Alternative option, put some of this on a pen drive and don't leave it connected to a computer. I have 2 on a keyring which live in a desk drawer.

----- Original Message -----
From: "Joseph" <[email protected]>
To: <[email protected]>
Sent: Tuesday, December 09, 2014 9:22 PM
Subject: Re: The dark side of Apple's two-factor authentication

Hello List,

The only thing I'd suggest regarding your recovery key is this. Don't store it on a computer device. Reason? What if the computer with the key on it crashes? I'd write it down somewhere or print it out and keep a copy of the key somewhere. While I use 2 step verification, I see the recovery key as being a condition critical situation and treat it as such.

> On Dec 9, 2014, at 1:15 PM, Ray Foret Jr <[email protected]> wrote:
>
> Mark, many thanks for this very concerning article. I have already saved it on my Mac. Very timely, and, as I think, a great service to us all. Again, thank you.
>
> Sincerely,
> The Constantly barefooted Ray,
>
> Still a very happy Mac, Verizon Wireless iPhone 6+ and Apple TV user!
>
> Sent from my iPhone,
> the only smart phone with full accessibility for the blind built-in
>
> On Dec 9, 2014, at 2:10 PM, M. Taylor <[email protected]> wrote:
>
>> Hello Everyone,
>>
>> I strongly suggest that you read the following article, very carefully.
>>
>> The link to the original post may be found at the end of the text.
>>
>> Mark
>>
>> The dark side of Apple's two-factor authentication
>>
>> Earlier this week, a strange message popped up on my Mac that I thought nothing of. "You can't sign in because your account was disabled for security reasons." I dismissed it in my tired haze, thinking it would solve itself and went to sleep.
>>
>> The next morning, I didn't have time to deal with the message - which was now popping up every half hour - for a few hours until it became annoying. I figured I'd done something dumb and broken iCloud, but that it could wait.
>>
>> I'd turned two-factor on my Apple ID in haste when I read Mat Honan's harrowing story about how his Mac, iPhone and other devices were wiped when someone broke into his iCloud account. That terrified me into thinking about real security for the first time.
>>
>> When I finally had time to investigate the errors appearing on my machine, I discovered that not only had my iCloud account been locked, but someone had tried to break in. Two-factor had done its job and kept the attacker out, however, it had also inadvertently locked me out.
>>
>> The Apple support page relating to lockouts assured me it would be easy to recover my account with a combination of any two of either my password, a trusted device or the two-factor recovery key.
>>
>> When I headed to the account recovery service, dubbed iForgot, I discovered that there was no way back in without my recovery key. That's when it hit me; I had no idea where my recovery key was or if I'd ever even put the piece of paper in a safe place. I've moved since I set up two-factor on iCloud.
>>
>> I began nervously scouring the entire house for the code, before giving up after a few frustrating hours and began searching my computer for any trace of it. I found countless "recovery keys" but they weren't for the right things; for my Mac's hard-drive encryption, Twitter, Facebook and other accounts, but not for my Apple ID.
>>
>> How could I be foolish enough to misplace my Apple ID recovery key? I swore that I'd taken a screenshot, printed it and had taken a photo of it with my iPhone for extra safekeeping.
>>
>> This is when it began to sink in that this single ID held the keys to much of my digital life; everything from iTunes purchases going back seven years, app purchases and even the ability to get my iPhone out of the grips of Find my iPhone's lock.
>>
>> The sinking feeling began. After fruitlessly searching and a lot of cussing, I decided to call Apple. I figured that something must be wrong, since the support page claims you can use trusted devices to recover your ID in cases like this.
>>
>> The first person I spoke to told me immediately after getting on the phone that in no uncertain terms I had forfeit my Apple ID by losing the recovery key. He refused to help me. I hung up and called back.
>>
>> On the second call, I got a lovely woman who totally understood my plight and how terrible it was. She told me a similar thing had happened to her, and it had turned out OK. After 20 minutes of poking around and lots of awkward sighing, she put me on hold to talk to a senior manager.
>>
>> When she got back on the line, the story was just as bleak. "We take your security very seriously at Apple" she told me "but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID."
>>
>> I couldn't believe what I was hearing and fought back that surely there was some other way, but I was told point blank that Apple would not help me. I offered a scan of my government ID, my trusted devices and other proof that it was me. Nope, that won't do for Apple in this situation. She apologized profusely and said there was nothing more she could do.
>>
>> Furious about the situation, I took to Twitter in a fit of rage, complaining that Apple couldn't help me out of a dumb situation, in which I could easily prove who I was. It was frustrating enough that when setting up my Apple ID, the company assured me I could recover the account with a trusted device.
