Easiest way to enable 2FA for developer program accounts

A lot of grief would’ve been saved if a particular support/guidance article had been published before scaring 10000s of developers.

Ground rule: You should never, ever share your personal iCloud accounts with your business accounts. Always, always keep your personal and business life separate, as much as possible and reasonable.

A week ago, out of the blue, Apple sent an email to each developer program account saying that it must have 2FA enabled by Feb 27 (thus about 2 weeks to do it). The initial email they sent was so brief and casual, it rightfully created quite a storm in developer circles.

Main issue: Apple is not using TOTP for their 2FA; instead it’s handled through iCloud and at least one trusted device where you are logged in with that iCloud account.

This change came shortly after they merged App Store Connect and Developer Portal accounts and roles. In my case, I have two paying developer program accounts (from Dev Portal) and half a dozen (former) App Store Connect accounts of various roles (mostly App Manager role for client apps). All those emails were now Apple IDs.

On first reading of that email, I thought I would need about 7-8 new iOS/macOS devices where I would be logged in to iCloud just to be able to access those various accounts. Freaking ridiculous.

Luckily, after what is probably 1000s of people emailing developer support for clarification, Apple did what they should have done in the first place: publish a detailed support document about this.

First — only the paying developer program account (the so-called Team Agent) must have 2FA enabled.

Second — you can have as many inactive iCloud accounts as you like on either a macOS or iOS device and you will still be able to receive 2FA codes for them.

You just need to enable 2FA for them, in the first place. This is what worked for me, done for both dev program accounts in about 5 min each.[1]

  1. Create a new dummy standard account on my macOS Mojave, user/name not important.
  2. Skip the initial login into iCloud, until I get to the desktop.
  3. Go to System Preferences, then iCloud, then log in with the dev program account.
  4. Turn off all sync — Mail, Contacts, Calendar, Reminders — all of it should be off.
  5. Enable 2FA, using my phone number.
  6. Stay logged in on the Mac, with that account.
  7. On my iPhone, open the Settings app, then Passwords & Accounts.
  8. Add a new iCloud account, logging in with the dev program account.
  9. Your Mac receives the 2FA prompt & code, enter it on iPhone, wait until the account appears in the list.
  10. Again turn off all switches (Contacts, Calendar etc). iOS will now show the account as “inactive”.
  11. Back on Mac, sign out of iCloud.
  12. Switch back to your actual macOS user, go to System Preferences, then into Internet Accounts and add a new iCloud account using your dev program account.
  13. You will receive the prompt & code on your iPhone (despite the account being shown as inactive).
  14. Complete the procedure on Mac, again turning off all the toggles so the account is shown as “inactive”.
  15. Done.

Now both your iPhone and Mac are trusted devices for that account.

Repeat for as many paying dev program accounts as you have. You can use the same dummy Mac user. When you are done, you can delete that dummy Mac account; it’s no longer needed.

  [1] If I exclude 5 days of on-and-off reading of various blogs and support documents.