updated 07:00 pm EDT, Mon June 30, 2014
Four-digit passcode identifies device on top of user credentials
Apple is either testing or in the process of rolling out two-step verification for its iCloud.com portal, optionally allowing users who want to use the two-factor authentication to enter a random four-digit passcode on their device in order to add it to a list of "trusted" devices. The option is not yet available to Apple ID accounts that have previously set the preference for using two-step verification, but improves security over the default "Apple ID password only" method.
iCloud portal when two-step verification is required
For those unfamiliar with two-factor authentication, it adds one extra step of verification if a device accesses a site that requires it. In addition to having the login and password information, the user must also verify a four-digit random code, which can be texted or sent to a different device. The user enters the four-digit code on the original machine seeking access, and the device gains "trusted" status that won't require re-verification under normal circumstances.
Apple began implementing the option in order to protect Apple ID users over a year ago, and has since expanded the program across Europe, Canada, the UK, Ireland, Australia and New Zealand. The "Find My iPhone" portion of the site (and its companion apps) are deliberately excluded from using two-factor authentication so that owners can track and recover missing or stolen "trusted" devices.
At present, the two-step verification appears to work inconsistently, reports AppleInsider. In some cases, re-verification of the secondary code was required each time the user logged in, in other cases it wasn't. Users can set up the extra security measure by turning on the option at MyAppleID.