Switch from old two-step verification to new two-factor authentication?

My household has three Apple IDs.

The first never used anything two-factor, and it has new two-factor authentication available to set up. (I haven't set it up because the user prefers not to have the slight inconvenience and doesn't store anything of any value with that iCloud account.)

• The second uses two-factor verification, and has for some time. No two-factor authentication is offered on the iCloud security screen for this account, and even when I remove two-factor verification, no two factor authentication is offered. The account has never had any emails from Apple offering two-factor authentication.
  I called Apple directly about this. The AppleCare support folks didn't have any additional information. They just said it would probably be rolled out to me eventually. They weren't citing any internal knowledge. They just read me verbatim the public Apple support article on 2FA availability.
  
• The third is from an old iTunes account from a decade ago, and has all my iTunes purchases. Apple has never allowed merging this with an iCloud ID, so I still use it, but I don't have it as the iCloud account on any iOS device, so it can't use anything except SMS text messages for authentication.

I wish we could find an answer to when we will be allowed to use 2FA with situations like my second Apple ID.

I also wish Apple could come up with a better solution for the third Apple ID. I realize that content providers have contracts with Apple that limit or prohibit ID merging (sigh!), but that wouldn't preclude Apple from engineering this system to allow an iOS device to serve as an authenticator for an additional ID. iOS devices are considered single-user, but many people have multiple Apple IDs. Perhaps this will change for the better when iOS devices support multiple users, although I would not want to have to switch from one user to another continually.

I've used two-step for a long time and two-factor has not yet been available to me. I will switch when it is available but haven't been concerned about how soon that is as I haven't been able to see that it is a major improvement in security or ease of use.

Same here - have used two-step verification as two-factor authentication isn't available yet for my account, and like you will probably switch once it becomes available.

However, for curiosity, is one better than or over the other?

zinacef wrote:

Same here - have used two-step verification as two-factor authentication isn't available yet for my account, and like you will probably switch once it becomes available.

However, for curiosity, is one better than or over the other?

I haven't been able to find anything that clearly indicates that it is a major improvement in either security or ease of use.

I've seen that and a number of other similar articles. I'm sure two-factor is an improvement and I will switch to it when available, but I'm still feeling more than adequately protected with two-step.

It's really a matter of preference, but two-factor is better security than two-step, and shouldn't be dismissed lightly (not that you are, but just saying for all) ... I think Apple should be pressured to roll out two-factor at a (much) greater pace than it currently is.

To understand really why it's better, an explanation into the terminology. Two-factor means that two of the three factors of information are used to validate identity: What you know, what you have, and what you are. A password is what you know. A trusted device (phone, etc) is what you have. A fingerprint or retina scan is what you are. A trusted device can be an authenticator or key fob, basically something you must have possession of.

Two-step is lesser security insofar as - for example - I can know my wife's information (what you know) and answer her password and security questions, and I'm in. If she had two-factor installed, the devices she has would be used to authenticate, and I couldn't use her account without also having a device AND knowing the information.

Apple will use the devices themselves as trusted authentication mechanisms - obviously behind keycode / fingerprint scan - which qualifies for the "what you have" element of the two-factor.

Now really, lets not split hairs here: I agree that it's probably just as hard to get your password AND THEN get your security questions. If were a nefarious person and had your password, without two factor I could try to determine your security question responses and hope you weren't reading your email (Apple does send notification of logging into services from new locations, which is good). If you're not monitoring email however, I could keep bashing away at your answers, and hope they were simple. Or do it ad nauseum in hopes you weren't really watching your account notifications. This is bad because unless you're watching mail, you could miss this.

On the other hand, if you had two-factor, all your trusted devices would immediately be notified of a new login attempt, and you'd be aware of one factor of your authentication being overrun and you could fix it safely and immediately.

Sorry for the long response but this is mostly for Apple and everyone else -- yes two-step is decent security but two-factor is preferred. I am among the many who are waiting (impatiently) for my account to be able to go to two-factor.

And Apple, if you're listening, please make it so you can see if your account can go to two-factor without having to disable two-step ... that's really not a good thing. Currently the only way you can enable two-factor is by disabling two-step. Backwards to go forwards... it would be nice to at least have some sort of notification on appleid.apple.com (upon logging in of course) that your account has the viability for two-factor.

m.ramsay wrote:

...

Two-step is lesser security insofar as - for example - I can know my wife's information (what you know) and answer her password and security questions, and I'm in. If she had two-factor installed, the devices she has would be used to authenticate, and I couldn't use her account without also having a device AND knowing the information.

...

Two-step verification does not use security questions. It is very similar to two-factor authentication. Both two-step verification and two-factor authentication require a trusted device.

See the information below from Frequently asked questions about two-step verification for Apple ID - Apple Support

With two-step verification, you don't need to create or remember any security questions. Your identity is verified exclusively using your password, verification codes sent to your trusted devices, and your Recovery Key.

2FA is now available to everyone.

1. Go to applied.apple.com and turn off 2SV.

2. Use an iOS device running iOS 9.3 to go to iCloud in settings, log in, go to your account and security, and switch on 2FA.

Linda Custer wrote:

2FA is now available to everyone.

1. Go to applied.apple.com and turn off 2SV.

2. Use an iOS device running iOS 9.3 to go to iCloud in settings, log in, go to your account and security, and switch on 2FA.

How'd you like it so far? Is it better than 2SV? I'm hesitant because now I have to attach a credit to my account.

I was able to activate it yesterday after upgrading to iOS 9.3 and turning off 2-step verification.

zinacef wrote:

How'd you like it so far? Is it better than 2SV? I'm hesitant because now I have to attach a credit to my account.

One major difference is that when you (or someone) else attempts to log in, it automatically puts up a notice on all of your trusted Apple devices with a map giving the approximate location (doesn't automatically text devices that you have registered for that option). Maybe that's a security improvement -- but on the other hand if you are protected (and you are) not sure there is a huge benefit of just knowing of attempts. I like it but I also think I was fully protected with the way that 2 step worked.