Losing Two-Factor Recovery Key Could Permanently Lock Apple ID

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,038
11,309



In March 2013, Apple introduced two-factor authentication to provide additional security for Apple IDs. It expanded the feature to several new countries earlier this year and introduced it to the company's iCloud.com website this September. This was after CEO Tim Cook promised to broaden use of its two-factor authentication system in the wake of a hacking incident that saw several celebrities' iCloud accounts hacked.

The system requires a user to have a second "trusted" device that is used to verify a user's identity in addition to an extra security code called the "Recovery Key". However, in a new account from The Next Web's Owen Williams, that Recovery Key also has the potential to completely lock a person out of their account if they're being hacked.

Williams found that someone had tried to hack his iCloud account. Apple's two-factor system kicked in and locked the account, denying entry to the would-be hacker while also denying entry to Williams. When he went to iForgot, Apple's account recovery service, he assumed that any two of his password, Recovery Key, or trusted device would unlock his account, as he was led to believe by an Apple Support document.
When I headed to the account recovery service, dubbed iForgot, I discovered that there was no way back in without my recovery key. That's when it hit me; I had no idea where my recovery key was or if I'd ever even put the piece of paper in a safe place. I've moved since I set up two-factor on iCloud.
Williams contends he took a screenshot of the Recovery Key and printed that out, as well as taking a photo on his iPhone to keep as a backup, but could not locate either and was on the verge of losing his "digital life". He called Apple customer support and was told that he had forfeited his Apple ID by losing his Recovery Key and that there was no way Apple could help him. He called back a second time.
When she got back on the line, the story was just as bleak. "We take your security very seriously at Apple" she told me "but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID."
After a couple more days of talking to Apple customer support and even friends who worked at Apple, he continued to receive the same responses: he was locked out of his account due to someone trying to hack into it and couldn't unlock it without a Recovery Key, even though Apple's support document says it's possible with a trusted device. Eventually, Williams located his Recovery Key in what he calls the "depths" of his Time Machine backup, allowing him to finally unlock his account.

Williams concludes with a warning that anyone with two-factor authentication should take far greater care in protecting and remembering where they store their Recovery Keys, as losing it could permanently lock a user out of their Apple ID with Apple unable to do anything to help. The entire account, which is a fascinating and worthwhile read, can be read at The Next Web.

Article Link: Losing Two-Factor Recovery Key Could Permanently Lock Apple ID
 

Goldfrapp

macrumors 603
Jul 31, 2005
5,047
6,861
It's been this way since day 1. Hello!

Since the password has been entered wrong multiple times (hence "forgotten", "hacked", "locked", "disabled", call it whatever you want), the system requires you to have the other 2 options:

recovery key + trusted device
 

Nevaborn

macrumors 65816
Aug 30, 2013
1,078
312
While I agree Apple needs to seriously look at their account recovery policies and that the website is inaccurate, they do make it very clear when setting up two-step verification how important your recovery key is.

So in this case both parties have a degree of blame attached to them, something that didn't come over when reading the article last night.
 

Rainbow Evil

macrumors member
May 13, 2014
43
42
UK
So is there any way to find out my recovery key now? I set up 2 factor a little while ago and don't know where/if I saved my recovery key, and it would be nice not to lose everything in the unlikely event a hacker cares about me for 1 second...
 

oceanwest

macrumors newbie
Sep 7, 2005
16
7
I would make a pdf of the recovery key and then add the pdf in to a Secure Note inside KeyChain and then another in a Secure Note inside 1Password.
 

leman

macrumors G4
Oct 14, 2008
11,513
6,012
I am also confused how this is news. Apple explicitly states that losing the key will make the recovery impossible. And anyway, do you want secure accounts or not? If yes, then you are personally responsible for your stuff. Putting this silly article on MacRumours is entirely pointless.
 

AppleTools

macrumors member
Dec 12, 2009
71
7
That's what passwords are for, aren't they? Protect your accounts...

At the end your account wasn't hacked and you found the recovery key secured "In the deeps of your time machine" where it was supposed to be... so why didn't you look in your backup before making a scandal?

Please spare us from your foolishness and keep it to yourself...
 

Michael Scrip

macrumors 603
Mar 4, 2011
5,892
6,106
NC
So is there any way to find out my recovery key now? I set up 2 factor a little while ago and don't know where/if I saved my recovery key, and it would be nice not to lose everything in the unlikely event a hacker cares about me for 1 second...

