in the morning!

– peter.rando
Feb 24 at 11:27







Continued follow-up on this. I went ahead and entered the password for the AppleID, even though it said iCloud. Brought me to the page where one can turn on two-factor-auth, I answered my "security questions" correctly (random 14-16 character strings), and then it prompts for a Phone Number, with what appears to be no other option. Either enter a phone number or cancel. This is appalling. I'm done for the night, again. Hopefully someone will have some helpful info here in the morning!

– peter.rando
Feb 24 at 11:27















It's probably best to approach Apple directly regarding your situation, there are some aspects in your question which will be difficult to get information on otherwise. Also, as written it's rather broad, making it hard to answer (even though I have to admit @jksoegaard did a great job below).

– nohillside
Feb 24 at 15:55







It's probably best to approach Apple directly regarding your situation, there are some aspects in your question which will be difficult to get information on otherwise. Also, as written it's rather broad, making it hard to answer (even though I have to admit @jksoegaard did a great job below).

– nohillside
Feb 24 at 15:55















You need to re-think your threat model. How exactly is 2FA, implemented in a way that you think is less than perfect, less secure than no 2FA?

– gnasher729
Feb 24 at 15:58





You need to re-think your threat model. How exactly is 2FA, implemented in a way that you think is less than perfect, less secure than no 2FA?

– gnasher729
Feb 24 at 15:58













If programmers who don't have a phone stop creating iOS software, then I don't think Apple cares about that too much.

– gnasher729
Feb 24 at 15:59





If programmers who don't have a phone stop creating iOS software, then I don't think Apple cares about that too much.

– gnasher729
Feb 24 at 15:59










1 Answer
1






active

oldest

votes


















3














The new 2FA requirement is not concerning a new 2FA system - it is the same 2FA system that Apple ID users have had available for a very long time now. You can find tons of guides and information about this on the net.



You seem to be asking many different questions all revolving around the same theme. Therefore I will give you a general answer, but if you want specifics about each sub question then ask it as its own question.



Yes, you can use 2FA without using iCloud Drive, without syncing with iCloud Photos, without using iCloud mail, etc. You need nothing more than the Apple ID you already have.



Yes, you do need a working phone number. It does not have to be SMS, as you can request a voice message instead.



No, you will not need to use this method regularly. It is intended only for when you have forgotten your password or want to do account recovery.



Yes, 2FA devices work perfectly well offline. You are not suddenly requires to be online all the time. If you want to interact with Apples servers for downloading provisioning profiles you’ll need to be online, but that has always been the case.



No, you’re not going to be generating and entering 2FA codes all the time. You do this once per “system” and a token is stored that means you won’t have to do it again on that system until you change your password or otherwise revoke the token. A system could be a browser, Xcode or whatever you use to talk with Apple’s systems.



No, you cannot use Yubikeys or similar. You can use Apple devices such as for example a phone with a Secure Enclave. It is the same principles as the Yubikey using TOTP with a secret stored in the Secure Enclave.



The 2FA request is not initiated when you connect to the internet. It is only when you specifically tries to access something on Apple’s system without having a pre-stored token. Yes, you can use 2FA even though you’re connecting over VPN.



No, it doesn’t matter if you have published apps or not. It is a generic requirements for members of the developer program. You’ll know if you’re affected because Apple send you a direct email about this.



Yes, you can use your developer 2FA on a “private” device without having to remove your private 2FA account from the device.






share|improve this answer



















  • 1





    Yes, I was concerned about how many separate questions this ended up with, but it kind of grew organically as I was writing it and hard to break up. <br/> Thank you for your response here, it's helpful. I have some follow-up questions, but I need to consider whether it makes more sense to patch up this (on hold) question or split them off into new ones.

    – peter.rando
    Feb 24 at 19:11













  • I have to say this 2FA enforcement is poorly implemented. Every time I login to the developer account (same device) it asks me for the code. There is no way to "trust" a device. And the biggest problem of all, Xcode keeps complaining my 2FA is not enabled, so it doesn't let me do anything that needs authentication. What a mess!

    – obai
    yesterday











  • You seem to be very unlucky. It works for me - asking me if I want to trust or not, and Xcode works fine. As 2FA has been a requirement for new accounts for quite a while, and we haven’t heard any “horror stories” - this means your case is isolated.

