Back in September, Apple enabled a two-factor authentication (2FA) security option for iCloud in the wake of a celebrity photo hacking scandal. While this helped protect backups, photos, and other personal data stored using Apple's cloud service, it didn't extend to some other commonly used Apple services. According to a Guardian report, Apple is turning on 2FA for the iMessage and FaceTime services starting today.
If you've already enabled 2FA on your iCloud account, there's nothing else to do—signing into iMessage or FaceTime on a new device will now prompt you to generate an app-specific password on the AppleID management page. If you're unfamiliar, app-specific passwords are randomly generated passwords separate from your main account password that you typically use once to grant access to a specific app, and you can only generate these passwords using a device that has already been verified with your account. Once you've generated a password, you'll enter that into the password field along with your AppleID to sign in.
The experience isn't as good as it could be. Tap the "create" button on an iPhone, for example, and you'll be directed to the desktop version of a sign-in page to generate your password; ideally, Apple will come up with something a bit more mobile-friendly in the future. Several Apple services still aren't protected by two-factor authentication—you can sign in to iTunes, the App Store, or the online Apple Store without needing anything other than your account password—but it makes sense for Apple to focus first on services that are more likely to expose sensitive data.