
Apple Account security overview
An Apple Account is the account used to sign in to Apple services. It's important for users to keep their Apple Accounts secure to help prevent unauthorized access to their accounts. To help with this, Apple Accounts require strong passwords that:
Must be at least eight characters in length
Must contain both letters and numbers
Must not contain three or more consecutive identical characters
Can't be a commonly used password
Users are encouraged to exceed these guidelines by adding extra characters and punctuation marks to make their passwords even stronger.
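The four password rules above, implemented as a checker (example code added for this page, not Apple's own implementation; the denylist is a constructed stand-in for the real list of commonly used passwords, which the page does not publish):

```python
import re
from typing import List

# Constructed sample denylist; a real deployment would load a much larger
# list of commonly used passwords and compare against it.
COMMON_PASSWORDS = {"password1", "qwerty123", "welcome1", "iloveyou1", "abc12345"}


def check_password(password: str) -> List[str]:
    """Return the Apple Account password rules that the candidate violates.

    An empty list means every rule described above is satisfied.
    """
    failures = []
    if len(password) < 8:
        failures.append("fewer than eight characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("contains no letter")
    if not re.search(r"\d", password):
        failures.append("contains no number")
    # The same character three or more times in a row, e.g. 'aaa' or '111'.
    if re.search(r"(.)\1{2}", password):
        failures.append("three or more consecutive identical characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("commonly used password")
    return failures


def is_acceptable(password: str) -> bool:
    """True when the candidate passes all four rules."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "short1", "passs1234", "password1"]:
        print(candidate, "->", check_password(candidate) or "ok")
```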
Apple also notifies users by email, push notification, or both when important changes are made to their account, for example when a password or billing information is changed or the Apple Account is used to sign in on a new device. If anything looks unfamiliar, users are instructed to change their Apple Account password immediately.
In addition, Apple employs a variety of policies and procedures designed to protect user accounts. These include limiting the number of retries for sign-in and password reset attempts, active fraud monitoring to help identify attacks as they occur, and regular policy reviews that allow Apple to adapt to any new information that could affect user security.
Note: The Managed Apple Account password policy is set by an administrator in Apple School Manager or Apple Business Manager.
Two-factor authentication
To help users further secure their accounts, Apple uses two-factor authentication by default, an extra layer of security for Apple Accounts. It's designed to ensure that only the account's owner can access the account, even if someone else knows the password. With two-factor authentication, a user's account can be accessed only on trusted devices, such as the user's iPhone, iPad, or Mac, or on other devices after completing a verification from one of these trusted devices or a trusted phone number. To sign in for the first time on any new device, two pieces of information are required: the Apple Account password and a six-digit verification code that's displayed on the user's trusted devices or sent to a trusted phone number. By entering the code, the user confirms that they trust the new device and that it's safe to sign in. Because a password alone is no longer enough to access a user's account, two-factor authentication improves the security of the user's Apple Account and all the personal information they store with Apple. It's integrated directly into iOS, iPadOS, macOS, tvOS, watchOS, and the authentication systems used by Apple websites.
When a user signs in to an Apple website using a web browser, a second-factor request is sent to all trusted devices associated with the user's iCloud account, requesting approval of the web session. If the user is signing in to an Apple website from a browser on a trusted device, they see the verification code displayed locally on the device they're using. When the user enters the code on that device, the web session is approved.
Password reset and account recovery
If an Apple Account password is forgotten, a user can reset it on a trusted device. If a trusted device isn't available and the password is known, a trusted phone number can be used to authenticate through SMS verification. In addition, to provide immediate recovery for an Apple Account, a previously used passcode can be used in conjunction with SMS verification to reset the password. If none of these options is possible, the account recovery process must be followed. For more information, see the Apple Support article How to use account recovery when you can't reset your Apple Account password.