Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Losing Two-Factor Recovery Key Could Permanently Lock Apple ID
- Thread starter MacRumors
- Start date
- Sort by reaction score
If you have security policies that are too rigid and strict, people won't want to use them properly.
I stopped using Apple's two factor auth because the limitations of it are just too scary - other companies like Google, Dropbox and Microsoft have better systems in place.
Exactly. You'll find various references like that all over the Apple ID website, telling you what should happen, but they neglect to tell you about fringe cases.
I am definitively not responsible for MR's editing policies. Its just a shame to see an excellent resource reposting cheap sensations.
Apple advised to keep the key in a safe place and not on any of your Apple hardware attached to your Apple ID.
How is this a Rumor? This site is MacRumors. An article about how you should keep your Recovery Key safe and secure belongs on MacAdvice! Why was it posted here? I want a refund of my subscription!
Just kidding. I know that MacRumors is a "Get" site, and that it sometimes posts words to the wise that aren't strictly rumors. I'm just making fun of all the other "how is this a rumor" comments from people who thing Mac Rumors shouldn't post news or anything else that isn't a pure rumor.
Just kidding. I know that MacRumors is a "Get" site, and that it sometimes posts words to the wise that aren't strictly rumors. I'm just making fun of all the other "how is this a rumor" comments from people who thing Mac Rumors shouldn't post news or anything else that isn't a pure rumor.
I've got several accounts with two factor authentication (Apple, Microsoft, Google) and make sure I keep copies of the recovery keys as below
1) Encrypted PDF in Dropbox
2) Encrypted PDF in Evernote
3) Encrypted PDF in OneNote
4) Copy in LastPass
5) Copy in Keychain
Personally, I much prefer the security of "no key, no access" for locked accounts - it may be inconvenient and force the user to be more responsible, but if that's the price of a secure account, then so be it IMO
1) Encrypted PDF in Dropbox
2) Encrypted PDF in Evernote
3) Encrypted PDF in OneNote
4) Copy in LastPass
5) Copy in Keychain
Personally, I much prefer the security of "no key, no access" for locked accounts - it may be inconvenient and force the user to be more responsible, but if that's the price of a secure account, then so be it IMO
Two-factor Recovery….. is not recommended for reckless, disorganized, absent-minded, forgetful, or senile people.
I would never recommend this to like a 74-year-old grampa who is forgetful.
The old fool is a lot more likely to lose his passwords or recovery codes (thus locking himself out of his Apple account) before any hacker could successfully break into his account.
I would never recommend this to like a 74-year-old grampa who is forgetful.
The old fool is a lot more likely to lose his passwords or recovery codes (thus locking himself out of his Apple account) before any hacker could successfully break into his account.
This would be my worst nightmare. I just wish everything online could be unlocked using Touch ID instead of passwords...
Or perhaps not, 99.9999% of people will never know.
I could put together something totally secure, locked down, and tell people sorry they have lost their data, it's so secure it can't be broken into.
Does not mean I don't know a way if I REALLY wanted to.
So let's be 100% honest with ourselves here, None of us know how secure it is.
Only when say national security or same mass child raping terrorist is stalking the streets and access is needed to stop the killer, would a way be found to get into the supposed impossible data.
We only know, NOW, what we are being told publicly
This happened to me
This exact issue happened to me (lost my recovery key and account was locked out), and was fixed just today in fact (funny coincidence?).
So initially my two-factor enabled account was locked out by someone else trying to log into it too many times. Unlike simple accounts, two-factor accounts won't unlock after 8 hours, and actually have to have the passport reset. Where the issue arises is that Apple only ever says you have to have 2 or the 3 "keys" to regain access to your account:
1. Password
2. Trusted Device (or mobile number)
3. Recovery Key
However, if your account gets locked out, the iforgot website only gives you the option to enter the recovery key. There is a link under the box to enter it "Lost Recovery Key" which leads you to the two-part authentication support page. It lists that to reset your recovery key, you simply need to login to manage your apple ID and regenerate a new one. However this simply leads you back to a locked out account, which leads back to iforgot (a big loop).
I raised this issue with Apple Support back in July/August 2014 and over 15 calls and emails back and forth and 4 different senior support specialists they were still "looking into it". Finally I got tired of the lack of effort on their side to resolve my issue so I emailed them back (first week of December 2015), this time copying Tim Cook and Eddy Cue. It's surprising how much faster things moved after that. I received a phone call from a representative from the executive support team who hooked me up on a call with an Apple Engineer and another support specialist (they seem to have many levels of these).
