Apple’s New Two-Factor Authentication For iTunes Explained

We’ve always recommended setting up two-factor authentication to protect your personal data. Apple has finally added optional two-factor authentication to iTunes accounts, which gives you an extra level of protection. How does it work?

Picture: Stefan Gosatti/Getty Images

Two-factor authentication means that instead of signing in with a password alone, you must also supply a second, independent piece of evidence. The most common implementation (and the one Apple uses) sends a one-time code by text message to a registered phone number; you then enter that code on the device you are signing in from. That means that even if someone obtains or guesses your password, they still can’t log in unless they also have your phone in hand.

Apple’s implementation doesn’t demand the code every time you sign in; it asks for it only when you sign in from a device that hasn’t been verified before, after which that device is remembered. That’s a common approach (Google, Dropbox and Microsoft all do the same). You can have the code delivered either as an SMS message or as a Find My iPhone notification.

Fortunately, Australia is on the list of countries where Apple has begun supporting two-factor authentication. To set it up, go to the Apple ID sign-in page, open the Password and Security section, and select ‘Getting Started’ under Two-Step Verification. (Apple calls it two-step verification; we’re sticking with two-factor, as that’s the more common term.)

A common question about two-factor is: what happens if you lose the device that receives the codes? Apple’s answer is a 14-character ‘recovery key’ which you can use to sign back into the service. Don’t store that on any of the devices it is meant to protect, and don’t keep it in the same place as your password; printing it and locking it in a drawer is the more sensible approach.
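To make the sign-in flow above concrete, here is an added example that is not Apple’s code and not from the article: a toy server-side model in which the password is step one, a texted one-time code is step two for unrecognised devices, a device that passes step two is remembered by a random token bound to that device, and a recovery key stands in for the phone. The class and method names, the four-digit code, the five-minute expiry and the three-attempt limit are all assumptions for illustration, and the “SMS gateway” is just a list the code appends to.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 5 * 60   # assumption: a texted code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # assumption: three wrong guesses void a pending code
KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: easy to type from paper


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash for stored secrets; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class TwoStepAccount:
    """One account on an assumed service; mirrors the sign-in flow described in the article."""

    def __init__(self, password: str, phone_number: str, now: Callable[[], float] = time.time):
        self._now = now
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash(password, self._salt)
        self.phone_number = phone_number
        # Shown to the user exactly once at enrolment; only its hash is kept server-side.
        self.recovery_key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(14))
        self._rk_hash = _hash(self.recovery_key, self._salt)
        self.outbox: List[Tuple[str, str]] = []   # stand-in for an SMS gateway (assumption)
        self._trusted: Dict[str, str] = {}         # device token -> device id it was issued to
        self._pending: Dict[str, list] = {}        # device id -> [code, expires_at, wrong_attempts]

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self._salt), self._pw_hash)

    def sign_in(self, password: str, device_id: str, device_token: Optional[str] = None) -> str:
        """Step one. Returns 'denied', 'ok' (remembered device) or 'code_sent'."""
        if not self._password_ok(password):
            return "denied"                     # same answer whether or not step two exists
        if device_token is not None and self._trusted.get(device_token) == device_id:
            return "ok"                         # this device already passed step two
        code = f"{secrets.randbelow(10 ** 4):04d}"   # four-digit one-time code
        self._pending[device_id] = [code, self._now() + CODE_TTL_SECONDS, 0]
        self.outbox.append((self.phone_number, f"Your verification code is {code}"))
        return "code_sent"

    def verify_code(self, device_id: str, code: str) -> Optional[str]:
        """Step two. Returns a token that marks this device as trusted, or None."""
        entry = self._pending.get(device_id)
        if entry is None:
            return None                         # nothing pending: no code was sent
        stored, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_CODE_ATTEMPTS:
            del self._pending[device_id]        # expired, or guessed too often: start over
            return None
        if not hmac.compare_digest(stored, code):
            entry[2] += 1
            return None
        del self._pending[device_id]            # one-time: the code can never be replayed
        return self._trust(device_id)

    def recover(self, password: str, recovery_key: str, device_id: str) -> Optional[str]:
        """Fallback when the phone is gone: password plus the printed recovery key."""
        if not self._password_ok(password):
            return None
        key = recovery_key.replace("-", "").replace(" ", "").upper()
        if not hmac.compare_digest(_hash(key, self._salt), self._rk_hash):
            return None
        return self._trust(device_id)

    def _trust(self, device_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._trusted[token] = device_id
        return token


if __name__ == "__main__":
    acct = TwoStepAccount("correct horse battery staple", "+61412345678")
    print(acct.sign_in("correct horse battery staple", "new-laptop"))          # code_sent
    code = acct.outbox[-1][1].split()[-1]                                      # user reads it off the phone
    token = acct.verify_code("new-laptop", code)
    print(acct.sign_in("correct horse battery staple", "new-laptop", token))   # ok
```

Two details matter more than the code length: a wrong password gets the same answer whether or not the account has a second step, so an attacker who has only the password learns nothing extra, and a code is deleted the moment it is accepted, expires, or exhausts its attempts, so a code read over someone’s shoulder is useless a few minutes later.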



  • The problem I have with iTunes accounts is around their password policies. It seems like every time I go to log in to iTunes I end up locking out my account for entering the wrong password, then I have to go and reset it, and realise why I always enter the wrong password: it keeps telling me not to use the same/older password.

    On a side note, where’s a better place to buy mp3s from?

  • That’s the first time I’ve ever heard it called two-factor. I’ve only ever seen it called Two Step Authentication/Verification.
    Still, any ways to further secure our accounts seems like a good idea.

    • Two-factor authentication is the industry standard name for it, but some companies word it differently when presenting it to users to make it easier to understand. They mean similar things in the end, though two-factor authentication doesn’t necessarily have to be done in two steps: the second factor (usually a time-seeded one-time password) can be asked for at the same time as the first factor (your normal password).

    • Examples of Factors of Authentication are:

      Something you KNOW.
      Username and Password (and DOB and Cat’s Name and Teacher’s Name) are all examples of things you know.

      Something you HAVE.
      A hardware token. A swipe-card. An RFID card. A card with your supplementary information. An old fashioned metal key. A software token on your smartphone (Google Authenticator, or Verisign, Vasco, DigiPass etc).

      Something you ARE.
      Voice recognition. Fingerprint or palm recognition. Iris scan recognition. DNA analysis. Blood type analysis. Facial recognition. Even as simple as the person doing the authenticating recognising you: “Hello Mr Clarke… welcome back to the Mandalay Bay hotel”.

      Currently 99% of the “authenticating” we do online is single-factor. It only uses USERNAME and PASSWORD. And sometimes other so-called “secondary” factors like cat/dog/kid name, football team etc… we all know those horrible (useless) things. But just information. A single factor.

      By adding a second factor of authentication, even if a database is stolen and your USERNAME and PASSWORD get into the wrong hands… they cannot gain access to your account.

      eg: A hacker in Rockland, Virginia, USA who bought or stole a database of PayPal username/passwords and is trying to use them will not have your Galaxy S3 smartphone with the Verisign Token App that’s needed to access your PayPal account. It’s still in your pocket in Rockhampton, QLD, Australia.

      Multi-factor authentication is a trade-off between user convenience and security. It works both for online and physical security applications. We need more of it.
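The replies above describe the app-based token (Google Authenticator and the like) as a time-seeded one-time password. As an added example, not code from the article or from any of the commenters, the following implements that algorithm (HOTP per RFC 4226, TOTP per RFC 6238) together with a server-side verifier that tolerates a little clock drift and refuses a code that has already been used. TotpVerifier and its parameters are assumed names for illustration; the Base32 secret in the main block is the RFC 6238 reference secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock (Unix time // step)."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of an app-generated code; an assumed API, not any vendor's."""

    def __init__(self, base32_secret: str, step: int = 30, window: int = 1, digits: int = 6):
        # Authenticator apps are provisioned with the shared secret as Base32 text (QR code or typed).
        self.secret = base64.b32decode(base32_secret.replace(" ", ""), casefold=True)
        self.step, self.window, self.digits = step, window, digits
        self.last_counter = -1          # highest time step already consumed, to stop replay

    def check(self, code: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        matched = None
        # Try every step in the window; a phone whose clock is one step off still works.
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                matched = c
        if matched is None or matched <= self.last_counter:
            return False                # wrong code, or a code already accepted (replay)
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference secret ("12345678901234567890") in Base32.
    secret_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(base64.b32decode(secret_b32), time.time()))
    verifier = TotpVerifier(secret_b32)
    print("accepted:", verifier.check(totp(base64.b32decode(secret_b32), time.time())))
```

The verifier’s `last_counter` is the piece most home-grown implementations forget: without it a code that was phished or shoulder-surfed remains valid for the rest of its 30-second step (plus the drift window), which is exactly the replay the “one-time” in the name is meant to rule out.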

  • What’s up with the pic of the 2 girls? And damn, she wears a lot of make-up 😛

    I still don’t understand why girls wear such thick foundation on their faces; it does not look nice or natural at all.

  • Is anyone having the issue of not being able to set up the SMS security notification? Whenever I input my phone number the verification text never comes through. Does anyone know how to fix this?

  • Charlie, I had the same issue. As it turns out, when you are entering an Australian mobile number the zero that is in front of Australian mobile numbers is not required.

    So for the SMS number, you select +61 as the dialling code for Australia, omit the zero from your mobile number and enter single digit “4” in the area code field.

    Then enter the remainder of your mobile phone number in the second field. Once I did this, I was sent the verification code via SMS pretty much instantly.

    Hope this helps.
