
kepano (macrumors newbie, original poster), Dec 19, 2022
I had activated FileVault with a recovery key on my Mac. As a result, activating the option "Allow user to reset password using Apple ID" under "Users and Groups" had virtually no effect: even with this option activated, the Mac continued to offer only one password recovery function, namely via the FileVault recovery key.

Now I have newly activated "Allow iCloud to unlock FileVault". I expected that the option "Allow user to reset password using Apple ID" under "Users and Groups" would now be activated automatically, but this is not the case. I don't understand this, because in practice there is no separate FileVault password: after entering the user password, the FileVault decryption is started automatically, i.e. a FileVault recovery using iCloud should in practice also result in an iCloud recovery of the user password.

Can someone please tell me what the interaction of these two options is, or what happens in practice if "Allow iCloud to unlock FileVault" is activated but not "Allow user to reset password using Apple ID"?
Well, there really are two passwords. The password used to decrypt the drive is stored outside of the OS (where depends on T2/M-series or Intel) with a different hash value. So you need to fix that password before you can fix the OS copy of the password, as you need to decrypt the drive first.

Guessing for simplicity's (Apple's) sake, instead of having the Apple ID option when FV is on, you go back to restart and set up a new password from there: that changes the FV copy and then updates the OS copy. It also seems like a bit of a security hole to have Apple ID reset on a FV machine: a bit of a backdoor to bypass FV.
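To see the "two passwords" point from the reply above on a real volume, here is an added shell check (not from the thread or from Apple) that summarises the unlock methods recorded on the APFS system volume by parsing the "Type:" lines of `diskutil apfs listCryptoUsers /`: the login user, a personal recovery key and iCloud unlock each appear as a separate cryptographic user, i.e. a separately wrapped copy of the volume key. The report layout and the type names used here are assumptions about diskutil's output and may differ between macOS versions; the sample text is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises which unlock methods
# exist on an APFS volume from the "Type:" lines that
# `diskutil apfs listCryptoUsers /` prints (layout assumed, one "Type: ..."
# line per cryptographic user). Each type is an independent way to unwrap
# the volume key, which is why the login password, the recovery key and
# iCloud unlock can be reset independently of each other.

# Prints "<count> <type>" for each crypto-user type found on stdin.
crypto_user_summary() {
    sed -n 's/^[| ]*Type:[[:space:]]*//p' | sort | uniq -c | sed 's/^[[:space:]]*//'
}

# Succeeds (exit 0) when the given type, e.g. "iCloud Recovery User",
# is present in the diskutil text on stdin.
has_crypto_user() {
    grep -q "Type:[[:space:]]*$1\$"
}

# Constructed sample, shaped like the report for a Mac with FileVault on,
# a personal recovery key set and "Allow iCloud to unlock FileVault" enabled.
SAMPLE='Cryptographic users for disk1s1 (3 found)
|
+-- 11111111-2222-3333-4444-555555555555
|   Type: Local Open Directory User
|   External Key: No
|
+-- 66666666-7777-8888-9999-AAAAAAAAAAAA
|   Type: Personal Recovery User
|   External Key: No
|
+-- BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF
    Type: iCloud Recovery User
    External Key: No'

# On a real Mac, replace the sample with the live report:
#   diskutil apfs listCryptoUsers / | crypto_user_summary
printf '%s\n' "$SAMPLE" | crypto_user_summary
if printf '%s\n' "$SAMPLE" | has_crypto_user "iCloud Recovery User"; then
    echo "iCloud can unlock this volume independently of the login password"
fi
```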
Thank you very much. I have now tested it in the setup described initially (FV password change through iCloud switched on, user password change through Apple ID switched off), and in practice I can change the user password through iCloud (if I forget it).

I have now found a description in an Apple help article according to which activating "User password change through Apple ID" should not actually be possible when "FV change through iCloud" is activated (which would confirm my original assumption that these two settings should not differ). The fact that this possibility still exists looks to me more like a bug in macOS. Whether the setting "User password change through Apple ID" has any actual influence at all is still a mystery to me.

Allow user to reset password using Apple ID
Allow a user to change their password for this Mac at login by entering their Apple ID and password. To use this option, the user must have set up iCloud on this Mac. However, this option isn't available if FileVault is turned on and set to allow the user to reset their password at startup using their Apple ID.