Long story short, the Apple Engineer was able to "unlock" my account temporarily which allowed me to login to my Apple ID management account page and reset my account. I was able to use my existing password and a text message sent to my phone to resolve the two-step authentication part. The engineer was a bit of a dick about it and was blaming me for having lost the Recovery Key, but I don't see how thats my problem as they said I could use "any" 2 not my "Recovery Key" then "any" 2.
So there is hope if you think they can't do it. You might have to wait 3-4 months like me, but all is not lost
.
This exact issue happened to me (lost my recovery key and account was locked out), and was fixed just today in fact (funny coincidence?).
So initially my two-factor enabled account was locked out by someone else trying to log into it too many times. Unlike simple accounts, two-factor accounts won't unlock after 8 hours, and actually have to have the passport reset. Where the issue arises is that Apple only ever says you have to have 2 or the 3 "keys" to regain access to your account:
1. Password
2. Trusted Device (or mobile number)
3. Recovery Key
However, if your account gets locked out, the iforgot website only gives you the option to enter the recovery key. There is a link under the box to enter it "Lost Recovery Key" which leads you to the two-part authentication support page. It lists that to reset your recovery key, you simply need to login to manage your apple ID and regenerate a new one. However this simply leads you back to a locked out account, which leads back to iforgot (a big loop).
I raised this issue with Apple Support back in July/August 2014 and over 15 calls and emails back and forth and 4 different senior support specialists they were still "looking into it". Finally I got tired of the lack of effort on their side to resolve my issue so I emailed them back (first week of December 2015), this time copying Tim Cook and Eddy Cue. It's surprising how much faster things moved after that. I received a phone call from a representative from the executive support team who hooked me up on a call with an Apple Engineer and another support specialist (they seem to have many levels of these).
Long story short, the Apple Engineer was able to "unlock" my account temporarily which allowed me to login to my Apple ID management account page and reset my account. I was able to use my existing password and a text message sent to my phone to resolve the two-step authentication part. The engineer was a bit of a dick about it and was blaming me for having lost the Recovery Key, but I don't see how thats my problem as they said I could use "any" 2 not my "Recovery Key" then "any" 2.
So there is hope if you think they can't do it. You might have to wait 3-4 months like me, but all is not lost
.
"I had no idea where my recovery key was or if I'd ever even put the piece of paper in a safe place."
For that you deserve a medal for stupidity. I have a really good tip for you. Write the bloody key down somewhere. I'm glad this guy was locked out, serves him right.
For that you deserve a medal for stupidity. I have a really good tip for you. Write the bloody key down somewhere. I'm glad this guy was locked out, serves him right.
As far as I understand once your account gets locked only the recovery key will be able to unlock it, so if you lost the key you cannot unlock the account even if you have the password and the device.
Not sure about the phone number: I have it registered too but never had to unlock my account...
Just pulled out my safely stored recovery password printout and it states.
" Keep this printout stored in a safe place."
"If you lose your Recovery Key and forget your password, you will not be able to access your Apple ID. To learn more, visit https://appleid.apple.com/us."
Seem pretty straight forward.
" Keep this printout stored in a safe place."
"If you lose your Recovery Key and forget your password, you will not be able to access your Apple ID. To learn more, visit https://appleid.apple.com/us."
Seem pretty straight forward.
I was in the exact same situation as this guys last week....my account was locked, I had two of the three things needed but could still not access my account...........For me it was a little worse, I have iTunes match and an icloud storage plan.
When I became resigned to the fact that I had lost everything I asked them to cancel my iTunes match (which was about to renew) and my storage....their response was that they could not even do that !!!! Their only solution was to ask me to cancel my credit cards !!! I asked them to delete my data (200Gb of icloud storage) and they said they could not do that either but wanted time to look at it...............a few hours later i switched on the AppleTV and the recovery key floated across the screen ! It was a good job i think as a company refusing to delete 200Gb of my data, well there must be laws against that !!!
I still love apple though, and still have two step enabled !!
When I became resigned to the fact that I had lost everything I asked them to cancel my iTunes match (which was about to renew) and my storage....their response was that they could not even do that !!!! Their only solution was to ask me to cancel my credit cards !!! I asked them to delete my data (200Gb of icloud storage) and they said they could not do that either but wanted time to look at it...............a few hours later i switched on the AppleTV and the recovery key floated across the screen ! It was a good job i think as a company refusing to delete 200Gb of my data, well there must be laws against that !!!
I still love apple though, and still have two step enabled !!