I am still on 2-step because I like being able to restore access using the recovery key in case I lose all trusted devices, whereas with 2-factor you have to go through a lengthy process with Apple support. But I'm reconsidering this now due to the safer icloud.com login ...

You can add multiple trusted devices for recovery so you don't get locked out. You can even add your home landline phone. I also added my daughter's SMS number so I can always call her and get a code that way as a last resort.
 
You can add multiple trusted devices for recovery so you don't get locked out. You can even add your home landline phone. I also added my daughter's SMS number so I can always call her and get a code that way as a last resort.
I know, but my nightmare scenario is that my bag gets stolen while traveling and I lose all trusted devices at once, and then it'd take me days to gain access again through Apple support. I really hate that they don't give you a recovery key anymore for 2-factor, not even as an option ...

PS: A "landline phone"? What's that? ;)
 
I know, but my nightmare scenario is that my bag gets stolen while traveling and I lose all trusted devices at once, and then it'd take me days to gain access again through Apple support. I really hate that they don't give you a recovery key anymore for 2-factor, not even as an option ...

PS: A "landline phone"? What's that? ;)
That is why I added my daughter's SMS as a backup. You could even add a Google Voice number to get an SMS there if you want.

I have landline pretty cheap with Ooma.
 
That is why I added my daughter's SMS as a backup. You could even add a Google Voice number to get an SMS there if you want.
OK, I just switched to the new two-factor scheme. And I still see the "find my iPhone" button on icloud.com without having to enter a verification code. So it does NOT protect against bad guys locating and locking your devices if they have your password. Now I regret switching from two-step, since there is no way back. :(
 
OK, I just switched to the new two-factor scheme. And I still see the "find my iPhone" button on icloud.com without having to enter a verification code. So it does NOT protect against bad guys locating and locking your devices if they have your password. Now I regret switching from two-step, since there is no way back. :(
There is a way back. Turn off 2-factor then you can use the 2-step again. Of course you have to wait a few days because it makes you update your security questions again and Apple sees that as suspicious.
 
In some cases, not even two step can protect you.

Youtuber Boogie2988 had his accounts hacked because someone stole his phone number thanks to Verizon.
How does one get their phone number stolen? That isn't exactly a common scenario that is a mark against two step verification.
OK, so help me understand. If I have this on and lose my device, how can I log into iCloud and find my phone to locate the device? Case in point, my son passed and his "friends" stole his devices. I was able to get into his iCloud acct and lock them AND find them since I did have access to his email and was able to reset his AppleID. How would one accomplish this if 2-factor was on since logging into iCloud requires an auth code?
Also there is an option to call the phone with the code so again, you lose your device and someone hacks your account and tells the 2-factor to call you with the code. They answer the phone call (no TouchID or unlock required) and get the code, login to iCloud and remove the lock on the device. I played with it some today and can't wrap my head around the inconvenience vs the potential issues it can cause. Seems your main phone# is automatically on and you can add additional so if you add additional # does that take the place of the main one?

No, 2-factor does make you enter the code to even login to iCloud.com. Hence my question above. Other question is my Windows PC with iCloud is listed as a trusted device but can't seem to get any code there so yeah what if you do only have 1 apple device, what then?
Apple allows you to make back up codes when you enable two step authentication that you can use in the event that something like that happens in place of verifying with a phone number. They're emergency codes if you don't have access to your phone. You'll want to keep those codes in a safe place.
 
How does one get their phone number stolen? That isn't exactly a common scenario that is a mark against two step verification.
Apple allows you to make back up codes when you enable two step authentication that you can use in the event that something like that happens in place of verifying with a phone number. They're emergency codes if you don't have access to your phone. You'll want to keep those codes in a safe place.
Yeah, that's for 2-step. I was referring to 2-factor where the recovery codes are no more. Only thing I can figure out is to add my wife's number or Google number as the telephone and go through that way. Not sure if it's worth the hassle actually.
 
1) Hold Command+R when the computer boots
2) Choose your Time Capsule device
3) Restore
4) ??????
5) Profit!!!
 
There is a way back. Turn off 2-factor then you can use the 2-step again.
Are you sure? I thought the option to use 2-step went away for new users when they introduced 2-factor!?
Of course you have to wait a few days because it makes you update your security questions again and Apple sees that as suspicious.
Yeah, I'll leave it alone for a while at least. I can't afford getting my account locked.

