2FA - the Apple way 🍏

Aug 02, 2022

Let's just assume that by now we all know the importance of security. Well, 2FA is just another component in your armoury on this journey to safety. Secure access to your corporate website or web app/service should be table stakes, and to take this to the next level we want that to be secured by Two Factor Authentication, or 2FA.

Now before we go too far, let's touch on what 2FA is in this context. Also sometimes called OTP or a one-time password, 2FA is a second method of confirming a legitimate user on top of your username and password - generally this takes the form of a token (be it software or hardware), or a text message to a registered mobile. These generate unique time-based one-time passcodes that validate legitimate users and essentially provide that added level of security.

Some examples of the most common apps used for 2FA include: Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and Authy. These are all good but I think we can do better 😇

the Apple way 🍏

Let me introduce the iCloud Keychain - Apple's somewhat secret password manager. It's a native component of macOS and, as with all things iCloud, synchronises across your devices (iPad, iPhone, Mac). It stores secure notes, can generate complex passwords, performs end-to-end encryption, reports on compromised passwords and will advise you when your password is weak 😱💪🏼. More importantly, since macOS 12 (that's 'Monterey' people) and iOS 15 it can be your 2FA solution as well!

No need to install, maintain and back up 3rd party apps when your Mac can do it all natively, ooohh yeah!

Setups

To get this show on the road, the easiest thing to do is head over to a website that supports 2FA, or even identify one you have already configured in your Google or Microsoft authenticator app - I chose Instagram as a starting point! Hopefully you've already saved your account details in Safari so you'll get straight in. From here you simply follow the vendor's setup instructions: for Instagram, click on your profile picture, then settings, tap privacy and security, then Two-Factor Authentication, and choose to get 'Login codes from a third party authentication app'. Now it's just a matter of scanning the QR code or using the manual code to register. If you scan the QR code on your iPhone it'll populate the Validation Code on the account and sync to your Mac. Verify this code back to your website 2FA setup (Instagram in this case) and you're done!

So if you want to check it out, launch that Passwords app (System Preferences, Passwords in macOS or Settings, Passwords in iOS) - tip for noobs, launch it via Spotlight, i.e. command key + spacebar and type 'passwords' - it should be top of the list 👍🏼. Find your website and you'll see it auto-generating your 2FA verification code --> winning!

iCloud Keychain is the best, so get out there and start clearing off those superfluous apps cluttering your iPhone (I'm thinking Google and Microsoft Authenticators here)! Just a note of caution: you want to migrate your 2FA setups prior to hitting the delete button, obviously! 🙌🏼

the Windows

I don't want to forget about all our Windows brothers and sisters out there who are still on the path to an Apple future, we have some love for you as well ♥️. There is an iCloud Passwords Windows app which also supports 2FA, so you could actually start using this today! Get the good oil directly from the horse's mouth 🐴 to see how it's done.

Futures

Having said all that, passwords are hopeless and generally people are not good at managing them! Think about all the weak passwords out there, and how often people re-use the same ones over and over. Industry big names Microsoft, Google and Apple have all partnered to work towards password-less authentication systems across their various platforms. Specifically on the Apple front, it was recently announced in a WWDC keynote that their implementation, passkey, will be here sooner rather than later ... it's coming in macOS Ventura and iOS 16, which puts it sometime around September?? Think of passkeys as your secure next gen authentication method, even better than 2FA v2! Check it out here if you're interested, where my man Garrett walks you through it ✌🏼