With the release of iOS 9 Beta 3 to developers this week, Apple has released details on security changes that improve the way users verify their Apple ID from secondary, trusted devices, including better implementation of verification codes and elimination of the annoying Recovery Key. The current system in iOS 8 is known as “two-step verification,” while the new version will be called “two-factor authentication.” This new system is currently limited to select beta users, but will be available to all when iOS 9 launches later this year.
One of the overall improvements for two-factor authentication is that adding and managing trusted devices is now directly built into both iOS 9 and OS X 10.11 El Capitan, instead of being handled by the Find My iPhone/Mac application. This means that any device running either iOS 9 or El Capitan that a user signs into with their Apple ID will become a trusted device, provided they also pass the two-factor authentication step.
Because of this integration into the operating systems, when a user signs into a new device with their Apple ID (or to iCloud on the browser), the verification code is now automatically pushed to all the trusted devices. This verification code has also been updated, and is now six digits instead of the existing four.
The other great change has to do with the Recovery Key, a 14-character code used in the existing two-step verification process. Currently, when trying to log in to an Apple ID on a new or different device, the only way to gain access other than with a trusted device is with the Recovery Key. If a trusted device is also lost or stolen and users can’t provide the Recovery Key, their Apple ID account can become irretrievable, as even customer support is unable to help in this situation.
With the new two-factor authentication system, Recovery Keys are done away with, and users can turn to a customer support representative for help. The process will involve submitting a recovery request to Apple, after which Apple will contact users at verified phone numbers once the case has been reviewed. It is noted that account recovery can take a few days or longer, depending on how much information users can provide to verify they are the account owner.