What about setting up a Recovery Key? Is it useful?
So if one has the foresight to create a 28 digit Recovery Key IN ADVANCE and BEFORE the thief takes the phone (right after observing the user input his or her device passcode), it's apparently still currently of NO USE. Why? Because Apple allows the user of the phone (the thief) to invalidate any Recovery Key and generate a new one. So the thief, who has the passcode to the phone, goes in, changes the Apple ID Password and also generates a new replacement Recovery Key (and he only needs the passcode for the phone to do both of these actions!!!!) and signs the victim out of Find My and removes all of the victim's devices signed into iCloud.
The mistakes that Apple made are as follows: Apple should have instead required that:
(1) the Apple ID Password should not be able to be changed by the thief without entering the Recovery Key, assuming a Recovery Key was originally created before the iPhone was stolen, i.e. by the victim/true owner (currently, only the device passcode is required to change the Apple ID Password, and the thief already has the device passcode); and
(2) the thief should not be able to generate a new replacement 28 character Recovery Key (which invalidates the original Recovery Key and locks out the owner for good) UNLESS the thief provides the original Apple ID Password, which he does not have---he only has the device passcode.
In this way, the original Recovery Key is linked to the original Apple ID Password and neither the Recovery Key nor the Apple ID Password can be guessed or found by brute force. The true owner can then go to iCloud online and, using the Recovery Key, track the device and lock it remotely and erase it if desired.
I hope that a future iOS fixes this weakness in security.
P.S.: Screen Time passcodes protecting Accounts and Passcodes, as recommended by the recent WSJ article on this, won't work either. Why? Because there is downloadable 3rd party software called 4uKey, made in China, easily downloaded to a laptop that the thief has, which can strip the phone of the 4-digit Screen Time passcode in just a few clicks.
Apple needs to think this through more carefully. I believe my suggestions above solve the problem.
I'd appreciate a discussion about this from Apple and/or the Apple Community on this matter. Thank you in advance.
iPhone 14 Pro Max