>>
>> I know it was stupid that I'd lost the recovery key but I'd set it up so long ago I couldn't remember where it would conceivably be. There's only so many things I can keep track of. Besides, I figured I'd be able to use a trusted device to get out of a mess like this.
>>
>> I'd looked almost everywhere twice by this point. Who remembers stuff like this?
>>
>> Apple's two factor signup process tries to point out the importance of the key when you set it up.
>> You have to print the key, then re-enter it to show that you've got it. I don't think this step existed when it launched.
>>
>> So, I pushed on, resuming the hunt. As 24 hours without my Apple ID approached, iMessage broke and my devices all started incessantly complaining that the account was locked, amplifying an already frustrating situation.
>>
>> Figuring that maybe I'd just had bad luck with the phone, I tried Apple's online chat service. I got the exact same answer; "We take your security very seriously at Apple, but we cannot help in this situation." I pointed out that the security page said otherwise, so the chat person put me on the phone with an iTunes senior advisor.
>>
>> After a few minutes of "uhhhh" on the other end of the phone, I got my third "we take your security very seriously at Apple, this account will be permanently disabled unless you can find the recovery key." I argued my point that I had both my trusted devices and my password as required by the support page, but was told this was irrelevant because someone else had tried to get into my account.
>>
>> I talked to a friend who knew people at Apple who told me that the security folks said the iForgot page is final. There's nothing they can do.
>>
>> Basically, I was locked out of my entire digital life, because someone had tried to hack me. The irony of the fact that my increased security had ultimately locked me out dawned on me, mixed with tiredness and frustration, so after taking a moment to scream internally, I started furiously searching ancient time machine backups.
>>
>> As I searched the depths of my time machine backups and was on the phone for the fifth (or even sixth) time to iCloud support, I found an old picture I'd taken on my iPhone of a screen. It was my recovery key. I started crying tears of joy at this point.
>> The Apple rep on the phone started clapping and was very glad to get out of continuing to argue with me.
>>
>> The only time I've ever been glad to have taken a picture of my screen
>>
>> If I hadn't managed to find this key or had never bothered to save it in the first place, I would have lost the Apple ID forever. If I hadn't made a time machine backup of my machine before it got corrupted earlier this year, I'd have been out of luck entirely.
>>
>> Apple support told me that the security lock doesn't expire, so there's no way to get around requiring the key, even though its support site says you can use trusted devices. You're simply not given that option when your account is locked.
>>
>> What's perplexing is it wasn't even technically my fault. Someone tried to guess their way into my account and it was locked as a result; I didn't do anything wrong, yet I was entirely locked out because I couldn't find the key.
>>
>> Apple's support page had given me false hope, because I expected to be able to use a combination of my password and trusted devices to recover from being locked out if it ever happened.
>>
>> This isn't the case when your account is locked; what Apple doesn't tell you is that when your account is locked (because of too many attempts) your password is not a valid recovery option and you'll need your recovery key.
>>
>> What if I was carrying the key in my wallet and I was robbed, like this poor user on Stack Overflow? Apple still wouldn't (or couldn't) help you, because it's "impossible" to recover an Apple ID without that key, according to its support staff.
>>
>> Apple's changing security policy
>>
>> One has to wonder if it was previously possible, before Mat's social engineering hack or the iCloud celebrity hackings took place, to recover a two-factor enabled account by using Apple Support.
>> The "we take your security very seriously at Apple" line seems like it's been rehearsed and drilled into the support staff's heads so that the same scandals don't happen again.
>>
>> I asked Apple PR about this situation, who told me that the support article is correct. If you lose your recovery key with two factor enabled, you lose your account. Apple can't help you.
>>
>> I've learnt my lesson about treating recovery keys with extreme caution from this. I never knew that I'd have no hope of recovery if it was lost; I'd been lulled into a false sense of security, figuring that my trusted devices would get me back into a locked account.
>>
>> From now on, I'll know exactly where each recovery key is. I urge you to do the same.
>>
>> http://thenextweb.com/apple/2014/12/08/lost-apple-id-learnt-hard-way-careful-two-factor-authentication/
>>
>> --
>> You received this message because you are subscribed to the Google Groups "MacVisionaries" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/macvisionaries.
>> For more options, visit https://groups.google.com/d/optout.