I haven't set up two-factor on my Apple account... but don't they make it VERY clear that you should NOT lose your recovery key? Did you simply ignore that?

All the other services that I use two-factor on have some pretty strong language upon signup. Basically they say:

"Don't f--- up... don't lose your keys..."

I hope Apple can help you.

I am also confused how this is news. Apple explicitly states that losing the key will make the recovery impossible. And anyway, do you want secure accounts or not? If yes, then you are personally responsible for your stuff. Putting this silly article on MacRumours is entirely pointless.

Yep... those are my thoughts exactly.

If you're gonna add extra security to your Apple account... you need to be extra responsible with the recovery keys.
 

Rigby

macrumors 603
Aug 5, 2008
5,307
6,447
San Jose, CA
So is there any way to find out my recovery key now? I set up 2 factor a little while ago and don't know where/if I saved my recovery key, and it would be nice not to lose everything in the unlikely event a hacker cares about me for 1 second...
You can create a new recovery key at appleid.apple.com under "Password and Security".
 

Block

macrumors 6502a
Jun 28, 2007
843
1
So if you put this key in something like 1Password, would it be a better idea to sync 1Password with Dropbox instead of iCloud?
 

Cloudsurfer

macrumors 65816
Apr 12, 2007
1,297
332
Netherlands
How is this news? Everyone with FileVault enabled knows the importance of storing your recovery key in a safe place. iCloud is no different. You want security or not?
 

psimac

macrumors member
Jan 22, 2011
41
39
Kirkland, WA
So is there any way to find out my recovery key now? I set up 2 factor a little while ago and don't know where/if I saved my recovery key, and it would be nice not to lose everything in the unlikely event a hacker cares about me for 1 second...

I think you can login into your AppleID and generate a new recovery key.
 

Apple blogger

macrumors 6502a
Feb 28, 2013
872
146
Ok how about this.. When we go for the 2 step verification, and register the device.. The recovery key could be our fingerprint.. It makes sense.. The fingerprint never leaves the chip.. If we forget our password or if we are hacked all we need is our fingerprint and the registered device which has our fingerprint info... So some algorithm would just use the fingerprint from the chip, without giving it away.. And we would have a recovery key all the time..

But only 1 issue, a big one:
suppose we lost our device.. We will lose the key.. Cause the fingerprint info was on the device and that device was registered

In that case, we should have 2 registered devices which have our fingerprint info... It's a good thought for a start.. Could work if someone polished the idea...
 

swingerofbirch

macrumors 68040
Almost all the posts in here are incorrect about the purpose of the Recovery Key.

The Recovery Key is required if you forget your Apple ID password or lose access to a trusted device.

According to this article, the person in question knew his password and had a trusted device. He shouldn't have needed the Recovery Key.

The only thing Apple says about an account being compromised is that you need to reset your Apple ID password. And it says nothing about needing a Recovery Key to do that.
 

iLeoMarc

macrumors regular
Jul 22, 2007
229
21
Two-Factor Authentication is just that:
A user will need 2 out of the 3:
1. Password
2. Device
3. Recovery Key

The name of the service describes it. The recovery key is as important as each of the other 2 legs. You shouldn't activate Two-Factor Authentication thinking you can throw away the recovery key.

A pro tip though: I also added a phone number to the Device Leg of my account. That way, if a phone breaks, is lost or stolen, you will still have access to Leg #2. A newly activated SIM card from your service provider can quickly be used.
 

ironman159

macrumors regular
Aug 30, 2008
193
0
Costa Rica
Shocker. When I activated 2-step verification and saw how SERIOUS Apple was about me losing my Recovery Key I printed out 3 copies and put them in each one of my closest relatives' bank deposits.

I think Apple is pretty clear about how important your key is. Nothing new here.
 

Rigby

macrumors 603
Aug 5, 2008
5,307
6,447
San Jose, CA
Two-Factor Authentication is just that:
A user will need 2 out of the 3:
1. Password
2. Device
3. Recovery Key

The name of service describes it.
Except that it apparently doesn't work that way if Apple decides to lock your account due to hack attempts. In that case you have to have the recovery key, even if you have the 2 other factors. I think it is a bit draconian to permanently lock the account like that, given the value attached to it (you could lose not only your iTunes purchases, email, cloud documents etc., but also effectively brick your devices if you use Find my iPhone and need to restore a device for some reason).

They could perhaps release the lock after 48 hours, or unlock the account if you supply password, trusted device, and some additional verification (like showing a photo ID at an Apple store or sending a verification code to an alternate email address).
 