It's the back end of having sold millions of devices attached to a cloud. Apple would need a separate division solely devoted to helping out the million or so a year who lock themselves out.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Losing Two-Factor Recovery Key Could Permanently Lock Apple ID
- Thread starter MacRumors
- Start date
- Sort by reaction score
It would be great if people who complain about too much or too little security could then also propose how the problem should be fixed in their opinion. For example, what should Apple have done in this case?
"Oh, you lost your key? Well, we trust you to be who you say you are, so we unlocked your account. Your new password is 'password'. Have a good day, sir." Something like that?
Some years ago, I forgot the password for my account at work. Three mistypes - locked out forever. We didn't have a local IT support, so I had to scan in my name badge and some ID document (driver's license, passport, etc.) and I had to fax(!) it to the IT support to prove my identity. After a couple of hours, they called me and gave me a new password over the phone. Is that an acceptable process? Or will people complain then that they had to provide sensitive documents to Apple?
"Oh, you lost your key? Well, we trust you to be who you say you are, so we unlocked your account. Your new password is 'password'. Have a good day, sir." Something like that?
Some years ago, I forgot the password for my account at work. Three mistypes - locked out forever. We didn't have a local IT support, so I had to scan in my name badge and some ID document (driver's license, passport, etc.) and I had to fax(!) it to the IT support to prove my identity. After a couple of hours, they called me and gave me a new password over the phone. Is that an acceptable process? Or will people complain then that they had to provide sensitive documents to Apple?
The problem is that Owen hadn't forgotten his password - he knew his password. Someone else had locked him out of his account.
Apple is in the wrong here. They need to make it clearer - or allow you (via email, maybe) to reset the "lock" on your own account. That would be the most sensible thing to do. How hard is it to send an email: "You have been locked out of your account, please click here to reactivate it."
----------
Again, he didn't forget his password. Apple says you need two pieces of info, he had his password, and he had a trusted device. However once someone has locked you out of your own account, you *need* a recovery key because of Apple's flawed process. Apple don't tell you that.
What did we learn? Don't lose your recovery key. I have mine in Notes. Since my iPhone and iPad are locked with a pass code, and both of my Macs are setup with File Vault, no one will be able to (easily) get into my devices and discover the recovery keys to my Apple IDs. I also labeled the note containing the keys with a totally random title so that anyone who sees the recovery keys has no idea what they're looking at. Apple takes our security seriously, but why is it that a lot of Apple's customers don't? Laziness and ignorance will bite you in the ass eventually.
And if Apple were more lenient and gave him the recovery key, your post would bash Apple for having poor security. Because you're part of the anti-Apple herd mentality where every decision Apple makes is wrong, even if it would be the right decision by another company.
Instead of waiting for the site to ban you, why not ban yourself from this site?
If they lock your account, it doesn't matter if you downloaded purchases or stored in the cloud. Once the account is locked, they will eventually deauthorize your computers and the purchases will no longer be able to be used except for your music of course.
I know this from past experience. I once had an account with thousands of TV show purchases and over 100 movies purchased. They locked it and after several months, the computer was deauthorized by Apple and all my purchases no longer worked.
I wouldn't fret too much over it... People on here are 'ray of sunshine'. They will always find a way to turn things around and blame it on everyone else, except their own stupidity or laziness or ineptness or irresponsibility....
Reminds me of the woman who sued McDonald's for serving her 'hot coffee'... apparently it was McDonald's fault for serving her 'hot coffee', which was too hot...
Did you even read the article to see what his issue was? According to the article Apple's documentation says you can use a trusted device to unlock. That documentation is apparently wrong.
The solution has been pointed out numerous times already. He had two factors of his authentication, and Apple never states anywhere that you will need anything else. There is no reason they need to permanently lock your password if the wrong one is entered too many times. Locking for a few hours to a couple of days is more than secure enough to prevent brute force hacking.
With the system the way it is, all someone needs to do to make life really inconvenient for a lot of people is write a script that tries random Appleid's and purposefully exceeds the password attempt limit. They could wreak havoc because in the real world, most people will have trouble accessing their keys quickly, and as far as Apple's documentation states, they only need two factors, of which they actually have them!
The root of the issue is that Apple either needs to change the wording of their documentation or the way password lockout is handled, perhaps both.
Actually it might do you good thread up on the McDonald's case. You might be surprised how it wasn't such a black and white issue. One point was that the coffee coming from that store was particularly hotter than coffee from other stores.
I know it is fun to use it as an example. But you can't usually boil issues down to one or two sentences and expect to do the issue justice.
Actually, I want to remind other readers that this was an article about the journalist himself. I am always suspect when the writer writes about himself and treats it like he is interviewing someone impartially. It is much more of an opinion piece for my taste.
They didn't know it was you. You should applaud them for not randomly wiping your data from some hearsay anonymous phone call.
Seriously? If I forget my password or get locked out of my ONLINE BANKING I can call up and provide some basic info proving who I am and have a password reset. I don't forfeit all my money in my account.
If you can provide enough info to basically steal your own identity anyway, they should be able to reset your acct.
Maybe you misunderstand, even if they had verified my identity they could not have deleted the data. They also said that if the iTunes match got charged (it was due to happen in a day or two) they would not be able even to refund me because they cannot do that if an account is locked !
Everything you say, sounds like good positive things.
I wouldn't want some stranger calling in, social engineering, and resetting my Match data or CC charges.
While reading of instances like this may give some cause for concern, I would rather secure my recovery key in several manners, versus not having two-step turned on and taking the risk of someone hacking into my account.
