Update: While this method still works, Apple now offers a more secure method called two-factor authentication.
Apple, like many other companies, offers increased security for your Apple account by way of two-step verification.
Two-step verification is a simple and proven technique for stopping hacks that take advantage of stolen passwords and other sensitive information. As it is virtually impossible to bypass, it is worth your time to secure every important account that you have.
Taking five minutes to set up verification and add trusted devices to your account is much quicker (and cheaper) than spending a month disputing charges with your bank or credit card provider.
What is Two-Step Verification and Why is it Better?
As its name says, two-step verification requires a user to verify two different pieces of information before accessing an account.
Up until now, Apple occasionally used a weaker form of two-step verification when it noticed a change in your usage or location.
If you tried to purchase something on a different Wi-Fi network or had not logged in recently, they might ask questions like "What is your mother's maiden name?", "What was your first pet's name?", "Who was your favorite teacher?" and so forth.
While this form of two-step verification might slow down basic hackers, it doesn’t do much to protect you from someone who has your personal information.
The new two-step verification is different.
Instead of using existing personal information, the system generates a short PIN and sends it to your trusted devices. This means that unless the would-be hacker or identity thief has access to your individual recovery key or Apple’s databases, you can count on a higher level of security.
You can even assign multiple trusted devices to your account to ensure you can verify purchases with whatever iOS device you have nearby.
How Does Two-Step Verification Work?
When two-step verification is enabled, you start by logging in the same way you always have.
Instead of being granted immediate access, you are asked for a PIN, which Apple sends to you in a text message.
In effect, the PIN is a temporary single-use password.
A bad guy can't look up a PIN sent only to your device or trick someone else into revealing it.
It is generated on the fly, right at the time you are logging in. It can be used only once! If it isn't used right away, it expires.
It is this ability to generate a temporary PIN and deliver it via a secure device that makes two-step verification so strong.
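The properties described above (a PIN generated at login, usable only once, expiring if unused), as an added server-side sketch. It is not Apple's code; the class name, PIN length, lifetime and attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

PIN_DIGITS = 4      # assumed length of the "short PIN"
PIN_TTL = 300       # assumed lifetime in seconds
MAX_ATTEMPTS = 3    # assumed guess limit; a short PIN needs one


class PinVerifier:
    """Hypothetical second-step verifier: one pending PIN per account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # account -> {"pin", "expires", "tries"}

    def issue(self, account):
        # Generated on the fly with a CSPRNG, at the moment of login.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._pending[account] = {
            "pin": pin,
            "expires": self._clock() + PIN_TTL,
            "tries": MAX_ATTEMPTS,
        }
        # The caller delivers this to the trusted device only; it is
        # never returned to the browser session that is logging in.
        return pin

    def verify(self, account, candidate):
        entry = self._pending.get(account)
        if entry is None:
            return False  # nothing issued, or already consumed
        if self._clock() >= entry["expires"]:
            del self._pending[account]  # unused PINs expire
            return False
        # Constant-time comparison avoids leaking matching digits.
        ok = hmac.compare_digest(entry["pin"].encode(), candidate.encode())
        entry["tries"] -= 1
        if ok or entry["tries"] == 0:
            # Single use: discard on success, and on too many bad guesses.
            del self._pending[account]
        return ok
```

Without the attempt limit, a four-digit PIN has only 10,000 possible values and could be guessed within its lifetime.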