I think you're missing the point of the article: by reading Apple's documentation a user might get the impression that as long as he remembers his passwords and has access to a trusted device he can authenticate himself, which is not the case.

It's true that you can use the recovery key if you forget your password or lose all your trusted devices, but what the documentation fails to mention is that, according to the article, if your account gets locked for security reasons you can no longer log in with trusted device + password; you can only unlock the account with the recovery key.

This means e.g. that the following statement from Apple's documentation:

is not always correct.

Yeah, I understand that - I thought I was replying to the guy who had his phone and wallet stolen and had therefore lost his recovery key and trusted device. Apologies for any confusion!
 
Ha, this is hardly the only stupid Apple problem. Get this. Last week I lost my decade-old Apple account because Apple would send some emails to my Gmail account, but would not send the iCloud verification email to my actual Gmail email address. The email it would not send to was set up like xxx.yyyy@gmail.com (note the period).

So, after viewing some forums, I tried xxxyyyy@gmail.com which, as predicted, sent the verification email to my xxx.yyyy@gmail.com, but it also changed my primary email address (to one I don't own).

Great. My iCloud account was now verified (yay) but it was using an account I don't own and now I can't get my other Apple email.

So then, as per instructions I had found, I tried to switch the account back to xxx.yyyy@gmail.com, but it's a backup email for a long-lost Apple ID, and because I no longer have the iPhone it's linked to, I can no longer get my account back.

TLDR - I am verified for an account I don't own, and locked out of an account I do own, and unable to change with Apple support. Thanks Apple.



Have you submitted this report to Apple?

This bug worries me, since the email account I have associated with my Apple ID also uses a period character to separate two words like yours. I've never tried to get iCloud alerts through it, my account is verified, and my regular iTunes / App Store receipts come as expected.
 
How do I know whether or not I have a two-factor recovery key? I may, but I'm not sure. If I do have one, I have a feeling I know what it is, but now I'm worried that I may not have it and I could possibly be wrong . . . in which case I'd like to change it before it becomes necessary to use it. So, how do I know whether or not that's the security I have set up?
 
I don't think it's buggy. The problem is not (and has never been) the technical implementation, but the security policies. Before the "fappening" they were way too lax. Now the pendulum seems to have swung a bit too far in the other direction.

To the buggy direction.
 
How do I know whether or not I have a two-factor recovery key? I may, but I'm not sure. If I do have one, I have a feeling I know what it is, but now I'm worried that I may not have it and I could possibly be wrong . . . in which case I'd like to change it before it becomes necessary to use it. So, how do I know whether or not that's the security I have set up?

You cannot enable two-factor authentication on your Apple account without creating a recovery key, so if you are using two-factor authentication the key exists. If you don't have it anymore or you are unsure, the best thing to do is to create a new recovery key, which you can do as long as you are able to log in to your account:

If you lost your Recovery Key
As long as you remember your Apple ID password and still have access to one of your trusted devices, you can sign in and create a new Recovery Key.

Go to My Apple ID, select "Manage your Apple ID," and sign in.
Under Edit your Apple ID, select "Password and Security."
Under Recovery Key, select Replace Lost Key and follow the onscreen instructions.
Note: Your old Recovery Key will be deactivated immediately and cannot be used to reset your password or access your account.

The procedure will automatically deactivate the old key so it doesn't matter what it was or whether someone finds it. Make sure to store the new key safely.
 
Breaking News!

System works as designed!

If so, then it is fundamentally defective by design.

The whole point of two-factor authentication is that you need two factors—your credentials and a trusted device. The recovery key is supposed to be required only if you don't have access to one of your two factors. If an event beyond the user's control can cause it to suddenly be necessary, that's seriously broken by design.

The proper approach to multiple failed attempts is to block access attempts from that IP address for an extended period of time (say a day initially, a week on the second attempt, a month on the third), and more importantly, to block access regardless of which account the attacker tries to use during that period. A proper policy should also recognize when lots of related IPs are being used for attacks, and should block the entire netblock. At that point (and maybe sooner), the attack should be escalated to a human, so that law enforcement can get involved.

By contrast, blocking access to a specific account regardless of location is a harmful security practice, for several reasons:

  1. It is quite likely that the attacker does not have the credentials, or else it would take fewer than five guesses. Therefore, the risk of the attacker trying again from another IP is fairly low.
  2. The attacker doesn't have the second factor, without which the attacker would have to have the recovery key anyway. Therefore, no number of failed authentication attempts will ever realistically succeed (unless the length of the recovery keys is inadequate).
  3. Blocking access to the account is in itself a denial of service vulnerability.

That last one is worth further explanation. And given that a lot of companies (particularly banks) have started doing this, apparently the foolishness of these policies isn't quite as obvious as I would have hoped.

When you allow an attack to lock out access to an account, rather than locking out access from a specific source IP, malicious individuals can trivially use (deliberately) failed logins to harass the accountholder by locking him or her out of the account. Instead of punishing the attacker, it punishes the attackee.

And because Apple IDs are the same as your email address, every single person who has your email address has the ability to trivially lock you out of your account just to mess with you. Sure, if you have your recovery key, you can get back in, but then an hour later, they can do it again. The potential for mischief is almost unlimited when you have a system that blocks the account rather than blocking the attacker.

Worse, people use two-factor because they assume their account is a high-profile target. Attacks on those accounts are more likely, both because they are high profile and because more people have their email addresses, making this policy a perfect storm for abuse.

And the policy looks even more broken once you factor in the psychology element. When most people have trouble remembering a password, they write it down. When people know that they might have to suddenly provide that recovery key at a moment's notice, what are they going to do? Yup, you guessed it.

This policy decision effectively encourages people to keep a copy of their recovery keys on their phones, so that they won't lose access to their accounts if someone tries to break in. As a result, Apple's fundamental security design flaw effectively encourages users to collapse the two-factor security model back into a single factor, and in many cases, arguably into the weaker of the two factors (possession of the device, rather than a password).

Sorry, but Apple needs to hire someone with a solid understanding of computer security and human psychology, and give that person absolute authority to basically rethink every iCloud security policy from the ground up, and authority to order engineers to rip out and replace any code necessary in order to make that happen. Because as designed, iCloud's security policies are just about as broken as you can feasibly get, short of adding mandatory password rotation....
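The two brute-force responses the post contrasts, as an added simulation that is not part of the thread and not Apple's code: per-account lockout (what the thread reports two-factor accounts get) beside per-source throttling with the day/week/month escalation the post proposes. The five-failure threshold, the /24 netblock rule, the number of banned hosts that triggers it, and every address here are assumptions made for the example.

```python
"""Added example (not from the thread): two brute-force response policies side by side.
Thresholds, the /24 netblock rule and all addresses are assumptions for this simulation."""
from collections import defaultdict
import ipaddress

MAX_FAILURES = 5                                  # the post's "fewer than five guesses"
BAN_SCHEDULE = [86_400, 7 * 86_400, 30 * 86_400]  # a day, then a week, then a month (from the post)
NETBLOCK_STRIKES = 3                              # assumed: banned hosts in one /24 before the whole /24 is banned


class AccountLockoutPolicy:
    """Per-account lockout: failures count against the account name; at the threshold the
    account is locked for everyone. Modelled as permanent, since the thread says two-factor
    accounts stay locked until the recovery key is used."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, account, source_ip, password_ok, now):
        if account in self.locked:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
        return "denied"


class SourceThrottlePolicy:
    """Per-source throttling: failures count against the source address; a source at the
    threshold is refused for *every* account for an escalating period, and once
    NETBLOCK_STRIKES hosts in one /24 are banned the whole /24 is refused."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.bans = {}            # ip -> (banned_until, strikes so far)
        self.netblock_bans = {}   # IPv4Network (/24) -> banned_until

    @staticmethod
    def _netblock(ip):
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def _is_banned(self, ip, now):
        until, _ = self.bans.get(ip, (0, 0))
        return now < until or now < self.netblock_bans.get(self._netblock(ip), 0)

    def attempt(self, account, source_ip, password_ok, now):
        if self._is_banned(source_ip, now):
            return "banned"
        if password_ok:
            self.failures[source_ip] = 0
            return "ok"
        self.failures[source_ip] += 1
        if self.failures[source_ip] >= MAX_FAILURES:
            self.failures[source_ip] = 0
            _, strikes = self.bans.get(source_ip, (0, 0))   # strikes survive ban expiry, so bans escalate
            self.bans[source_ip] = (now + BAN_SCHEDULE[min(strikes, len(BAN_SCHEDULE) - 1)], strikes + 1)
            self._maybe_ban_netblock(source_ip, now)
        return "denied"

    def _maybe_ban_netblock(self, ip, now):
        net = self._netblock(ip)
        active = [a for a, (until, _) in self.bans.items()
                  if now < until and ipaddress.ip_address(a) in net]
        if len(active) >= NETBLOCK_STRIKES:
            self.netblock_bans[net] = now + BAN_SCHEDULE[0]


def harassment_scenario(policy):
    """Constructed scenario from the post: a host that only knows the account name sends
    five wrong passwords; the real owner then signs in from another network with the right
    password, and the same host probes a second account. Returns (owner, other_account)."""
    victim, owner_ip, attacker_ip = "victim@example.com", "198.51.100.4", "203.0.113.7"
    t = 1_000_000
    for _ in range(MAX_FAILURES):
        policy.attempt(victim, attacker_ip, password_ok=False, now=t)
    owner = policy.attempt(victim, owner_ip, password_ok=True, now=t + 60)
    other = policy.attempt("other@example.com", attacker_ip, password_ok=False, now=t + 60)
    return owner, other


def escalation_scenario():
    """One host keeps failing after each ban lapses; returns the successive ban lengths."""
    policy, ip, t, lengths = SourceThrottlePolicy(), "203.0.113.7", 0, []
    for _ in range(3):
        for _ in range(MAX_FAILURES):
            policy.attempt("victim@example.com", ip, password_ok=False, now=t)
        until, _ = policy.bans[ip]
        lengths.append(until - t)
        t = until                      # wait out the ban, then try again
    return lengths


def netblock_scenario():
    """NETBLOCK_STRIKES hosts in 203.0.113.0/24 get banned; a never-seen host in the same
    /24 is then refused even with the correct password."""
    policy, t = SourceThrottlePolicy(), 0
    for host in range(10, 10 + NETBLOCK_STRIKES):
        for _ in range(MAX_FAILURES):
            policy.attempt("victim@example.com", f"203.0.113.{host}", password_ok=False, now=t)
    return policy.attempt("victim@example.com", "203.0.113.200", password_ok=True, now=t + 1)
```

Under the account policy `harassment_scenario` returns `('locked', 'denied')`: the owner is shut out and the probing host is free to move to the next account. Under the source policy it returns `('ok', 'banned')`, and `escalation_scenario` yields `[86400, 604800, 2592000]`. The netblock rule carries its own risk, which the post does not mention: many legitimate users sit behind one NAT or carrier-grade NAT address, so a /24 (or even a single-address) ban can still lock out bystanders, which is why the post's escalation to a human review matters before bans get that broad.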
 
And if Apple were more lenient and gave him the recovery key, your post would bash Apple for having poor security. Because you're part of the anti-Apple herd mentality where every decision Apple makes is wrong, even if it would be the right decision by another company.

Instead of waiting for the site to ban you, why not ban yourself from this site?
If you lost the keys to your house, would you be okay with Apple destroying it, what am I saying of course you would.
 
If you lost the keys to your house, would you be okay with Apple destroying it, what am I saying of course you would.


So instead of actually responding to my post, you come up with a bizarre, contrived scenario.

How (and why) on earth would Apple ever be in a position to destroy my house? How can you even begin to compare such a childishly outrageous situation to the one mentioned in the article?

No, I would not be okay with it. Because there would never, ever be a reason for Apple to do such a thing.

Check your bias at the door before accusing others of bias.
 
Have you submitted this report to Apple?

This bug worries me, since the email account I have associated with my Apple ID also uses a period character to separate two words like yours. I've never tried to get iCloud alerts through it, my account is verified, and my regular iTunes / App Store receipts come as expected.

This is a gmail issue as they recognise that both forms are the same as an alias.

----------

How do I know whether or not I have a two-factor recovery key? I may, but I'm not sure. If I do have one, I have a feeling I know what it is, but now I'm worried that I may not have it and I could possibly be wrong . . . in which case I'd like to change it before it becomes necessary to use it. So, how do I know whether or not that's the security I have set up?

Try signing in at AppleID.apple.com

----------

Haven't seen a 2 factor account locked out.

If one tries to log in repeatedly, it routes you to iForgot, which then asks for the recovery key.

So correct password is assumed OR key plus device.
 
Re-read this post

Excellent Post.

If so, then it is fundamentally defective by design.

The whole point of two-factor authentication is that you need two factors—your credentials and a trusted device. ...
 
If they lock your account, it doesn't matter if you downloaded purchases or stored in the cloud. Once the account is locked, they will eventually deauthorize your computers and the purchases will no longer be able to be used except for your music of course.

I know this from past experience. I once had an account with thousands of TV show purchases and over 100 movies purchased. They locked it and after several months, the computer was deauthorized by Apple and all my purchases no longer worked.

Well that sucks. Bottom line is, don't get locked out.
 
So instead of actually responding to my post, you come up with a bizarre, contrived scenario.

How (and why) on earth would Apple ever be in a position to destroy my house? ...

No, no. He's actually on the right lines.

What's the difference between a destroyed house and a house you ABSOLUTELY can't get into?

And breaking a window is not an option, BTW.
 
No, no. He's actually on the right lines.

What's the difference between a destroyed house and a house you ABSOLUTELY can't get into?

And breaking a window is not an option, BTW.

But again, why would Apple have my house keys in the first place? Is that not the implication he made?

If I were crazy enough to put myself in a position where Apple could choose to lock me out of my house forever, then I shouldn't be surprised when that scenario happens. I'll take the remote chance that my Apple ID is locked forever, but I wouldn't do the same for my house. Which in the end, is the false claim that RockSpider made.
 
wow...

This is the wrong way ... Apple just doesn't learn here, do they..

"Recovery key" is "just that": it's used to "recover" the account, not keep it locked.

The account wasn't hacked because two-factor prevented this.. the hacker can keep trying over and over if they want to, with no effort.

The only thing I could see is if Apple locks your account simply because the user is being constantly spammed with verification codes to the cell. :apple:

Thank you Apple..... :p This is why I don't use this. I dunno why Apple forces you to add a "trusted" device anyway..... Google's implementation works just as well with a trusted device being "optional", not "required".

My guess is better security, but it requires the user to have the Find My Phone app (whether they use it or not), just to have this...

Outcome ?? not worth it. Just have a complex password and only use it once
 
Did no one see my previous message?

This exact issue happened to me (lost my recovery key and account was locked out), and was fixed just today in fact (funny coincidence?).

So initially my two-factor enabled account was locked out by someone else trying to log into it too many times. Unlike simple accounts, two-factor accounts won't unlock after 8 hours, and actually have to have the password reset. Where the issue arises is that Apple only ever says you have to have 2 of the 3 "keys" to regain access to your account:

1. Password
2. Trusted Device (or mobile number)
3. Recovery Key

However, if your account gets locked out, the iForgot website only gives you the option to enter the recovery key. There is a link under the box to enter it, "Lost Recovery Key", which leads you to the two-step authentication support page. It says that to reset your recovery key, you simply need to log in to manage your Apple ID and regenerate a new one. However, this simply leads you back to a locked-out account, which leads back to iForgot (a big loop).

I raised this issue with Apple Support back in July/August 2014 and over 15 calls and emails back and forth and 4 different senior support specialists they were still "looking into it". Finally I got tired of the lack of effort on their side to resolve my issue so I emailed them back (first week of December 2015), this time copying Tim Cook and Eddy Cue. It's surprising how much faster things moved after that. I received a phone call from a representative from the executive support team who hooked me up on a call with an Apple Engineer and another support specialist (they seem to have many levels of these).

Long story short, the Apple Engineer was able to "unlock" my account temporarily, which allowed me to log in to my Apple ID management account page and reset my account. I was able to use my existing password and a text message sent to my phone to resolve the two-step authentication part. The engineer was a bit of a dick about it and was blaming me for having lost the Recovery Key, but I don't see how that's my problem, as they said I could use "any" 2, not my "Recovery Key" then "any" 2.

So there is hope if you think they can't do it. You might have to wait 3-4 months like me, but all is not lost :).

Did no one see this? Apple can and will fix this problem.
 
So instead of actually responding to my post, you come up with a bizarre, contrived scenario.

How (and why) on earth would Apple ever be in a position to destroy my house? How can you even begin to compare such a childishly outrageous situation to the one mentioned in the article?

No, I would not be okay with it. Because there would never, ever be a reason for Apple to do such a thing.

Check your bias at the door before accusing others of bias.

If you can't get in, you have to destroy it and build another one. Use a car as an example if it makes it any easier.

I own Apple stuff and know what this guy has been through; I had to sell (destroy) my iPad Mini because I couldn't use it on the same account.
 
"was on the verge of losing his "digital life"."

Who the ***** would trust their "digital life" to iCloud anyway?
There is a level of stupidness that...
 
But again, why would Apple have my house keys in the first place? Is that not the implication he made?

No. That's not the implication RockSpider made at all.

But, anyway, it's an analogy. And while analogies are useful at quickly communicating the essence of complex ideas, all analogies collapse if over-scrutinized. But that's not their purpose.

I think the post that mkldev took considerable time and trouble to write sums it up rather well (without the locked-house analogy).

----------

I'll take the remote chance that my Apple ID is locked forever, but I wouldn't do the same for my house.

Re-reading your post, I think this is the key to your dissent here (And it's entirely reasonable, btw.)

You would be okay abandoning your current AppleID, but others (who have more at stake and tied-up in their current Apple ID) would not. To them, it is their house (or at least their electronic home)
 
If you can't get in, you have to destroy it and build another one. Use a car as an example if it makes it any easier.

I own Apple stuff and know what this guy has been through; I had to sell (destroy) my iPad Mini because I couldn't use it on the same account.


My sincerest apologies, RockSpider. I wasn't even thinking about activation lock when I read your first comment. Your analogy makes much more sense to me now.

Looking at the bigger picture, I think Apple's two-factor authentication is one of the most secure in the industry. However, will anybody want to use it? I remember trying to set it up, and it wasn't a good experience. It's not supposed to be easy, but if it's too hard, people won't want to use it. Still, when you sign up for rock-solid security... don't be surprised if that's what you get. I sympathize with the guy that was locked out of his account, but it's not exactly shocking either.

No. That's not the implication RockSpider made at all.

But, anyway, it's an analogy. And while analogies are useful at quickly communicating the essence of complex ideas, all analogies collapse if over-scrutinized. But that's not their purpose.

I think the post that mkldev took considerable time and trouble to write sums it up rather well (without the locked-house analogy).

----------

Re-reading your post, I think this is the key to your dissent here (And it's entirely reasonable, btw.)

You would be okay abandoning your current AppleID, but others (who have more at stake and tied-up in their current Apple ID) would not. To them, it is their house (or at least their electronic home)


As I told RockSpider above, the analogy actually makes a lot of sense when considering the activation lock. With that in mind, I wouldn't be okay abandoning my Apple ID because that would mean abandoning all my devices as well. Going forward, people considering two-factor authentication need to decide whether or not account security is so important to them that they're willing to potentially be locked out of their devices forever in order to keep their information secure. Most people won't be willing to do that, so Apple might want to look at that if they intend for more people to enable it.
 
This happened to me...

...while I was traveling internationally, I foolishly decided to upgrade my iPhone to iOS 8.

What I didn't realize was that once you have upgraded to iOS 8, you must perform two-factor auth to access iCloud on your iPhone.

I had my password but all my "trusted devices" were old products I no longer own, and I had no idea where my recovery key was (and if it were anywhere, I knew it'd be at home...not with me on my trip).

Since my MacBook and iPad were not upgraded to the newest OS, I still had access to my email through them.

I decided to archive several years worth of email at that point so if I ended up locked out of my Apple ID forever, at least I'd have my history to take with me.

Once I was home, I searched everywhere I could, physically and electronically, and could not find the recovery key. Until I searched one spot again and found the one and only physical copy.

Like the author of the story featured in this post, I called Apple as well and basically they couldn't help me.

I turned off two factor auth initially, but have reactivated it and now have copies of my recovery key in more than one place, and updated my trusted devices.

Close call.
 
I never had one to start with. I just have a password, that's all.

I really think you missed it.


Go to My Apple ID, select "Manage your Apple ID," and sign in.
Under Edit your Apple ID, select "Password and Security."
Under Recovery Key, select Replace Lost Key and follow the onscreen instructions.
 
If so, then it is fundamentally defective by design.

The whole point of two-factor authentication is that you need two factors—your credentials and a trusted device. ...

This is spot on!
 
Have you submitted this report to Apple?

This bug worries me, since the email account I have associated with my Apple ID also uses a period character to separate two words like yours. I've never tried to get iCloud alerts through it, my account is verified, and my regular iTunes / App Store receipts come as expected.

This is a gmail issue as they recognise that both forms are the same as an alias.

Actually, I think this has to be an Apple issue because that's where the inconsistency is occurring. Gmail is receiving different address information from Apple services. Also, as gmail recognizes xxx.yyyy and xxxyyyy as the same, both should end up in my inbox (both do, I've just been not getting xxx.yyyy icloud verifications... and yes, I have checked all the folders and filters on my account - I only get verifications to xxxyyyy).
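Why the dotted and undotted spellings reach one Gmail inbox yet look like two different identities to a service that compares the raw string, as an added example that is not from the thread and not Apple's or Google's code. The function names are mine, the dot-, case- and plus-tag-insensitivity rules are Gmail's documented behaviour, and the addresses are constructed placeholders in the poster's xxx.yyyy pattern.

```python
"""Added example (not from the thread): Gmail address canonicalisation and a check for
registered identifiers that collapse onto one inbox. Names and sample data are constructed."""

GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}   # Google delivers both to the same mailbox


def canonical_form(address):
    """The form Gmail actually routes on: dots in the local part and any '+tag' suffix are
    ignored and case is irrelevant. For every other domain only the domain is lower-cased,
    because the local part's meaning belongs to the receiving server (RFC 5321), so a
    service must not assume dot-insensitivity there."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain not in GOOGLE_DOMAINS:
        return f"{local}@{domain}"
    local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@gmail.com"


def same_inbox(a, b):
    """True when mail to either address lands in the same mailbox."""
    return canonical_form(a) == canonical_form(b)


def find_inbox_collisions(registered):
    """Group registered identifiers that deliver to one inbox: the poster's situation, where
    verification for one account arrived at the other's address. A service that keys
    accounts on the raw string cannot see this without canonicalising first."""
    groups = {}
    for addr in registered:
        groups.setdefault(canonical_form(addr), []).append(addr)
    return {inbox: ids for inbox, ids in groups.items() if len(ids) > 1}


# Constructed registry in the poster's pattern: two Apple-ID-style identifiers, one inbox.
SAMPLE_REGISTRY = ["xxx.yyyy@gmail.com", "xxxyyyy@gmail.com", "someone@example.com"]
```

`canonical_form("xxx.yyyy@gmail.com")` and `canonical_form("xxxyyyy@gmail.com")` are both `xxxyyyy@gmail.com`, while the same two local parts at `example.com` stay distinct. The defensive use is the collision report on an identity provider's own registry: any group it returns is a pair of accounts whose ownership proofs (verification links, reset mails) are interchangeable as far as the mailbox is concerned, which is exactly the inconsistency the poster ran into.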
 
OMG

THE CELB ACCOUNTS WERE NOT HACKED!!!

A password compromise due to ****** passwords and obvious secret questions is not HACKING!:eek:
 