Can't disable "reset password with apple ID" backdoor through FileVault 2




SoldOnApple
Oct 10, 2012, 06:54 PM
So I decided to enable FileVault 2, but then I found out that anyone who has discovered my Apple ID can just slip right past it with the "Allow user to reset password using Apple ID" option that was selected in the Users & Groups preferences pane.

So I unencrypt, reset the machine, and go to that pane to untick that option, but as soon as I enable the lock changes thing, or change tab or do anything else, it ticks itself again. I cannot seem to disable this backdoor at all. I've tried searching for how to untick this box but I cannot find a solution.

It is the Admin account, so it's not that. What's the point of FileVault if anyone can access my Mac with my Apple ID, either by seeing my password (which I enter multiple times per day), or just by calling Apple and pretending to be me?

All I want to do is permanently disable that option so I can turn FileVault on again.

I'm running retina MBP 10.8.2



SoldOnApple
Oct 11, 2012, 06:48 AM
I'm sorry about the rant, I was just frustrated after doing research into FileVault and seeing all the extra steps to keep it secure. It's been pretty concerning hearing about people being able to get your Apple ID just by calling Apple. This is the option I'm referring to, no matter what I do it reticks itself. http://i.imgur.com/hPjoZ.png

dcorban
Oct 11, 2012, 10:38 AM
It may be a conscious design decision to prevent the average user from unwittingly locking themselves out of their computer.

Weaselboy
Oct 11, 2012, 11:36 AM
> All I want to do is permanently disable that option so I can turn FileVault on again.

Here is mine with FV2 on. I never put an AppleID in that field to begin with (before encrypting) and I wonder if that is your problem. Can you unencrypt then remove the AppleID from there altogether then encrypt again?

http://i.imgur.com/N43UD.png

SoldOnApple
Oct 11, 2012, 07:23 PM
The option disappears with FileVault 2 turned on, so once it's on there is no way to check what that option is set to once encryption is already on. The only way to tell is to unencrypt, restart, and then check. But if you didn't have an Apple ID set to begin with, does that mean that option is automatically disabled?

So the solution is to remove my Apple ID, then turn FileVault 2 on, then add the Apple ID again? Is there any way to be sure that the option hasn't automatically been ticked again after I add the Apple ID once FileVault 2 is on (as the ability to see what that option is set to disappears once FileVault 2 is on)?

SoldOnApple
Oct 11, 2012, 08:26 PM
Oh, the option is toggled off now. It may have just been a quirk. I'll restart again and see if it stays off.

Weaselboy
Oct 12, 2012, 03:46 PM
> The option disappears with FileVault 2 turned on, so once it's on there is no way to check what that option is set to once encryption is already on. The only way to tell is to unencrypt, restart, and then check. But if you didn't have an Apple ID set to begin with, does that mean that option is automatically disabled?
>
> So the solution is to remove my Apple ID, then turn FileVault 2 on, then add the Apple ID again? Is there any way to be sure that the option hasn't automatically been ticked again after I add the Apple ID once FileVault 2 is on (as the ability to see what that option is set to disappears once FileVault 2 is on)?

If you are not using the AppleID for password recovery there is no need to add your AppleID there at all that I can see.