This article was published on December 8, 2014

The dark side of Apple’s two-factor authentication

The dark side of Apple’s two-factor authentication
Owen Williams
Story by

Owen Williams

Former TNW employee

Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their word Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their words friendlier. In his spare time he codes, writes newsletters and cycles around the city.

Earlier this week, a strange message popped up on my Mac that I thought nothing of. “You can’t sign in because your account was disabled for security reasons.” I dismissed it in my tired haze, thinking it would solve itself and went to sleep.

The next morning, I didn’t have time to deal with the message — which was now popping up every half hour — for a few hours until it became annoying. I figured I’d done something dumb and broken iCloud, but that it could wait.

I’d turned two-factor on my Apple ID in haste when I read Mat Honan’s harrowing story about how his Mac, iPhone and other devices were wiped when someone broke into his iCloud account. That terrified me into thinking about real security for the first time.

When I finally had time to investigate the errors appearing on my machine, I discovered that not only had my iCloud account been locked, but someone had tried to break in. Two-factor had done its job and kept the attacker out, however, it had also inadvertently locked me out.

The Apple support page relating to lockouts assured me it would be easy to recover my account with a combination of any two of either my password, a trusted device or the two-factor authentication recovery key.

When I headed to the account recovery service, dubbed iForgot, I discovered that there was no way back in without my recovery key. That’s when it hit me; I had no idea where my recovery key was or if I’d ever even put the piece of paper in a safe place. I’ve moved since I set up two-factor on iCloud.

Screenshot step 1 Apple ID verification

I began nervously scouring the entire house for the code, before giving up after a few frustrating hours and began searching my computer for any trace of it. I found countless “recovery keys” but they weren’t for the right things; for my Mac’s hard-drive encryption, Twitter, Facebook and other accounts, but not for my Apple ID.

How could I be foolish enough to misplace my Apple ID verification recovery key?

I swore that I’d taken a screenshot, printed it and had taken a photo of it with my iPhone for extra safekeeping.

This is when it began to sink in that this single ID held the keys to much of my digital life; everything from iTunes purchases going back seven years, app purchases and even the ability to get my iPhone out of the grips of Find my iPhone’s lock.

The sinking feeling began. After fruitlessly searching and a lot of cussing, I decided to call Apple. I figured that something must be wrong, since the support page claims you can use trusted devices to recover your ID in cases like this.

The first person I spoke to told me immediately after getting on the phone that in no uncertain terms I had forfeit my Apple ID by losing the recovery key. He refused to help me. I hung up and called back.

On the second call, I got a lovely woman who totally understood my plight and how terrible it was. She told me a similar thing had happened to her, and it had turned out OK. After 20 minutes of poking around and lots of awkward sighing, she put me on hold to talk to a senior manager.

When she got back on the line, the story was just as bleak. “We take your security very seriously at Apple” she told me “but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID.”

I couldn’t believe what I was hearing and fought back that surely there was some other way, but I was told point blank that Apple would not help me. I offered a scan of my government ID, my trusted devices and other proof that it was me. Nope, that won’t do for Apple in this situation. She apologized profusely and said there was nothing more should do.

Screenshot lost recovery key Apple's Two-Factor Authentication

Furious about the situation, I took to Twitter in a fit of rage, complaining that Apple couldn’t help me out of a dumb situation, in which I could easily prove who I was. It was frustrating enough that when setting up my Apple ID, the company assured me I could recover the account with a trusted device.

I know it was stupid that I’d lost the recovery key but I’d set it up so long ago I couldn’t remember where it would conceivably be. There’s only so many things I can keep track of. Besides, I figured I’d be able to use trusted device to get out of a mess like this.

I’d looked almost everywhere twice by this point. Who remembers stuff like this?

Apple’s two factor authentication signup process tries to point out the importance of the key when you set it up.

You have to print the key, then re-enter it to show that you’ve got it. I don’t think this step existed when it launched.

So, I pushed on, resuming the hunt. As 24 hours without my Apple ID approached, iMessage broke and my devices all started incessantly complaining that the account was locked, amplifying an already frustrating situation.

Figuring that maybe I’d just had bad luck with the phone, I tried Apple’s online chat service. I got the exact same answer; “We take your security very seriously at Apple, but we cannot help in this situation.” I pointed out that the security page said otherwise, so the chat person put me on the phone with an iTunes senior advisor.

After a few minutes of “uhhhh” on the other end of the phone, I got my third “we take your security very seriously at Apple, this account will be permanently disabled unless you can find the recovery key.” I argued my point that I had both my trusted devices and my password as required by the support page, but was told this was irrelevant because someone else had tried to get into my account.

I talked to a friend who knew people at Apple who told me that the security folks said the iForgot page is final. There’s nothing they can do.

Basically, I was locked out of my entire digital life, because someone had tried to hack me. The irony of the fact that my increased security had ultimately locked me out dawned on me, mixed with tiredness and frustration, so after taking a moment to scream internally, I started furiously searching ancient time machine backups.

As I searched the depths of my time machine backups and was on the phone for the fifth (or even sixth) time to iCloud support, I found an old picture I’d taken on my iPhone of a screen. It was my recovery key. I started crying tears of joy at this point. The Apple rep on the phone started clapping and was very glad to get out of continuing to argue with me.

Screenshot recovery key Apple ID verification
The only time I’ve ever been glad to have taken a picture of my screen

If I hadn’t managed to find this key or had never bothered to save it in the first place, I would have lost the Apple ID forever. If I hadn’t made a time machine backup of my machine before it got corrupted earlier this year, I’d have been out of luck entirely.

Apple support told me that the security lock doesn’t expire, so there’s no way to get around requiring the key, even though its support site says you can use trusted devices. You’re simply not given that option when your account is locked.

What’s perplexing is it wasn’t even technically my fault. Someone tried to guess their way into my account and it was locked as a result; I didn’t do anything wrong, yet I was entirely locked out because I couldn’t find the key.

Apple’s support page had given me false hope, because I expected to be able to use a combination of my password and trusted devices to recover from being locked out if it ever happened.

This isn’t the case when your account is locked; what Apple doesn’t tell you is that when your account is locked (because of too many attempts) your password is not a valid recovery option and you’ll need your recovery key.

What if I was carrying the key in my wallet and I was robbed, like this poor user on Stack Overflow? Apple still wouldn’t (or couldn’t) help you, because it’s “impossible” to recover an Apple ID without that key, according to its support staff.

Apple’s changing security policy

One has to wonder if it was previously possible, before Mat’s social engineering hack or the iCloud celebrity hackings took place, to recover a two-factor enabled account by using Apple Support. The “we take your security very seriously at Apple” line seems like it’s been rehearsed and drilled into the support staff’s heads so that the same scandals don’t happen again.

I asked Apple PR about this situation, who told me that the support article is correct. If you lose your recovery key with two factor enabled, you lose your account. Apple can’t help you.

I’ve learnt my lesson about treating recovery keys with extreme caution from this. I never knew that I’d have no hope of recovery if it was lost; I’d been lulled into a false sense of security, figuring that my trusted devices would get me back into locked account.

From now on, I’ll know exactly where each recovery key is. I urge you to do the same.

Read Next: Was this the security flaw that lead to the iCloud hacks?

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with