Apple ID security overview
An Apple ID is the account used to sign in to Apple services. It’s important for users to keep their Apple IDs secure to help prevent unauthorised access to their accounts. To help with this, Apple IDs require strong passwords that:
Must be at least eight characters in length
Must contain both letters and numbers
Must not contain three or more consecutive identical characters
Can’t be a commonly used password
Users are encouraged to exceed these guidelines by adding extra characters and punctuation marks to make their passwords even stronger.
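A small validator for the four password rules just listed, added here as an example and not Apple's own code; the function names and the tiny common-password sample are assumptions, as is the case-insensitive comparison against that list:

```python
"""Check a candidate Apple ID password against the rules on this page.

Added example, not Apple's implementation. The common-password list is a
constructed sample standing in for whatever list Apple really checks.
"""
import re

MIN_LENGTH = 8

# Constructed sample of commonly used passwords (assumption: the real list
# Apple checks against is much larger).
COMMON_PASSWORDS = frozenset({
    "password", "password1", "12345678", "qwerty123", "iloveyou1", "letmein1",
})

# Any single character repeated three or more times in a row.
_RUN_RE = re.compile(r"(.)\1{2,}")


def password_violations(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        violations.append("must contain both letters and numbers")
    match = _RUN_RE.search(password)
    if match:
        violations.append(
            f"contains {len(match.group(0))} consecutive '{match.group(1)}' characters"
        )
    # Assumption: the common-password comparison ignores letter case.
    if password.lower() in COMMON_PASSWORDS:
        violations.append("is a commonly used password")
    return violations


def is_acceptable(password: str) -> bool:
    """True when the password satisfies every rule listed on this page."""
    return not password_violations(password)


if __name__ == "__main__":
    for candidate in ("Summer2024!", "aaa12345", "password", "Pa55word"):
        print(f"{candidate!r:14} -> {password_violations(candidate) or 'OK'}")
```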
Apple also notifies users by email or push notifications, or both, when important changes are made to their account — for example, if a password or billing information has been changed or the Apple ID has been used to sign in on a new device. If anything looks unfamiliar, users are instructed to change their Apple ID password immediately.
In addition, Apple employs a variety of policies and procedures designed to protect user accounts. These include limiting the number of retries for sign-in and password reset attempts, active fraud monitoring to help identify attacks as they occur and regular policy reviews that allow Apple to adapt to any new information that could affect user security.
Note: The Managed Apple ID password policy is set by an administrator in Apple School Manager or Apple Business Manager.
Two-factor authentication
To help users further secure their accounts, by default Apple uses two-factor authentication — an extra layer of security for Apple IDs. It’s designed to ensure that only the account’s owner can access the account, even if someone else knows the password. With two-factor authentication, a user’s account can only be accessed on trusted devices, such as the user’s iPhone, iPad or Mac, or on other devices after completing a verification from one of these trusted devices or a trusted phone number. To sign in for the first time on any new device, two pieces of information are required — the Apple ID password and a six-digit verification code that’s displayed on the user’s trusted devices or sent to a trusted phone number. By entering the code, the user confirms that they trust the new device and that it’s safe to sign in. Because a password alone is no longer enough to access a user’s account, two-factor authentication improves the security of the user’s Apple ID and all the personal information they store with Apple. It’s integrated directly into iOS, iPadOS, macOS, tvOS, watchOS and the authentication systems used by Apple websites.
When a user signs in to an Apple website using a web browser, a second factor request is sent to all trusted devices associated with the user’s iCloud account, requesting approval of the web session. If the user is signing in to an Apple website from a browser on a trusted device, they see the verification code displayed locally on the device they’re using. When the user enters the code on that device, the web session is approved.
Password reset and account recovery
If an Apple ID account password is forgotten, a user can reset it on a trusted device. If a trusted device isn’t available and the password is known, a trusted phone number can be used to authenticate through SMS verification. In addition, to provide immediate recovery for an Apple ID, a previously used passcode can be used, in conjunction with SMS verification, to reset the password. If these options aren’t possible, the account recovery process must be followed. For more information, see the Apple Support article How to use account recovery when you can’t reset your Apple ID password.