    – jksoegaard
    yesterday


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









3














The new 2FA requirement is not concerning a new 2FA system - it is the same 2FA system that Apple ID users have had available for a very long time now. You can find tons of guides and information about this on the net.



You seem to be asking many different questions all revolving around the same theme. Therefore I will give you a general answer, but if you want specifics about each sub question then ask it as its own question.



Yes, you can use 2FA without using iCloud Drive, without syncing with iCloud Photos, without using iCloud mail, etc. You need nothing more than the Apple ID you already have.



Yes, you do need a working phone number. It does not have to be SMS, as you can request a voice message instead.



No, you will not need to use this method regularly. It is intended only for when you have forgotten your password or want to do account recovery.



Yes, 2FA devices work perfectly well offline. You are not suddenly requires to be online all the time. If you want to interact with Apples servers for downloading provisioning profiles you’ll need to be online, but that has always been the case.



No, you’re not going to be generating and entering 2FA codes all the time. You do this once per “system” and a token is stored that means you won’t have to do it again on that system until you change your password or otherwise revoke the token. A system could be a browser, Xcode or whatever you use to talk with Apple’s systems.



No, you cannot use Yubikeys or similar. You can use Apple devices such as for example a phone with a Secure Enclave. It is the same principles as the Yubikey using TOTP with a secret stored in the Secure Enclave.



The 2FA request is not initiated when you connect to the internet. It is only when you specifically tries to access something on Apple’s system without having a pre-stored token. Yes, you can use 2FA even though you’re connecting over VPN.



No, it doesn’t matter if you have published apps or not. It is a generic requirements for members of the developer program. You’ll know if you’re affected because Apple send you a direct email about this.



Yes, you can use your developer 2FA on a “private” device without having to remove your private 2FA account from the device.






share|improve this answer



















  • 1





    Yes, I was concerned about how many separate questions this ended up with, but it kind of grew organically as I was writing it and hard to break up. <br/> Thank you for your response here, it's helpful. I have some follow-up questions, but I need to consider whether it makes more sense to patch up this (on hold) question or split them off into new ones.

    – peter.rando
    Feb 24 at 19:11













  • I have to say this 2FA enforcement is poorly implemented. Every time I login to the developer account (same device) it asks me for the code. There is no way to "trust" a device. And the biggest problem of all, Xcode keeps complaining my 2FA is not enabled, so it doesn't let me do anything that needs authentication. What a mess!

    – obai
    yesterday











  • You seem to be very unlucky. It works for me - asking me if I want to trust or not, and Xcode works fine. As 2FA has been a requirement for new accounts for quite a while, and we haven’t heard any “horror stories” - this means your case is isolated.

    – jksoegaard
    yesterday
















3














The new 2FA requirement is not concerning a new 2FA system - it is the same 2FA system that Apple ID users have had available for a very long time now. You can find tons of guides and information about this on the net.



You seem to be asking many different questions all revolving around the same theme. Therefore I will give you a general answer, but if you want specifics about each sub question then ask it as its own question.



Yes, you can use 2FA without using iCloud Drive, without syncing with iCloud Photos, without using iCloud mail, etc. You need nothing more than the Apple ID you already have.



Yes, you do need a working phone number. It does not have to be SMS, as you can request a voice message instead.



No, you will not need to use this method regularly. It is intended only for when you have forgotten your password or want to do account recovery.



Yes, 2FA devices work perfectly well offline. You are not suddenly requires to be online all the time. If you want to interact with Apples servers for downloading provisioning profiles you’ll need to be online, but that has always been the case.



No, you’re not going to be generating and entering 2FA codes all the time. You do this once per “system” and a token is stored that means you won’t have to do it again on that system until you change your password or otherwise revoke the token. A system could be a browser, Xcode or whatever you use to talk with Apple’s systems.



No, you cannot use Yubikeys or similar. You can use Apple devices such as for example a phone with a Secure Enclave. It is the same principles as the Yubikey using TOTP with a secret stored in the Secure Enclave.



The 2FA request is not initiated when you connect to the internet. It is only when you specifically tries to access something on Apple’s system without having a pre-stored token. Yes, you can use 2FA even though you’re connecting over VPN.



