I kinda feel his pain.

A few years back when PSN got hacked and forced me to change my password, they sent the email to my Gmail account. Then Gmail said my password is not correct even though it is. I gave them everything to verify the account and I am still locked out.

Lost all the trophies and friends......
 
It's a timely reminder for everyone to back up their recovery keys. Don't just store it in one location. If you save it in a PDF or text document on your computer maybe your hard drive will die. If you only print one copy maybe your house will burn down!

Back up back up back up!
 
I never thought I’d see the day when a MacRumors discussion thread would have almost unanimous agreement that the user in question has no legitimate complaint against Apple.

The security paranoia is coming home to roost for some. Those with security OCD have been pounding away at Apple for better security. Well, you have it in spades now. Deal with it.
 
Um Duh

That's the whole point of two factor authentication. If they said, ok you don't have your recovery key but we'll just reset it for you over the phone anyway, that means that anyone could do that and thus there would be 0 security.

Ultimately this 'article' shows the system is working perfectly and the user disregarded the instructions required for using this enhanced security. If they are incapable of keeping the recovery key, then they shouldn't enable this extra level of security, which is exactly what it says when you enable it.

While MacRumors is full of link baiting and dumb articles on slow news days, this seems a little too dumb even for them. More likely the article was planted by Apple to get people to ultimately say that Apple security is working well.
 
I have this problem!

I was physically robbed of my iPhone and wallet once. The iPhone was the trusted device, and per the suggestion on the recovery key creation page "put it in a safe place like your wallet"... well, now I am locked out of two-factor authentication and cannot change my password or make new purchases (OR change the e-mail on the account, meaning I can't re-use my primary e-mail on another account).

I can however still access the media (iTunes/App Store).

This means that if someone figures out my password they would be able to access my media (and iCloud in certain ways), but I would not be able to change the password!

Worst is I have years of music/app purchases on that account dating back to the original iPhone.

I had to make a new one :(

Of course I realize I should have put a copy somewhere else, and that's my bad. But the turn of events leaving the account LESS secure due to two-factor authentication seems like a flaw in the design.

EDIT: Less secure meaning anyone who compromises the password has access and the password can not be changed, this doesn't have to be the person with the recovery key!
 
That's the whole point of two factor authentication. If they said, ok you don't have your recovery key but we'll just reset it for you over the phone anyway, that means that anyone could do that and thus there would be 0 security.

Ultimately this 'article' shows the system is working perfectly and the user disregarded the instructions required for using this enhanced security. If they are incapable of keeping the recovery key, then they shouldn't enable this extra level of security, which is exactly what it says when you enable it.

While MacRumors is full of link baiting and dumb articles on slow news days, this seems a little too dumb even for them. More likely the article was planted by Apple to get people to ultimately say that Apple security is working well.

Reading comprehension FTL. :rolleyes:
 
I have two factor authentication set up on both of my iCloud accounts (the wonderful world of MobileMe making me set up a new AppleID), the recovery key is written down inside my passport, on a sheet of paper in my wallet and another copy is stored with my parents. I would also have a safe deposit box, were they not slowly vanishing as an option in the UK.

It isn’t difficult to lose this information, so it makes sense to make several secure copies of it. Redundancy is a benefit in this situation after all.
 
I haven't set up two-factor on my Apple account... but don't they make it VERY clear that you should NOT lose your recovery key? Did you simply ignore that?

Yes, after they show it to you, they make you type it to verify that you have it correctly. It's 12 or 16 characters (I don't remember which), and says that if you lose it there is no way for Apple to recover it.

This is a non-story that has been posted.

----------

I was physically robbed of my iPhone and wallet once. The iPhone was the trusted device, and per the suggestion on the recovery key creation page "put it in a safe place like your wallet"... well, now I am locked out of two-factor authentication and cannot change my password or make new purchases (OR change the e-mail on the account, meaning I can't re-use my primary e-mail on another account).

I can however still access the media (iTunes/App Store).

This means that if someone figures out my password they would be able to access my media (and iCloud in certain ways), but I would not be able to change the password!

Worst is I have years of music/app purchases on that account dating back to the original iPhone.

I had to make a new one :(

Of course I realize I should have put a copy somewhere else, and that's my bad. But the turn of events leaving the account LESS secure due to two-factor authentication seems like a flaw in the design.

It's not less secure. You had the authentication stolen. Putting it in your wallet is NOT a safe place.
 
How would one find out if a recovery key has been generated for their Apple ID? Is it a universal process, part of initial setup?
 
While I agree Apple needs to seriously look at their account recovery policies and that the website is inaccurate, they do make it very clear when setting up two-step verification how important your recovery key is.

So in this case both parties have a degree of blame attached to them, something that didn't come over when reading the article last night.

Specifically, which part of this scenario can be blamed on Apple?
 
