More than one year ago, Apple introduced the two-step verification system to implement a two-factor authentication process and improve security for Apple IDs. Since March 2013, Apple has progressively extended the two-step verification system to other countries and has introduced the feature to protect other services offered by the company, including the Apple the Fappening case. In September, CEO Tim Cook announced the imminent implementation of a two-factor authentication mechanism to protect access to the iCloud service from a mobile device that was effective with iOS 8.0.
Login to the iCloud service from iPhones and iPads will be allowed to users in possession of the Apple ID and password pair, plus an authentication code sent to the device through SMS or generated at the time of sign-up. Tim Cook highlighted the great importance Apple places on user privacy, confirming that the company will do even more to protect users’ data.
The two-step verification system requires a user to provide the number of a second “trusted” device that is used to verify the user’s identity, in addition to an extra security code called the “Recovery Key”. The Next Web reporter Owen Williams explained that the Recovery Key mechanism could completely lock a person out of their Apple account if they’re being hacked.
Williams discovered that someone had tried to hack his Apple iCloud account despite Apple’s two-step verification system. The mechanism correctly prevented the unauthorized access and blocked the account, unfortunately denying access to both the would-be hacker and Williams.
“Earlier this week, a strange message popped up on my Mac that I thought nothing of. “You can’t sign in because your account was disabled for security reasons.” I dismissed it in my tired haze, thinking it would solve itself and went to sleep.” states the post on TheNextWeb.
The reporter then tried to recover the password with the Apple iForgot procedure. To unlock the account, he expected to be asked for the Recovery Key or the number of a trusted device, as he was led to believe by an Apple Support document, but he was wrong.
“The Apple support page relating to lockouts assured me it would be easy to recover my account with a combination of any two of either my password, a trusted device or the two-factor recovery key. When I headed to the account recovery service, dubbed iForgot, I discovered that there was no way back in without my recovery key. That’s when it hit me; I had no idea where my recovery key was or if I’d ever even put the piece of paper in a safe place. I’ve moved since I set up two-factor on iCloud.” states the post.
Unfortunately, Williams was not able to retrieve a screenshot or a print copy of the Recovery Key he had taken for extra safekeeping. He then contacted Apple customer support and was told that there was no way Apple could help him, even though he offered a scan of his government ID, his trusted devices and other proof that it was him.
In a second call he made to support, he received the following reply:
“We take your security very seriously at Apple” she told me “but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID.”
After a couple more days of talking to Apple customer support, the reporter discovered that it was impossible to unlock the account without a Recovery Key even though Apple’s support document explains that it is possible with a trusted device.
Williams shared his experience on the web, warning readers about the possible consequences of how they manage the Apple Recovery Key for the two-step verification system. Williams explained that losing the recovery key could permanently lock a user out of their Apple ID, with Apple unable to do anything to help.
“I know it was stupid that I’d lost the recovery key but I’d set it up so long ago I couldn’t remember where it would conceivably be. There’s only so many things I can keep track of. Besides, I figured I’d be able to use trusted device to get out of a mess like this.” he said.
Manage your two-step verification system now, before an attack forces you to do it under difficult conditions.
(Security Affairs – Apple, two-step verification system)