Two-Factor Authentication

Intro to 2FA

Two-factor authentication generally means that you have identified a secondary trusted device that you alone access and given it permission to help you connect to given online service, such as a secure website.

For example, when you log into a website with a username and password for the first time*, the site sends a message to the trusted device to verify it’s you.

*“First time” might confuse you if you thought you did this already, but in a web browser the occurrence is dependent on a saved “cookie” telling the website that it’s been done before. If the cookie is deleted, you’ll be prompted again.

Apple ID & iCloud

To enact two-factor authentication, Apple devices use some fancy technology, which has been praised by security experts. When 2FA is enabled and you try to log into a device or web browser (lacking an associated cookie), a verification request is sent to all devices that are already signed into the account.

The dialog shows an approximate geographical location of the attempt and, with your permission, provides a 6-digit code. The code is temporary, so there’s no need to save it. You enter the code on the screen where you’re signing in, if you wish, indicate whether to trust this application in the future.

You might be surprised to receive one of these verification requests on the same computer you are using to sign in. However, if you are signing into icloud.com in Safari, for example, keep in mind that the web browser is treated as a separate “device” from your Mac.

You may just need to drag the window containing the verification code out of the way so you can see the fields where you can enter the code.

Authenticator App

Some online services like Google and Salesforce offer their own mobile authentication app that you can use to complete 2FA verification. When you attempt login, you then open the app to retrieve the current code for the desired account. Most codes change frequently as a precaution.

Similarly, when logging into Facebook with 2FA enabled, you can open the Facebook app on a device, look for the request in your notifications (the bell icon), and indicate whether the sign-in attempt was made by you. Within a few seconds, your login succeeds without having to enter a code manually.

Text Message

A less secure but very popular method of sending 2FA verification codes is by text message (SMS). Often this requires looking at the Messages app or an associated notification to reference the verification code. However, Apple has developed an easier approach.

If you’re using an iPhone that is receiving the text message, or if your messages are forwarded to another Apple device where you are using Safari or an iOS app to sign in, take a look at the predictive text panel above the keyboard. It will likely offer the verification code just received in Messages and you tap that to input it.

2FA Contact

When you receive 2FA verification codes by text message, some services send them through standard phone numbers (10 digits in North America) while others use dedicated SMS numbers that are five digits long.

Either way, if you use 2FA with a lot of services, you’re likely to clutter your text messages with a lot of random, unknown numbers. Here’s a tip to clean them up:

1. Go to your Contacts and create a new contact record where you’ll store all 2FA numbers. I called mine 2FA.
2. In Messages, go to one such thread, show the contact info, and choose to add it to an existing contact—the record you just created—and save the record
3. Repeat step 2 for other message threads containing 2FA codes

As a result, future messages from all of these senders will appear in single message thread and you can search for the thread by name if you need to look up an unexpired code (some are good a while longer).