You don't need the recovery key to access the account, only the password. If the password was compromised it could not be changed. This seems less secure regardless of anyone having the recovery key.

That's why you should have multiple trusted devices (as recommended by Apple)

Which SMS numbers should I verify for my account?
You're required to verify at least one SMS-capable phone number for your account. You should consider verifying all SMS-capable phone numbers that you normally use with your iPhone or another mobile phone. You should also consider verifying an SMS-capable phone number used by someone close to you, such as a spouse or other family member. You can use this number if you're temporarily without access to your own devices.

you could then reset your recovery key and remove the stolen phone as a trusted device which would render the two things in the possession of the thief useless for accessing your account.

If, for some reason you can't register multiple devices then keep multiple copies of the recovery key in different places (which is a good idea anyway, as recommended by Apple)

Keep your Recovery Key in a secure place in your home, office, or other location. You should consider printing more than one copy, so that you can keep your key in more than one place. Your key will be easier to find if you ever need it, and you'll have a spare copy if one is ever lost or destroyed.

You shouldn't store your Recovery Key on your device or computer, because that could give an unauthorized user instant access to your key.


and you can then use this key and your password to reset the trusted devices and recovery key and again render the stolen items useless for accessing your account.


Apple do give very clear warnings about this
What do I need to remember when I use two-step verification?
Two-step verification simplifies and strengthens the security of your Apple ID. After you turn it on, there's no way for anyone to access and manage your account other than by using your password, verification codes sent to your trusted devices, or your Recovery Key. Only you can reset your password, manage your trusted devices, or create a new Recovery Key. Apple Support can help you with other aspects of your service, but they aren't able to update or recover these three things for you. Therefore, when you use two-step verification, you are entirely responsible for:

Remembering your password
Keeping your trusted devices physically secure
Keeping your Recovery Key in a safe place
If you lose access to two of these three items at the same time, you could be locked out of your Apple ID permanently.

All quotes from this page: http://support.apple.com/en-gb/HT5570
 
McDonald's served their coffee undrinkably hot - they offered unlimited refills, and by serving the coffee very very hot they made sure that few people asked for a refill, so McDonald's would save money. McDonald's had also settled seven hundred cases where customers were injured before this happened. So they served coffee that they knew would injure people and had already injured at least 700 people, in order to save some money.

Accidents with coffee happen all the time. McDonald's deliberate actions changed the outcome from being painful to third degree burns. And that was entirely their fault.

Point taken....

But my argument still holds of how people turn around everything to blame everything and everyone else, instead of their own stupidity....
 
Allow photo ID and perhaps even a second form of Identification shown in person at an Apple store to allow for the recovery of the account.

Rare is the chance that you will need this recovery key, and its importance is easily forgotten or the key misplaced over the years.

If you can prove who you are in person, why would you tell them no, you can't regain access to your account?

That's the best idea yet.

Apple is one of the few companies who actually has a physical presence.

You could have a photo ID on file... walk into an Apple Store and show that photo ID... and maybe even a credit card they have on file too. There's almost no chance a bad guy can spoof all of that.

I like it. You win this thread :)
 
Point taken....

But my argument still holds of how people turn around everything to blame everything and everyone else, instead of their own stupidity....

Some people in some situations. But I don't think this is one of them.

This is more a case of poor software design and poor communication design. Possibly both.

----------

I see a lot of smug people here ...

Not half.
 
I have my recovery key written in heavy black marker pen under my work desk at home. I did not want to put it on a piece of paper in a 'safe' place to lose. I've also tested the recovery key to make sure it works and that it was written down correctly.
I keep mine on a yellow Post-It note on the side of my monitor. It says Recovery Key on it. I also put my password on it, just in case.
 
I happened to turn on the recovery thing a few weeks ago and they do ask you to type it in again after it disappears off the screen, just to make doubly sure that you have written it down. If the person then goes and loses it after that, there's not much Apple can do I suppose -- they did their best to get you to keep it
 
The warnings were all over the setup process.

I have my recovery key stored in a secure note in LastPass and in an encrypted file in my Dropbox account.
 
[url=http://i128.photobucket.com/albums/p176/martygras9/Recover.jpg]Image[/URL]

Not clearly written at all. Note the use of the word "if", rather than "when". The writer who is the subject of this article points out that exact thing. The wording leads one to believe that the recovery key is necessary ONLY IF you forget your password and don't have a trusted device. The "IF" scenario did not apply in the original article because the account owner DID know his password and DID have access to a trusted device. Therefore, he correctly believed that in his case, the recovery key was not required.

One sentence on Apple's page could clear this all up. "If your account is LOCKED due to multiple access attempts with the wrong password, your recovery key WILL BE REQUIRED TO UNLOCK your account, regardless of all other factors."

Ah, you are absolutely correct, sir/ma'am. Must've been my paranoia that brought me to hold onto that code. Thanks!
 
Ha, this is hardly the only stupid apple problem. Get this. Last week I lost my decade old apple account because Apple would send some emails to my gmail account, but would not send the iCloud verification email to my actual gmail email address. The email it would not send to was set up like xxx.yyyy@gmail.com (note the period)

So, after viewing some forums, I tried xxxyyyy@gmail.com which as predicted sent the verification email to my xxx.yyyy@gmail.com, but it also changed my primary email address (to one I don't own).

Great. My iCloud account was now verified (yay) but it was using an account I don't own and now I can't get my other Apple email.

So then, as per instructions I had found, I tried to switch back the account to xxx.yyyy@gmail.com but it's a backup email for a long lost apple ID, and because I no longer have the iPhone it's linked to, I can no longer get my account back.

TLDR - I am verified for an account I don't own, and locked out of an account I do own, and unable to change with Apple support. Thanks Apple.

 
I don't think it's buggy. The problem is not (and has never been) the technical implementation, but the security policies. Before the "fappening" they were way too lax. Now the pendulum seems to have swung a bit too far in the other direction.

Yes, read my post above. It is buggy.

iCloud and the rest of Apple appear to be using different email protocols that treat "." differently.
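The hazard behind the xxx.yyyy@gmail.com / xxxyyyy@gmail.com mix-up above, modelled as an added example (not code from the thread, from Apple or from Google). It assumes Gmail's documented routing rules (dots and a "+tag" suffix in the local part are ignored, case is ignored) and contrasts them with an account system that compares addresses literally; the `AccountDirectory` class is a hypothetical store that keys on the delivered mailbox instead, so two spellings cannot become two accounts pointing at one inbox.

```python
# Added illustration of address canonicalisation collisions. Assumption: Gmail
# delivers dotted, undotted and "+tag" variants of a local part to one mailbox,
# while a literal comparer treats each spelling as a separate identity.

def gmail_mailbox(address: str) -> str:
    """Mailbox an address actually lands in (Gmail rules, assumed)."""
    local, _, domain = address.partition("@")
    domain = domain.lower()
    if domain in ("gmail.com", "googlemail.com"):
        local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def literal_identity(address: str) -> str:
    """Identity key used by a system that only lowercases the address."""
    local, _, domain = address.partition("@")
    return f"{local.lower()}@{domain.lower()}"


def collides(a: str, b: str) -> bool:
    """True when two addresses are distinct identities to the literal comparer
    but share one mailbox: a verification mail for either one proves control
    of both, which is how one inbox ends up attached to two accounts."""
    return (literal_identity(a) != literal_identity(b)
            and gmail_mailbox(a) == gmail_mailbox(b))


class AccountDirectory:
    """Hypothetical account store keyed on the delivered mailbox, so a second
    account cannot be registered against a spelling of an inbox already in use."""

    def __init__(self) -> None:
        self._by_mailbox: dict[str, str] = {}

    def register(self, account_id: str, address: str) -> bool:
        key = gmail_mailbox(address)
        owner = self._by_mailbox.setdefault(key, account_id)
        return owner == account_id  # False: another account already owns this inbox


if __name__ == "__main__":
    # Constructed sample addresses mirroring the post above.
    print(collides("xxx.yyyy@gmail.com", "xxxyyyy@gmail.com"))  # True
    directory = AccountDirectory()
    print(directory.register("old-apple-id", "xxx.yyyy@gmail.com"))  # True
    print(directory.register("icloud-id", "xxxyyyy@gmail.com"))  # False
```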
 
And this is one of the reasons why I won't use two factor authentication, I'd be more worried about losing access to my account than a hacker getting access.
 
Hurrah!!!!
Now I can lose my house key and blame my landlord....

Did you read the article at all? According to this Link you just need 2 of the 3 items to get in, which he had.
With two-step verification turned on for your Apple ID, you will always need at least two of the following to sign in:

  • Your Apple ID password
  • Access to one of your trusted devices
  • Your Recovery Key

He has his password and a trusted device, and that is 2 of the 3 needed according to Apple.
 
Yes, read my post above. It is buggy.

iCloud and the rest of Apple appear to be using different email protocols that treat "." differently.
I'm not sure I understand your post. It seems you entered an address that you don't own (the one without dot) and are now surprised that you can't receive emails sent to that account?

Anyway, I've used several (Gmail and Outlook.com) addresses with dots as my Apple ID and never had a problem.
 
Did you read the article at all? According to this Link you just need 2 of the 3 items to get in, which he had.
With two-step verification turned on for your Apple ID, you will always need at least two of the following to sign in:

  • Your Apple ID password
  • Access to one of your trusted devices
  • Your Recovery Key
He has his password and a trusted device, and that is 2 of the 3 needed according to Apple.

Correct.

Apple's documentation says you need two of the three to get into your account.

However... they say nothing about getting into a "locked" account due to hackers or whatever. That's the disconnect.

I agree that Apple needs to update that page to describe what you need to do to recover a "locked" account.

And guess what that solution is: your Recovery Key.

But Owen Williams lost his Recovery Key.

Even if Apple's support page said "You need your Recovery Key to access a locked account"... he didn't have it. He would have still been in the same situation.

Yes... Apple needs to rewrite that page to make it easier to understand. But this point still remains:

DON'T LOSE YOUR RECOVERY KEY

On the page you linked... it mentions "Recovery Key" nine times.

On Apple's two-step verification page... it mentions "Recovery Key" 16 times.

Seems like the Recovery Key is something that is equally important as your password and device.

While I don't use two-factor authentication on my AppleID... I do use it on LastPass, Google, Facebook and my Microsoft accounts.

And I make damn sure I know where those recovery keys are.
 
That's why you should have multiple trusted devices (as recommended by Apple)

you could then reset your recovery key and remove the stolen phone as a trusted device which would render the two things in the possession of the thief useless for accessing your account.

If, for some reason you can't register multiple devices then keep multiple copies of the recovery key in different places (which is a good idea anyway, as recommended by Apple)

and you can then use this key and your password to reset the trusted devices and recovery key and again render the stolen items useless for accessing your account.

Apple do give very clear warnings about this

All quotes from this page: http://support.apple.com/en-gb/HT5570
I think you're missing the point of the article: by reading Apple's documentation a user might get the impression that as long as he remembers his passwords and has access to a trusted device he can authenticate himself, which is not the case.

It's true that you can use the recovery key if you forget your password or lose all your trusted devices, but what the documentation fails to mention is that according to the article if your account gets locked for security reasons you cannot login anymore with trusted device + password, you can only unlock the account with the recovery key.

This means e.g. that the following statement from Apple's documentation:
As long as you remember your Apple ID password and still have access to one of your trusted devices, you can sign in and create a new Recovery Key.
is not always correct.
 
Correct.

Apple's documentation says you need two of the three to get into your account.

However... they say nothing about getting into a "locked" account due to hackers or whatever. That's the disconnect.

I agree that Apple needs to update that page to describe what you need to do to recover a "locked" account.

And guess what that solution is: your Recovery Key.

But Owen Williams lost his Recovery Key.

Even if Apple's support page said "You need your Recovery Key to access a locked account"... he didn't have it. He would have still been in the same situation.

Yes... Apple needs to rewrite that page to make it easier to understand. But this point still remains:

DON'T LOSE YOUR RECOVERY KEY

On the page you linked... it mentions "Recovery Key" nine times.

On Apple's two-step verification page... it mentions "Recovery Key" 16 times.

Seems like the Recovery Key is something that is equally important as your password and device.

While I don't use two-factor authentication on my AppleID... I do use it on LastPass, Google, Facebook and my Microsoft accounts.

And I make damn sure I know where those recovery keys are.
agree 100%, my point was to the person who I quoted that I don't blame the user on this one.

Apple needs to do something, like you said, because this can be an issue.
I have 2 step verification set up everywhere, including my Apple ID. I also have the recovery key in a safe place too in case of an emergency, but I might print them out and hide them in my house now to be extra safe.
 
agree 100%, my point was to the person who I quoted that I don't blame the user on this one.

Well.... you can blame the user a little bit ;)

Whether or not the Apple page said you needed the Recovery Key to access his "locked" account.... he did NOT have his Recovery Key at all.

That's totally on the user at that point.

After failing to print out and safely maintain the Recovery Key... I'd blame the user. :D
 
I don't see why. Apple already has some pieces of information on file about the user, including the name, DOB, and in most cases a credit card number. If the user can produce 2 out of 3 authentication factors (password and trusted device), and can *additionally* produce a photo ID with matching name/DOB and perhaps the physical credit card registered in the iTunes account in an Apple store, that should be more than enough verification to allow the user to regain access to a locked account.

Then don't use 2 factor authentication. Stick with the security questions and be happy that you can recover. Me, I want the full power of 2 factor security and no way for someone to social engineer Apple to give them control of my account.
 
I'm not sure I understand your post. It seems you entered an address that you don't own (the one without dot) and are now surprised that you can't receive emails sent to that account?

Anyway, I've used several (Gmail and Outlook.com) addresses with dots as my Apple ID and never had a problem.

It's confusing as hell, and is utterly nonsensical, but I received iCloud verification emails ONLY by using the WRONG email address.

It's a strange but regular problem, and there are a variety of forums describing it, but for some email addresses you will never be able to verify because it seems that Apple literally sends your verification email somewhere else. So everything worked fine until I needed to be verified for iCloud and the verification emails weren't coming to my account.

I jimmied the email address to get verification, and voilà! It arrived in my inbox. But then I could not restore access to the original account because of some weird security snag.

So as things stand today, most of my apple email is going to someone else, but that person can't change it because they can't log in and all the verifications are coming to me (through their email address)... And I can't return to my original email address because of some weird security policy that my email is a secondary email on another account... But even if I could return, I still wouldn't be able to verify it because the verifications are going somewhere else.

Fortunately, I'm not a major iTunes user or this would have been a real problem.

So, ya, I don't think two factor recovery is the only problem Apple has in security.

----------

Might want to save your hurrahs.

What if your landlord says, "Who are you? Clear off!"

My situation is closer to my landlord saying your keys are in the house, then changing the locks when I tried to break in to get the keys.
 
The statement on Apple's two step system setup page was enough for me.

It's a trade off. Convenience vs security. Pick as you feel is appropriate for your account.
 