Hello Everyone,

I strongly suggest that you read the following article, very carefully.  

The link to the original post may be found at the end of the text.

Mark

The dark side of Apple's two-factor authentication

Earlier this week, a strange message popped up on my Mac that I thought
nothing of. "You can't sign in because your account was disabled for
security reasons." I dismissed it in my tired haze, thinking it would solve
itself and went to sleep.

The next morning, I didn't have time to deal with the message - which was
now popping up every half hour - for a few hours until it became annoying. I
figured I'd done something dumb and broken iCloud, but that it could wait.

I'd turned two-factor on my Apple ID in haste when I read Mat Honan's
harrowing story about how his Mac, iPhone and other devices were wiped when
someone broke into his iCloud account. That terrified me into thinking about
real security for the first time.

When I finally had time to investigate the errors appearing on my machine, I
discovered that not only had my iCloud account been locked, but someone had
tried to break in. Two-factor had done its job and kept the attacker out,
however, it had also inadvertently locked me out.

The Apple support page relating to lockouts assured me it would be easy to
recover my account with a combination of any two of either my password, a
trusted device or the two-factor recovery key.

When I headed to the account recovery service, dubbed iForgot, I discovered
that there was no way back in without my recovery key. That's when it hit
me; I had no idea where my recovery key was or if I'd ever even put the
piece of paper in a safe place. I've moved since I set up two-factor on
iCloud.

I began nervously scouring the entire house for the code, before giving up
after a few frustrating hours and began searching my computer for any trace
of it. I found countless "recovery keys" but they weren't for the right
things; for my Mac's hard-drive encryption, Twitter, Facebook and other
accounts, but not for my Apple ID.

How could I be foolish enough to misplace my Apple ID recovery key?
I swore that I'd taken a screenshot, printed it and had taken a photo of it
with my iPhone for extra safekeeping.

This is when it began to sink in that this single ID held the keys to much
of my digital life; everything from iTunes purchases going back seven years,
app purchases and even the ability to get my iPhone out of the grips of Find
my iPhone's lock.

The sinking feeling began. After fruitlessly searching and a lot of cussing,
I decided to call Apple. I figured that something must be wrong, since the
support page claims you can use trusted devices to recover your ID in cases
like this.

The first person I spoke to told me immediately after getting on the phone
that in no uncertain terms I had forfeit my Apple ID by losing the recovery
key. He refused to help me. I hung up and called back.

On the second call, I got a lovely woman who totally understood my plight
and how terrible it was. She told me a similar thing had happened to her,
and it had turned out OK. After 20 minutes of poking around and lots of
awkward sighing, she put me on hold to talk to a senior manager.

When she got back on the line, the story was just as bleak. "We take your
security very seriously at Apple" she told me "but at this time we cannot
grant you access back into your Apple account. We recommend you create a new
Apple ID."

I couldn't believe what I was hearing and fought back that surely there was
some other way, but I was told point blank that Apple would not help me. I
offered a scan of my government ID, my trusted devices and other proof that
it was me. Nope, that won't do for Apple in this situation. She apologized
profusely and said there was nothing more should do.

Furious about the situation, I took to Twitter in a fit of rage, complaining
that Apple couldn't help me out of a dumb situation, in which I could easily
prove who I was. It was frustrating enough that when setting up my Apple ID,
the company assured me I could recover the account with a trusted device.

I know it was stupid that I'd lost the recovery key but I'd set it up so
long ago I couldn't remember where it would conceivably be. There's only so
many things I can keep track of. Besides, I figured I'd be able to use
trusted device to get out of a mess like this.

I'd looked almost everywhere twice by this point. Who remembers stuff like
this?

Apple's two factor signup process tries to point out the importance of the
key when you set it up.
You have to print the key, then re-enter it to show that you've got it. I
don't think this step existed when it launched.

So, I pushed on, resuming the hunt. As 24 hours without my Apple ID
approached, iMessage broke and my devices all started incessantly
complaining that the account was locked, amplifying an already frustrating
situation.

Figuring that maybe I'd just had bad luck with the phone, I tried Apple's
online chat service. I got the exact same answer; "We take your security
very seriously at Apple, but we cannot help in this situation." I pointed
out that the security page said otherwise, so the chat person put me on the
phone with an iTunes senior advisor.

After a few minutes of "uhhhh" on the other end of the phone, I got my third
"we take your security very seriously at Apple, this account will be
permanently disabled unless you can find the recovery key." I argued my
point that I had both my trusted devices and my password as required by the
support page, but was told this was irrelevant because someone else had
tried to get into my account.

I talked to a friend who knew people at Apple who told me that the security
folks said the iForgot page is final. There's nothing they can do.

Basically, I was locked out of my entire digital life, because someone had
tried to hack me. The irony of the fact that my increased security had
ultimately locked me out dawned on me, mixed with tiredness and frustration,
so after taking a moment to scream internally, I started furiously searching
ancient time machine backups.

As I searched the depths of my time machine backups and was on the phone for
the fifth (or even sixth) time to iCloud support, I found an old picture I'd
taken on my iPhone of a screen. It was my recovery key. I started crying
tears of joy at this point. The Apple rep on the phone started clapping and
was very glad to get out of continuing to argue with me.

The only time I've ever been glad to have taken a picture of my screen

If I hadn't managed to find this key or had never bothered to save it in the
first place, I would have lost the Apple ID forever. If I hadn't made a time
machine backup of my machine before it got corrupted earlier this year, I'd
have been out of luck entirely.

Apple support told me that the security lock doesn't expire, so there's no
way to get around requiring the key, even though its support site says you
can use trusted devices. You're simply not given that option when your
account is locked.

What's perplexing is it wasn't even technically my fault. Someone tried to
guess their way into my account and it was locked as a result; I didn't do
anything wrong, yet I was entirely locked out because I couldn't find the
key.

Apple's support page had given me false hope, because I expected to be able
to use a combination of my password and trusted devices to recover from
being locked out if it ever happened.

This isn't the case when your account is locked; what Apple doesn't tell you
is that when your account is locked (because of too many attempts) your
password is not a valid recovery option and you'll need your recovery key.

What if I was carrying the key in my wallet and I was robbed, like this poor
user on Stack Overflow? Apple still wouldn't (or couldn't) help you, because
it's "impossible" to recover an Apple ID without that key, according to its
support staff.

Apple's changing security policy
One has to wonder if it was previously possible, before Mat's social
engineering hack or the iCloud celebrity hackings took place, to recover a
two-factor enabled account by using Apple Support. The "we take your
security very seriously at Apple" line seems like it's been rehearsed and
drilled into the support staff's heads so that the same scandals don't
happen again.

I asked Apple PR about this situation, who told me that the support article
is correct. If you lose your recovery key with two factor enabled, you lose
your account. Apple can't help you.

I've learnt my lesson about treating recovery keys with extreme caution from
this. I never knew that I'd have no hope of recovery if it was lost; I'd
been lulled into a false sense of security, figuring that my trusted devices
would get me back into locked account.

>From now on, I'll know exactly where each recovery key is. I urge you to do
the same.

http://thenextweb.com/apple/2014/12/08/lost-apple-id-learnt-hard-way-careful
-two-factor-authentication/

-- 
You received this message because you are subscribed to the Google Groups 
"MacVisionaries" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to macvisionaries+unsubscr...@googlegroups.com.
To post to this group, send email to macvisionaries@googlegroups.com.
Visit this group at http://groups.google.com/group/macvisionaries.
For more options, visit https://groups.google.com/d/optout.

Reply via email to