Apple has announced that from 27 February, 2019, two-factor authentication (2FA) will be compulsory for boss developers.
“In an effort to keep accounts more secure, developers with the Account Holder role in a developer program will need to enable two-factor authentication to sign in to their Apple Developer account and Certificates, Identifiers & Profiles,” the company announced today.
Apple’s announcement was typically brief, so offers no information about why it’s added the requirement. But it is not hard to surmise the reasons: as explained here, the account holder role has powers that even admins don’t possess, including the ability to create and revoke distribution certificates with which apps are signed.
Gaining access to an account holder’s account is therefore a ticket to potential App Store mass-scale mischief and mayhem for miscreants. 2FA will reduce the likelihood of that happening.
The indecent haste of the new policy’s introduction is a case of better late than never: Account Holder creds are surely a known target for attackers and the lack of 2FA makes them vulnerable.
You’d hope that folks with account holder status would understand the need for strong passwords, but myriad incidents show it’s seldom hard to find someone who thinks an attack would never happen to them.
Account holders will need a device running iOS, or a Mac running OS X El Capitan or later, as their second source of authentication.