It would be really nice if Apple could (1) allow using standard TOTP code generators and (2) provide a recovery key again for 2-factor. But of course, Apple wouldn't be Apple if they used the standards that everyone else is using. They have to make everything extra convoluted. :rolleyes:
 
OK, I just switched to the new two-factor scheme. And I still see the "find my iPhone" button on icloud.com without having to enter a verification code. So it does NOT protect against bad guys locating and locking your devices if they have your password. Now I regret switching from two-step, since there is no way back. :(

Just to back up what Rigby is saying. I've tried this with both 2-step and 2-factor, and you can always bypass the verification/authentication step simply by clicking the Find My iPhone button at the bottom of the page (it's under "Need to find your device? Get quick access to:").

So someone just needs your email address and password to be able to remotely lock your phone. Enabling 2-step or 2-factor does not protect you from this. :(
 
Are you sure? I thought the option to use 2-step went away for new users when they introduced 2-factor!?
Yeah, I'll leave it alone for a while at least. I can't afford getting my account locked.

It would be really nice if Apple could (1) allow using standard TOTP code generators and (2) provide a recovery key again for 2-factor. But of course, Apple wouldn't be Apple if they used the standards that everyone else is using. They have to make everything extra convoluted. :rolleyes:
Yeah, I did it the other day. Tried 2-factor and decided to try 2-step and get the recovery key. So turned off, then the 2-step option was there again. I tried it but it said to check back on x date since a password or questions were changed they had to wait like 3 days or something. From what I have read, the 2-factor is the best though.
 
Yeah, that's for 2-step. I was referring to 2-factor where the recovery codes are no more. Only thing I can figure out is to add my wife's number or Google number as the telephone and go through that way. Not sure if it's worth the hassle actually.
My bad. I always get the two confused.


Just to back up what Rigby is saying. I've tried this with both 2-step and 2-factor, and you can always bypass the verification/authentication step simply by clicking the Find My iPhone button at the bottom of the page (it's under "Need to find your device? Get quick access to:").

So someone just needs your email address and password to be able to remotely lock your phone. Enabling 2-step or 2-factor does not protect you from this. :(
No, they can't log into your iCloud page to do this without verification. So yes, it DOES protect you from this absolutely. Any new device requires authentication regardless of which method you choose to use. Either SMS only or device verification. When you have either of these on, people can't just log into your e-mail to access your Find My iPhone settings. So you are protected. If you don't have two step or two factor on, then yes ... someone can log in with your e-mail and password and access your Find My iPhone settings. So it's imperative that you use one of these two security options for your Apple ID.
 
It could be entered as kitqwer158xkwpogi.

But actually, that's only relevant if someone is specifically after _you_. These criminals wouldn't bother with anything that requires them answering security questions. They break into some website run by criminally incompetent people, steal account names and passwords, crack them, and then they try these names as AppleIds + passwords.

So what puts you at risk is having an AppleID with a password that is guessable, or using the same password at a website that is run by incompetents.
And a simple solution would be to NEVER use your Apple ID password anywhere else.
 
No, they can't log into your iCloud page to do this without verification. So yes, it DOES protect you from this absolutely. Any new device requires authentication regardless of which method you choose to use. Either SMS only or device verification. When you have either of these on, people can't just log into your e-mail to access your Find My iPhone settings. So you are protected. If you don't have two step or two factor on, then yes ... someone can log in with your e-mail and password and access your Find My iPhone settings. So it's imperative that you use one of these two security options for your Apple ID.

globalmatt and Rigby are correct and I was wrong. When I was discussing this with Rigby earlier, I thought he was saying the same thing... that is logging in to the iCloud account to make FMM changes. I have 2FA on and playing with it this morning I see what Rigby means.

If you go to icloud.com in an untrusted browser and enter your AppleID and password you get this screen asking for a six digit code that was sent to your trusted device (like an iPhone). If you just ignore that and click Find my iPhone at the bottom it takes you straight to the FMM screen where you can select a device and lock it down. No 2FA verification code is needed.

I guess it makes sense if you think about it. If your iPhone is stolen you would not have the trusted device to receive the code, so would need to be able to login to FMM without it.