I can tell you as a former Apple employee who worked directly in the department that handles these kinds of issues...
If this is true, the rest of your quote points directly to why there is a problem.
...it is completely normal that if numerous attempts to access your account are made and unsuccessful that the account will be locked automatically for the protection of the account holder.
This makes sense. I 100% agree.
You will have to enter your recovery key to move any further as Apple is correctly assuming that if your password has been compromised your trusted device may have been also.
This is where you and I diverge in opinion. If numerous incorrect attempts are made to access your account, wouldn't the natural assumption be your password has not been compromised? Further, how is the leap in logic made to assume your trusted device might be compromised as well?:confused: 5 bad attempts... welp, trusted devices probably bad too. Hmmm. Not logical.
This article also makes Apple's security look bad when it is actually working as advertised. This is the fault of the user and not Apple.
As advertised, the security says you need 2 out of 3 factors to access your locked account. It doesn't say the RK has to be one of them. Also, Apple provides an avenue for remedy if you forget your RK. If Ksix's post 63 is accurate, that remedy is an infinite loop (intended) of frustration. You should read post 63.

I personally think the fault lies with both parties. The user primarily, since it's his responsibility to keep his Recovery Key. Apple for providing a remedy that really isn't a remedy. A lot of the posts I've read conveniently overlook the fact that the guy 1. Had his password and 2. Had trusted devices. That should have been enough to regain access to his account... at least according to this:

As long as you remember your Apple ID password and still have access to one of your trusted devices, you can sign in and create a new Recovery Key.
 
What!!????

You mean if you lose the thing Apple warns you NOT to lose or you will be unable to access your account, you will be unable to access your account? WTF? :D
 
Specifically, which part of this scenario can be blamed on Apple?

Read Apple's page on two-factor authentication here. http://support.apple.com/en-us/HT202649

Exactly where on that page does it address the situation where you have not forgotten your password, merely that the password has been locked because a hacker or someone else has tried your password too many times?

Again, locking the password component permanently is NEVER addressed, and offers effectively no additional security over a temporary lock which is sufficient to thwart brute-force attacks.
 
If this is true, the rest of your quote points directly to why there is a problem.

This makes sense. I 100% agree.

This is where you and I diverge in opinion. If numerous incorrect attempts are made to access your account, wouldn't the natural assumption be your password has not been compromised? Further, how is the leap in logic made to assume your trusted device might be compromised as well?:confused: 5 bad attempts... welp, trusted devices probably bad too. Hmmm. Not logical.

As advertised, the security says you need 2 out of 3 factors to access your locked account. It doesn't say the RK has to be one of them. Also, Apple provides an avenue for remedy if you forget your RK. If Ksix's post 63 is accurate, that remedy is an infinite loop (intended) of frustration. You should read post 63.

I personally think the fault lies with both parties. The user primarily, since it's his responsibility to keep his Recovery Key. Apple for providing a remedy that really isn't a remedy. A lot of the posts I've read conveniently overlook the fact that the guy 1. Had his password and 2. Had trusted devices. That should have been enough to regain access to his account.

It appears, that if the wrong password is entered one too many times, Apple is going to assume someone is trying to hack the account. And it is at that point, that one needs to make use of the RK, unless I have misunderstood.

I do think that Apple should revamp their material to make it more accurate and clear.
 
Just made a new recovery key cause I realized I didn't even have my old one.

Then I went to open my laptop box and found the print-out ><
 
It's not less secure. You had the authentication stolen. Putting it in your wallet is NOT a safe place.

You don't need the recovery key to access the account, only the password. If the password was compromised it could not be changed. This seems less secure regardless of anyone having the recovery key.
 
Quoted in case anyone needs their recovery key, and watches TV. Or, you know, lives in a house with other people...


I was in the exact same situation as this guy last week....my account was locked, I had two of the three things needed but could still not access my account...........For me it was a little worse, I have iTunes match and an iCloud storage plan.

When I became resigned to the fact that I had lost everything I asked them to cancel my iTunes match (which was about to renew) and my storage....their response was that they could not even do that !!!! Their only solution was to ask me to cancel my credit cards !!! I asked them to delete my data (200Gb of iCloud storage) and they said they could not do that either but wanted time to look at it...............a few hours later I switched on the AppleTV and the recovery key floated across the screen ! It was a good job I think as a company refusing to delete 200Gb of my data, well there must be laws against that !!!

I still love Apple though, and still have two step enabled !!
 
Clickbait

The entire account is neither fascinating nor a worthwhile read. Basically the guy admits that he went on a Twitter rampage because he lost his key and blamed Apple for being as secure as they said they would. He is still bitter even after he found his key via Time Machine (ironically he didn't praise Apple for Time Machine!)

The whole thing is click bait. Apparently MacRumors has sunk so low as to post click bait. Sad. Sad. Sad.
 
If someone wants to post nude photos of me, let them. I disabled two-factor this week....not worth the trouble.
 
So Apple has no "customer service" way of verifying a user and then letting them in? I would think that two factor authentication works as designed, but there should always be an option for a legit user to call Apple Support and go through a rigorous verification process to identify themselves and get back their access.
 
I remember when I signed up for this, it was CLEARLY written. Gotta be careful with this stuff.

 
Just realised that I couldn't recall my recovery key either. Just requested a new one and recorded it, just to be safe.

Thanks for putting up this article - it at least raised some awareness of the safeguards we need to have. :)
 
I've had an Apple ID for about 8 years now, I've never been prompted to create this thing.
 