Apple’s Too-Good Recovery Key Security

As systems get more secure, the biggest fear of many end-users is that they will be inadvertently locked out. The lack of a human override capability can be frightening. Into this fray enters Apple and a recovery key hole created by Apple ID two-factor authentication.

The problem, as detailed in this first-person account on The Next Web, is that Apple promises users that an access problem can be resolved by using two of the following: a password, a trusted device or the two-factor recovery key. What Apple didn’t say is that this doesn’t work if someone—yourself or an evil would-be thief—continues to try incorrect passwords and the account gets locked. When that happens—even though the user is not necessarily at fault—the recovery key is essential. Without it, the user is locked out forever and will lose access to their digital life. Their only option? Create a new Apple ID and start their digital life over again.

The victim in the Next Web story, Owen Williams, eventually got back in because he miraculously found his digital ID. It seems that he had taken a picture of it from his screen and saved it into his phone. But he only found that image in an old backup of his computer.

“I was locked out of my entire digital life because someone had tried to hack me. The irony of the fact that my increased security had ultimately locked me out dawned on me, mixed with tiredness and frustration, so after taking a moment to scream internally, I started furiously searching ancient time machine backups.”

Although the easy takeaway is for users to take extreme care of their recovery key (a copy of mine is now being printed out, laminated and placed into my bank’s safe deposit box), this raises a more interesting question. Shouldn’t companies have a mechanism—albeit time-consuming and cumbersome—for overriding such lockouts?

“I couldn’t believe what I was hearing and fought back that surely there was some other way, but I was told point blank that Apple would not help me. I offered a scan of my government ID, my trusted devices and other proof that it was me. Nope, that won’t do for Apple in this situation. She (customer service rep) apologized profusely and said there was nothing more she could do.”

But shouldn’t there be a method? Perhaps an in-person visit to the Apple store and a requirement to bring a half-dozen different forms of ID? Blood draws and DNA testing? Submitting to an Apple-chosen private investigator’s probe to verify you are who you claim to be? All at cost to the user, presumably.

To have no fallback at all if a customer uses a recovery key seems ill-advised.