@Rigby > I apologize for the confusion I caused yesterday. :oops:

 
globalmatt and Rigby are correct and I was wrong. When I was discussing this with Rigby earlier, I thought he was saying the same thing... that is logging in to the iCloud account to make FMM changes. I have 2FA on and playing with it this morning I see what Rigby means.

If you go to icloud.com in an untrusted browser and enter your AppleID and password you get this screen asking for a six digit code that was sent to your trusted device (like an iPhone). If you just ignore that and click Find my iPhone at the bottom it takes you straight to the FMM screen where you can select a device and lock it down. No 2FA verification code is needed.

I guess it makes sense if you think about it. If your iPhone is stolen you would not have the trusted device to receive the code, so would need to be able to login to FMM without it.

@Rigby > I apologize for the confusion I caused yesterday. :oops:


A quick question:
Even with the 2FA, what if somebody logged into the Find My iPhone app from any iDevice and locked your devices?

I think all the Find My iPhone app requires is just the Apple ID and password and you can control all the devices.
 
A quick question:
Even with the 2FA, what if somebody logged into the Find My iPhone app from any iDevice and locked your devices?

I think all the Find My iPhone app requires is just the Apple ID and password and you can control all the devices.
Yep... I just checked on my iPhone and I can login to the app and lock whatever I want. So if someone had your iPhone, and your iPhone passcode, and your AppleID password, they could lock down other devices.
 
Yep... I just checked on my iPhone and I can login to the app and lock whatever I want. So if someone had your iPhone, and your iPhone passcode, and your AppleID password, they could lock down other devices.

In my opinion, if you're ever locked out of your device, then the first thing would be to use a different device to log in to Find My iPhone and remove your device. Not sure if putting a device in lost mode can be undone.

Next is to rush to https://appleid.apple.com/en_NL/ and change your password.
 
Then back to the original point: don't use your Apple ID password anywhere else, and it must be complex enough. That's always the best ever way to protect your account.
 
If you go to icloud.com in an untrusted browser and enter your AppleID and password you get this screen asking for a six digit code that was sent to your trusted device (like an iPhone). If you just ignore that and click Find my iPhone at the bottom it takes you straight to the FMM screen where you can select a device and lock it down. No 2FA verification code is needed.
Yes. At least this issue is mitigated by three things:

1) You do get push notifications and email alerts if someone uses an untrusted browser to log in. So at least nobody can surreptitiously track your location without you knowing.
2) Besides using Find my iPhone and removing credit cards from Apple Pay, there isn't much the bad guy can do on icloud.com without verification code. Most importantly, they cannot change the password and lock you out of your account.
3) I did some testing today (put a spare iPhone in lost mode), and it is possible for the real owner to unlock the device on icloud.com (for this you do need a verification code).

So, if some hacker in China somehow gains access to your password and locks your phone, you can always unlock it yourself on icloud.com as long as you can still receive verification codes via some other device. Since the hacker can lock all your registered iOS devices, it's important to have some backup way to receive codes that does not require one of your own iOS devices ...
@Rigby > I apologize for the confusion I caused yesterday. :oops:
No worries. I'm actually beginning to like the new 2-factor scheme. I found that the verification codes that you can get in the iOS settings are actually offline codes, i.e. it still works if you have no data connectivity (which can come in handy if you need to log on to a computer while traveling internationally). I still wish it had a recovery key like the 2-step scheme though for peace of mind. I read somewhere that it can take up to 2 weeks to get back into an account with 2-factor if you lose access to all your trusted devices ...
 
How does one get their phone number stolen? That isn't exactly a common scenario that is a mark against two step verification.

In this case the network were tricked into transferring the number to a different phone.

Two step is better than just a password, but it shouldn't be treated as a panacea to prevent hacks and needs to be used in conjunction with other options, e.g. not allow a password change unless it's confirmed first (unlike most scenarios I've seen where you can only do something after a hack).
 
Who's to say 1Password can't be hacked, gaining someone access to all your passwords at once?

They would have to physically compromise my machine first (there's an option to store on something like Dropbox but you can keep it completely local if you'd like) and then they'd have to break the very strong password I have to decrypt the database. If that's a concern for you then you're better off just staying off any network and building a Faraday cage in your home.
 