Pixel Envy

Written by Nick Heer.

Apple Starts Requiring Two-Factor Authentication for Developer Accounts

Apple sent this email to developers today:

In an effort to keep your account more secure, two-factor authentication will be required to sign in to your Apple Developer account and Certificates, Identifiers & Profiles starting February 27, 2019. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account. If you haven’t already enabled two-factor authentication for your Apple ID, please learn more and update your security settings.

Brent Simmons:

I have two accounts — one for personal use, one for development use — and so do lots of developers.

I don’t know how to make this work. None of my devices are ever signed in to my developer account. That account exists purely for building and distributing apps.

I also have separate personal and developer Apple IDs, and my personal ID is already set up with two-factor authentication. Unlike two-factor verification, one device can be associated with multiple Apple IDs for authentication purposes. However, as far as I can tell, this quickly becomes complicated.

To register an iOS device with two-factor authentication, you must sign out of your personal Apple ID at the system level, which means you’re signing out of iCloud. This is a highly disruptive action. On a Mac, it’s much easier, because you can associate different MacOS users with their own Apple ID. So, the best recourse to set up two-factor authentication is probably to create a separate user account on your Mac, set it up with your developer Apple ID, and then follow Apple’s directions.

But then what? Two-factor authentication codes are sent to trusted devices signed in to a particular Apple ID. So you can receive two-factor authentication codes for your developer Apple ID on your Mac when you’re logged into that specific account, but that account won’t be logged into your personal Apple ID’s features, like iMessage or Apple Music. Most solo or small-team developers probably have a setup similar to Simmons’, where the developer Apple ID is just for development and nothing else. And that still doesn’t answer the question of how this is supposed to work for iOS devices, where switching between iCloud accounts is more or less a destructive action.

Apple is giving developers just two weeks to get two-factor authentication enabled on that account. If you, like me, are required to make other Apple ID account changes prior to setting up two-factor authentication, you should be aware that there is a three-day waiting period after making those changes before you can enable two-factor authentication.

I’ve asked Apple about some of this and hope to hear back shortly. So far, I don’t think this requirement has been communicated very well, and I think it’s going to cause a lot of developers some headaches over the next two weeks.

Update: Jonathan Tarud points out that signing out of the Apple ID on the developer MacOS user account created to set this up will cause two-factor authentication to fall back to SMS verification. That isn’t elegant at all.