iMessage just got secure: Apple expands iCloud two-factor authentication

Since the embarrassing revelation that iCloud’s two-factor authentication didn’t actually cover many of Apple’s online services, partially responsible for a rash of leaked celebrity photos last year, Apple has been gradually adding the security setting to many of its other services. On Thursday, users with iCloud’s two-factor authentication enabled will need to complete extra steps when logging into iMessage and FaceTime, the Guardian reported. The feature is rolling out now, but may not be available for your specific devices yet.

For users who have two-factor turned on, when you log into iMessage on a new iPhone or Mac, your Apple ID password won’t be enough to gain access. According to MacRumors, FaceTime and iMessage are using app-specific passwords, in which you generate a unique code on Apple’s website, instead of having a four-digit PIN texted to your device.

Now, a miscreant with your Apple ID password — possibly gained through phishing, other social engineering, or even a lucky guess — won’t be able to set up iMessage or FaceTime and pretend to be you without your phone. Because of the way iMessage uses encryption, simply logging into a new device doesn’t recover old iMessages, even before Apple turned on the new two-factor authentication.

If you don’t have two-factor turned on for your iCloud account, you should do it. Here’s Apple’s guide. After all, even if you’re not a celebrity, you don’t want to get hacked and have your life turned upside down.

This post was updated on 2/13 to clarify that iMessage and FaceTime are using app-specific passwords, and not two-factor authentication with a PIN code.