If you're new to AirPods, considering buying a pair, or just want to pick up some new tips.
Losing Two-Factor Recovery Key Could Permanently Lock Apple ID
In March 2013, Apple introduced two-factor authentication to provide additional security for Apple IDs. It expanded the feature to several new countries earlier this year and introduced it to the company's iCloud.com website this September. This was after CEO Tim Cook promised to broaden use of its two-factor authentication system in the wake of a hacking incident that saw several celebrities' iCloud accounts hacked.
The system requires a user to have a second "trusted" device that is used to verify a user's identity in addition to an extra security code called the "Recovery Key". However, in a new account from The Next Web's Owen Williams, that Recovery Key also has the potential to completely lock a person out of their account if they're being hacked.
Williams found that someone had tried to hack his iCloud account. Apple's two-factor system kicked in and locked the account, denying entry to the would-be hacker while also denying entry to Williams. When he went to iForgot, Apple's account recovery service, he assumed two of his password, Recovery Key or trusted device would unlock his account, as he was led to believe by an Apple Support document.
Williams concludes with a warning that anyone with two-factor authentication should take far greater care in protecting and remembering where they store their Recovery Keys, as losing it could permanently lock a user out of their Apple ID with Apple unable to do anything to help. The entire account, which is a fascinating and worthwhile read, can be read at The Next Web.
The system requires a user to have a second "trusted" device that is used to verify a user's identity in addition to an extra security code called the "Recovery Key". However, in a new account from The Next Web's Owen Williams, that Recovery Key also has the potential to completely lock a person out of their account if they're being hacked.
Williams found that someone had tried to hack his iCloud account. Apple's two-factor system kicked in and locked the account, denying entry to the would-be hacker while also denying entry to Williams. When he went to iForgot, Apple's account recovery service, he assumed two of his password, Recovery Key or trusted device would unlock his account, as he was led to believe by an Apple Support document.
When I headed to the account recovery service, dubbed iForgot, I discovered that there was no way back in without my recovery key. That’s when it hit me; I had no idea where my recovery key was or if I’d ever even put the piece of paper in a safe place. I’ve moved since I set up two-factor on iCloud.Williams contends he took a screenshot of the Recovery Key and printed that out as well as taking a photo on his iPhone to keep as a backup, but could not locate either and was on the verge of losing his "digital life". He called Apple customer support and was told that he had forfeited his Apple ID by losing his Recovery Key and that there was no way Apple could help him. He called back a second time.
When she got back on the line, the story was just as bleak. “We take your security very seriously at Apple” she told me “but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID.”After a couple more days of talking to Apple customer support and even friends who worked at Apple, he continued to receive same responses: he was locked out of his account due to someone trying to hack into it and couldn't unlock it without a Recovery Key even though Apple's support document says it's possible with a trusted device. Eventually, Williams located his Recovery Key in what he calls the "depths" of his Time Machine backup, allowing him to finally unlock his account.
Williams concludes with a warning that anyone with two-factor authentication should take far greater care in protecting and remembering where they store their Recovery Keys, as losing it could permanently lock a user out of their Apple ID with Apple unable to do anything to help. The entire account, which is a fascinating and worthwhile read, can be read at The Next Web.
[ 206 comments ]
Top Rated Comments
(View all)
56 months ago
I am also confused how this is news. Apple explicitly states that losing the key will make the recovery impossible. And anyway, do you want secure accounts or not? If yes, then you are personally responsible for your stuff. Putting this silly article on MacRumours is entirely pointless.
56 months ago
Almost all the posts in here are incorrect about the purpose of the Recovery Key.
The Recovery Key is required if you forget your Apple ID password or lose access to a trusted device.
According to this article, the person in question knew his password and had a trusted device. He shouldn't have needed the Recovery Key.
The only thing Apple says about an account being compromised is that you need to reset your Apple ID password. And it says nothing about needing a Recovery Key to do that.
The Recovery Key is required if you forget your Apple ID password or lose access to a trusted device.
According to this article, the person in question knew his password and had a trusted device. He shouldn't have needed the Recovery Key.
The only thing Apple says about an account being compromised is that you need to reset your Apple ID password. And it says nothing about needing a Recovery Key to do that.
56 months ago
Two-Factor Authentication is just that:
A user will need 2 out of the 3;
1. Password
2. Device
3. Recovery Key
The name of service describes it.
They could perhaps release the lock after 48 hours, or unlock the account if you supply password, trusted device, and some additional verification (like showing a photo ID at an Apple store or sending a verification code to an alternate email address).
56 months ago
This happened to me
This exact issue happened to me (lost my recovery key and account was locked out), and was fixed just today in fact (funny coincidence?).