No, it doesn’t matter if you have published apps or not. It is a generic requirements for members of the developer program. You’ll know if you’re affected because Apple send you a direct email about this.



Yes, you can use your developer 2FA on a “private” device without having to remove your private 2FA account from the device.






share|improve this answer



















  • 1





    Yes, I was concerned about how many separate questions this ended up with, but it kind of grew organically as I was writing it and hard to break up. <br/> Thank you for your response here, it's helpful. I have some follow-up questions, but I need to consider whether it makes more sense to patch up this (on hold) question or split them off into new ones.

    – peter.rando
    Feb 24 at 19:11













  • I have to say this 2FA enforcement is poorly implemented. Every time I login to the developer account (same device) it asks me for the code. There is no way to "trust" a device. And the biggest problem of all, Xcode keeps complaining my 2FA is not enabled, so it doesn't let me do anything that needs authentication. What a mess!

    – obai
    yesterday











  • You seem to be very unlucky. It works for me - asking me if I want to trust or not, and Xcode works fine. As 2FA has been a requirement for new accounts for quite a while, and we haven’t heard any “horror stories” - this means your case is isolated.

    – jksoegaard
    yesterday














3












3








3







The new 2FA requirement is not concerning a new 2FA system - it is the same 2FA system that Apple ID users have had available for a very long time now. You can find tons of guides and information about this on the net.



You seem to be asking many different questions all revolving around the same theme. Therefore I will give you a general answer, but if you want specifics about each sub question then ask it as its own question.



Yes, you can use 2FA without using iCloud Drive, without syncing with iCloud Photos, without using iCloud mail, etc. You need nothing more than the Apple ID you already have.



Yes, you do need a working phone number. It does not have to be SMS, as you can request a voice message instead.



No, you will not need to use this method regularly. It is intended only for when you have forgotten your password or want to do account recovery.



Yes, 2FA devices work perfectly well offline. You are not suddenly requires to be online all the time. If you want to interact with Apples servers for downloading provisioning profiles you’ll need to be online, but that has always been the case.



No, you’re not going to be generating and entering 2FA codes all the time. You do this once per “system” and a token is stored that means you won’t have to do it again on that system until you change your password or otherwise revoke the token. A system could be a browser, Xcode or whatever you use to talk with Apple’s systems.



No, you cannot use Yubikeys or similar. You can use Apple devices such as for example a phone with a Secure Enclave. It is the same principles as the Yubikey using TOTP with a secret stored in the Secure Enclave.



The 2FA request is not initiated when you connect to the internet. It is only when you specifically tries to access something on Apple’s system without having a pre-stored token. Yes, you can use 2FA even though you’re connecting over VPN.



No, it doesn’t matter if you have published apps or not. It is a generic requirements for members of the developer program. You’ll know if you’re affected because Apple send you a direct email about this.



Yes, you can use your developer 2FA on a “private” device without having to remove your private 2FA account from the device.






share|improve this answer













The new 2FA requirement is not concerning a new 2FA system - it is the same 2FA system that Apple ID users have had available for a very long time now. You can find tons of guides and information about this on the net.



You seem to be asking many different questions all revolving around the same theme. Therefore I will give you a general answer, but if you want specifics about each sub question then ask it as its own question.



Yes, you can use 2FA without using iCloud Drive, without syncing with iCloud Photos, without using iCloud mail, etc. You need nothing more than the Apple ID you already have.



Yes, you do need a working phone number. It does not have to be SMS, as you can request a voice message instead.



No, you will not need to use this method regularly. It is intended only for when you have forgotten your password or want to do account recovery.



Yes, 2FA devices work perfectly well offline. You are not suddenly requires to be online all the time. If you want to interact with Apples servers for downloading provisioning profiles you’ll need to be online, but that has always been the case.



No, you’re not going to be generating and entering 2FA codes all the time. You do this once per “system” and a token is stored that means you won’t have to do it again on that system until you change your password or otherwise revoke the token. A system could be a browser, Xcode or whatever you use to talk with Apple’s systems.



No, you cannot use Yubikeys or similar. You can use Apple devices such as for example a phone with a Secure Enclave. It is the same principles as the Yubikey using TOTP with a secret stored in the Secure Enclave.



