Set up two-factor authentication for iCloud
If you aren’t using two-factor authentication to protect your Apple ID and iCloud account, you really should do it today. Using two-factor authentication should protect you completely. It’s simple to set up, so take a minute and do it now.
You used to be able to set up two-factor on the account settings page at appleid.apple.com, but now this has to be done on a Mac or iOS device. (Apple ID users who don’t have a compatible device can still use an older two-step verification system – see below for more.)
iOS
Follow these steps on a device running iOS 9 or later. The iOS device must be protected with a passcode (Settings > Touch ID and Passcode).
Launch the Settings app, and go to iCloud. Obviously you need to be signed in with the account you want to protect with two-factor authentication
Tap your Apple ID. It doesn’t really look like a button, but it is. Then tap Password & Security in the next menu
Tap Turn on two-factor authentication. You’ll see an explanation screen, and tap Continue
You may be asked to verify your identity by answering the security questions you set up when you created your Apple ID
Next, enter a phone number where you can receive a text message or a phone call with a two-factor code. You can also specify if you want a text or a call. Then you’ll get that text message or call, and enter the six-digit verification code on the next screen
That’s it. Two-factor is on, and this is your official Trusted Device. The next time you sign on to iCloud.com, or set up your iCloud account on a new device, you’ll have to first enter your username and password, and then be prompted to enter a code. That code will come in a pop-up on your trusted device, texted/phoned to the number you provided, or, you can come back to this screen and tap Get Verification Code
What if my device is too old?
If your iOS device isn’t running iOS 9, you can still use two-step verification, which is slightly different than twofactor authentication, mostly because it relies on a text message being sent to a phone number, while the newer ‘authentication’ is baked more seamlessly into the OSes. Plus, the older verification method requires you to hold onto a Recovery Key in case you ever lose your password.