So initially my two-factor enabled account was locked out by someone else trying to log into it too many times. Unlike simple accounts, two-factor accounts won't unlock after 8 hours, and actually have to have the passport reset. Where the issue arises is that Apple only ever says you have to have 2 or the 3 "keys" to regain access to your account:
1. Password
2. Trusted Device (or mobile number)
3. Recovery Key
However, if your account gets locked out, the iforgot website only gives you the option to enter the recovery key. There is a link under the box to enter it "Lost Recovery Key" which leads you to the two-part authentication support page. It lists that to reset your recovery key, you simply need to login to manage your apple ID and regenerate a new one. However this simply leads you back to a locked out account, which leads back to iforgot (a big loop).
I raised this issue with Apple Support back in July/August 2014 and over 15 calls and emails back and forth and 4 different senior support specialists they were still "looking into it". Finally I got tired of the lack of effort on their side to resolve my issue so I emailed them back (first week of December 2015), this time copying Tim Cook and Eddy Cue. It's surprising how much faster things moved after that. I received a phone call from a representative from the executive support team who hooked me up on a call with an Apple Engineer and another support specialist (they seem to have many levels of these).
Long story short, the Apple Engineer was able to "unlock" my account temporarily which allowed me to login to my Apple ID management account page and reset my account. I was able to use my existing password and a text message sent to my phone to resolve the two-step authentication part. The engineer was a bit of a dick about it and was blaming me for having lost the Recovery Key, but I don't see how thats my problem as they said I could use "any" 2 not my "Recovery Key" then "any" 2.
So there is hope if you think they can't do it. You might have to wait 3-4 months like me, but all is not lost :).
This exact issue happened to me (lost my recovery key and account was locked out), and was fixed just today in fact (funny coincidence?).
So initially my two-factor enabled account was locked out by someone else trying to log into it too many times. Unlike simple accounts, two-factor accounts won't unlock after 8 hours, and actually have to have the passport reset. Where the issue arises is that Apple only ever says you have to have 2 or the 3 "keys" to regain access to your account:
1. Password
2. Trusted Device (or mobile number)
3. Recovery Key
However, if your account gets locked out, the iforgot website only gives you the option to enter the recovery key. There is a link under the box to enter it "Lost Recovery Key" which leads you to the two-part authentication support page. It lists that to reset your recovery key, you simply need to login to manage your apple ID and regenerate a new one. However this simply leads you back to a locked out account, which leads back to iforgot (a big loop).
I raised this issue with Apple Support back in July/August 2014 and over 15 calls and emails back and forth and 4 different senior support specialists they were still "looking into it". Finally I got tired of the lack of effort on their side to resolve my issue so I emailed them back (first week of December 2015), this time copying Tim Cook and Eddy Cue. It's surprising how much faster things moved after that. I received a phone call from a representative from the executive support team who hooked me up on a call with an Apple Engineer and another support specialist (they seem to have many levels of these).
Long story short, the Apple Engineer was able to "unlock" my account temporarily which allowed me to login to my Apple ID management account page and reset my account. I was able to use my existing password and a text message sent to my phone to resolve the two-step authentication part. The engineer was a bit of a dick about it and was blaming me for having lost the Recovery Key, but I don't see how thats my problem as they said I could use "any" 2 not my "Recovery Key" then "any" 2.
So there is hope if you think they can't do it. You might have to wait 3-4 months like me, but all is not lost :).
56 months ago
It's been this way since day 1. Hello!
Since the password has been entered wrong multiple times hence "forgotten", "hacked", "locked", "disabled", call it whatever you want, the system requires you to have the other 2 options:
recovery key + trusted device
Since the password has been entered wrong multiple times hence "forgotten", "hacked", "locked", "disabled", call it whatever you want, the system requires you to have the other 2 options:
recovery key + trusted device
56 months ago
I wonder how many of the people here calling that guy stupid proceeded to check that their recovery key still exists.
[ Read All Comments ]
Apple today released a new update for Safari Technology Preview, the experimental browser Apple first introduced three years ago in March 2016. Apple designed the Safari Technology Preview to test...
Apple today announced that all new and updated iPhone and iPad apps submitted to the App Store on and after March 27, 2019 must be built with the iOS 12.1 SDK or later and support the iPhone XS Max...
T-Mobile kicked off a new promotion today that lets new and existing customers get the 64GB iPhone XR at no extra cost when they add new voice lines and trade in a qualifying device.
...
Satechi, known for its line of accessories for the iPhone, iPad, and Mac, today announced the launch of two new USB-C accessories designed for Macs and iPads.
The Type-C Headphone Jack Adapter...
If you don't have a vehicle with CarPlay installed natively, there are a number of third-party aftermarket CarPlay receivers from companies like Alpine and Pioneer, which can be an affordable way...
Apple today announced the launch of a new media literacy initiative that's designed to encourage critical thinking and empower students to be better informed.
Apple is teaming up with...
Amid the launch of brand-new iPads this week, there are quite a few deals on older models for users who don't mind purchasing previous generation devices. Along with these sales, you can also...