The 2FA request is not initiated when you connect to the internet. It is only when you specifically tries to access something on Apple’s system without having a pre-stored token. Yes, you can use 2FA even though you’re connecting over VPN.



No, it doesn’t matter if you have published apps or not. It is a generic requirements for members of the developer program. You’ll know if you’re affected because Apple send you a direct email about this.



Yes, you can use your developer 2FA on a “private” device without having to remove your private 2FA account from the device.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 24 at 12:46









jksoegaardjksoegaard

18.1k1949




18.1k1949








  • 1





    Yes, I was concerned about how many separate questions this ended up with, but it kind of grew organically as I was writing it and hard to break up. <br/> Thank you for your response here, it's helpful. I have some follow-up questions, but I need to consider whether it makes more sense to patch up this (on hold) question or split them off into new ones.

    – peter.rando
    Feb 24 at 19:11













  • I have to say this 2FA enforcement is poorly implemented. Every time I login to the developer account (same device) it asks me for the code. There is no way to "trust" a device. And the biggest problem of all, Xcode keeps complaining my 2FA is not enabled, so it doesn't let me do anything that needs authentication. What a mess!

    – obai
    yesterday











  • You seem to be very unlucky. It works for me - asking me if I want to trust or not, and Xcode works fine. As 2FA has been a requirement for new accounts for quite a while, and we haven’t heard any “horror stories” - this means your case is isolated.

    – jksoegaard
    yesterday














  • 1





    Yes, I was concerned about how many separate questions this ended up with, but it kind of grew organically as I was writing it and hard to break up. <br/> Thank you for your response here, it's helpful. I have some follow-up questions, but I need to consider whether it makes more sense to patch up this (on hold) question or split them off into new ones.

    – peter.rando
    Feb 24 at 19:11













  • I have to say this 2FA enforcement is poorly implemented. Every time I login to the developer account (same device) it asks me for the code. There is no way to "trust" a device. And the biggest problem of all, Xcode keeps complaining my 2FA is not enabled, so it doesn't let me do anything that needs authentication. What a mess!

    – obai
    yesterday











  • You seem to be very unlucky. It works for me - asking me if I want to trust or not, and Xcode works fine. As 2FA has been a requirement for new accounts for quite a while, and we haven’t heard any “horror stories” - this means your case is isolated.

    – jksoegaard
    yesterday








1




1





Yes, I was concerned about how many separate questions this ended up with, but it kind of grew organically as I was writing it and hard to break up. <br/> Thank you for your response here, it's helpful. I have some follow-up questions, but I need to consider whether it makes more sense to patch up this (on hold) question or split them off into new ones.

– peter.rando
Feb 24 at 19:11







Yes, I was concerned about how many separate questions this ended up with, but it kind of grew organically as I was writing it and hard to break up. <br/> Thank you for your response here, it's helpful. I have some follow-up questions, but I need to consider whether it makes more sense to patch up this (on hold) question or split them off into new ones.

– peter.rando
Feb 24 at 19:11















I have to say this 2FA enforcement is poorly implemented. Every time I login to the developer account (same device) it asks me for the code. There is no way to "trust" a device. And the biggest problem of all, Xcode keeps complaining my 2FA is not enabled, so it doesn't let me do anything that needs authentication. What a mess!

– obai
yesterday





I have to say this 2FA enforcement is poorly implemented. Every time I login to the developer account (same device) it asks me for the code. There is no way to "trust" a device. And the biggest problem of all, Xcode keeps complaining my 2FA is not enabled, so it doesn't let me do anything that needs authentication. What a mess!

– obai
yesterday













You seem to be very unlucky. It works for me - asking me if I want to trust or not, and Xcode works fine. As 2FA has been a requirement for new accounts for quite a while, and we haven’t heard any “horror stories” - this means your case is isolated.

– jksoegaard
yesterday





You seem to be very unlucky. It works for me - asking me if I want to trust or not, and Xcode works fine. As 2FA has been a requirement for new accounts for quite a while, and we haven’t heard any “horror stories” - this means your case is isolated.

– jksoegaard
yesterday



Popular posts from this blog

How to change which sound is reproduced for terminal bell?

Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

Can I use Tabulator js library in my java Spring + Thymeleaf project?