Losing Two-Factor Recovery Key Could Permanently Lock Apple ID

by

In March 2013, Apple introduced two-factor authentication to provide additional security for Apple IDs. It expanded the feature to several new countries earlier this year and introduced it to the company's iCloud.com website this September. This was after CEO Tim Cook promised to broaden use of its two-factor authentication system in the wake of a hacking incident that saw several celebrities' iCloud accounts hacked.

recoverykey
The system requires a user to have a second "trusted" device that is used to verify a user's identity in addition to an extra security code called the "Recovery Key". However, in a new account from The Next Web's Owen Williams, that Recovery Key also has the potential to completely lock a person out of their account if they're being hacked.

Williams found that someone had tried to hack his iCloud account. Apple's two-factor system kicked in and locked the account, denying entry to the would-be hacker while also denying entry to Williams. When he went to iForgot, Apple's account recovery service, he assumed two of his password, Recovery Key or trusted device would unlock his account, as he was led to believe by an Apple Support document.

When I headed to the account recovery service, dubbed iForgot, I discovered that there was no way back in without my recovery key. That’s when it hit me; I had no idea where my recovery key was or if I’d ever even put the piece of paper in a safe place. I’ve moved since I set up two-factor on iCloud.

Williams contends he took a screenshot of the Recovery Key and printed that out as well as taking a photo on his iPhone to keep as a backup, but could not locate either and was on the verge of losing his "digital life". He called Apple customer support and was told  that he had forfeited his Apple ID by losing his Recovery Key and that there was no way Apple could help him. He called back a second time.

When she got back on the line, the story was just as bleak. “We take your security very seriously at Apple” she told me “but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID.”

After a couple more days of talking to Apple customer support and even friends who worked at Apple, he continued to receive same responses: he was locked out of his account due to someone trying to hack into it and couldn't unlock it without a Recovery Key even though Apple's support document says it's possible with a trusted device. Eventually, Williams located his Recovery Key in what he calls the "depths" of his Time Machine backup, allowing him to finally unlock his account.

Williams concludes with a warning that anyone with two-factor authentication should take far greater care in protecting and remembering where they store their Recovery Keys, as losing it could permanently lock a user out of their Apple ID with Apple unable to do anything to help. The entire account, which is a fascinating and worthwhile read, can be read at The Next Web.

Popular Stories

New Things Your iPhone Can Do in iOS 18

18 New Things Your iPhone Can Do in iOS 18.2

Wednesday November 13, 2024 2:09 am PST by
Apple is set to release iOS 18.2 next month, bringing the second round of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update brings several major advancements to Apple's AI integration, including completely new image generation tools and a range of Visual Intelligence-based enhancements. There are a handful of new non-AI related feature controls incoming as well....
Read Full Article25 comments
airtag purple

New AirTag Rumored to Launch in Mid-2025 With These Features

Sunday November 17, 2024 5:18 am PST by
Apple released the AirTag in April 2021, so it is now three over and a half years old. While the AirTag has not received any hardware updates since then, a new version of the item tracking accessory is rumored to be in development. Below, we recap rumors about a second-generation AirTag. Timing Apple is aiming to release a new AirTag in mid-2025, according to Bloomberg's Mark Gurman....
Read Full Article52 comments
M4 MacBook Pros Thumb

M4 MacBook Pro Uses Quantum Dot Display Technology

Thursday November 14, 2024 4:19 pm PST by
The M4 MacBook Pro models feature quantum dot display technology, according to display analyst Ross Young. Apple used a quantum dot film instead of a red KSF phosphor film, a change that provides more vibrant, accurate color results. Young says that Apple has opted for KSF for prior MacBook Pro models because it doesn't use toxic element cadmium (typical for quantum dot) and is more...
Read Full Article98 comments
iCloud General Feature

Apple Acknowledges iCloud Notes Disappearing and Explains How to Fix

Saturday November 16, 2024 9:45 am PST by
Earlier this month, we reported about some iPhone users temporarily losing all of their notes in the Notes app after accepting Apple's updated iCloud terms and conditions. Apple has now indirectly acknowledged this issue in a new support document that outlines steps to follow if your iCloud notes are not appearing on your iPhone, iPad, or Vision Pro. Fortunately, the notes can be re-synced...
Read Full Article59 comments
iPhone XS Max Black Background

Apple Adds iPhone XS Max and More to Vintage/Obsolete Product Lists

Friday November 15, 2024 8:09 am PST by
Apple today added a few older iPhone and Apple Watch models to the vintage and obsolete products list on its website. Apple has now classified the iPhone 6s Plus and iPhone XS Max as "vintage" worldwide. Apple considers a device to be "vintage" once five years have passed since the company stopped distributing it for sale. Apple and Apple Authorized Service Providers sometimes offer repairs...
Read Full Article70 comments

Top Rated Comments

kitsap2 Avatar
kitsap2
130 months ago
Breaking News!

System works as designed!
Score: 101 Votes (Like | Disagree)
leman Avatar
leman
130 months ago
I am also confused how this is news. Apple explicitly states that losing the key will make the recovery impossible. And anyway, do you want secure accounts or not? If yes, then you are personally responsible for your stuff. Putting this silly article on MacRumours is entirely pointless.
Score: 29 Votes (Like | Disagree)
lolkthxbai Avatar
lolkthxbai
130 months ago
Extra! Extra! Read all about it! Man discovers responsibility!
Score: 28 Votes (Like | Disagree)
Rigby Avatar
Rigby
130 months ago
Two-Factor Authentication is just that:
A user will need 2 out of the 3;
1. Password
2. Device
3. Recovery Key

The name of service describes it.
Except that it apparently doesn't work that way if Apple decides to lock your account due to hack attempts. In that case you have to have the recovery key, even if you have the 2 other factors. I think it is a bit draconian to permanently lock the account like that, given the value attached to it (you could lose not only your iTunes purchases, email, cloud documents etc., but also effectively brick your devices if you use Find my iPhone and need to restore a device for some reason).

They could perhaps release the lock after 48 hours, or unlock the account if you supply password, trusted device, and some additional verification (like showing a photo ID at an Apple store or sending a verification code to an alternate email address).
Score: 26 Votes (Like | Disagree)
swingerofbirch Avatar
swingerofbirch
130 months ago
Almost all the posts in here are incorrect about the purpose of the Recovery Key.

The Recovery Key is required if you forget your Apple ID password or lose access to a trusted device.

According to this article, the person in question knew his password and had a trusted device. He shouldn't have needed the Recovery Key.

The only thing Apple says about an account being compromised is that you need to reset your Apple ID password. And it says nothing about needing a Recovery Key to do that.
Score: 26 Votes (Like | Disagree)
TheJae Avatar
TheJae
130 months ago
So now they are saying Apple is too strict?
Score: 26 Votes (Like | Disagree)
Read All Comments