seilche

Q: Can I use account recovery with two-step verification?

I was reading about how you can regain access to your account with two-factor authentication.

Regain access to your Apple ID with two-factor authentication account recovery - Apple Support

Since two-factor authentication is not available for my account yet, I was looking into setting up two-step verification.

Is there any type of account recovery available for two-step verification users?

Or is this option only available for two-factor authentication users?

I would like to add further security to my account, but would first like to determine what the recovery options are.

From my understanding there is not an account recovery option for two-step verification users.

If anyone could please confirm that would be great.

iPhone 6, iOS 9.2

Posted on Dec 17, 2015 8:02 PM


  • by sberman, Apple recommended

    sberman Dec 17, 2015 9:27 PM in response to seilche
    Level 8 (41,036 points)

    "Recovery"?  What exactly are you afraid of losing and needing to recover?  Your password?  No, two-step verification cannot help you there.  The approach is quite different from two-factor authentication:

    Frequently asked questions about two-step verification for Apple ID - Apple Support

  • by seilche

    seilche Dec 18, 2015 9:16 AM in response to sberman
    Level 1 (0 points)

    Hello sberman,

    Thanks for the reply. I wanted to confirm that if I lost my password and recovery code then there is no way to access my Apple account when using two-step verification. In comparison to two-factor authentication which does have an account recovery process if you are unable to access your account.

  • by sberman

    sberman Dec 18, 2015 2:40 PM in response to seilche
    Level 8 (41,036 points)

    As the article I attached above states, if you lose both your password and recovery code with two-step verification, you would have a problem. You need to avoid losing two of the following items simultaneously:

    • Password
    • Recovery key
    • Trusted devices

    You can recover from losing one of these, but not two.

    Frankly, I cannot imagine any circumstances (even something as drastic as a stroke or other medical emergency) in which a person would lose more than one of these security items.

  • by happyadam, Solved answer

    happyadam Dec 26, 2015 7:20 PM in response to sberman
    Level 1 (40 points)

    Can you confirm that this is the case if someone locks out your account (either accidentally or maliciously) - there are some reports that the following issue may have been addressed but I still feel uncomfortable about this:

    Use Case 1: User knows their password, and they have one of their trusted devices. However, they have either lost their recovery key (through fire, negligence, etc.) or Apple have screwed up (there are reports of invalid recovery keys or keys not working in the past, and let's face it Apple aren't 100%).

    Solution: This is typically OK, you can still log on and request a new recovery key. However, if someone locks your account, then apparently the DS Lockout is infinite for 2-step verification (need confirmation this has been fixed - it is 24 hours for non-2-step accounts apparently). At this point, you're now permanently locked out of your Apple ID even though you know your password and have a trusted device. This use case is NOT obvious but does happen and there are no warnings from Apple that this can and has happened. More details of this happening: http://thenextweb.com/apple/2014/12/08/lost-apple-id-learnt-hard-way-careful-two-factor-authentication/

    Use Case 2: User knows their password, and they have a valid recovery key. However, they have either lost their one and only trusted device, or it's been stolen/destroyed, etc. (house fire for example takes out all your devices, but luckily you kept an offsite backup of your recovery key).

    Solution: This is typically OK, you can log on with a non-trusted device and use the recovery key to then add it. However, if someone locks your account - are you still OK? You have the recovery key, but you don't have a trusted device in order to reset your account/password. I've not heard of this happening, but again I'd like confirmation that this situation is handled.

    It seems a perfectly fine approach from Apple to require 2 of 3 factors to commence recovery. However, there are scenarios where this has not worked in the past and I'd like to know if Apple has addressed them. People can lose one of these factors through no fault of their own no matter how safe/sensible they've been. But it seems that if you lose one of these factors, and someone locks you out of your account (or more likely one of your Apple devices using an old keychain - again bugs do happen), you're stuck, even though Apple can quite securely address this by temporarily enabling the account after a timeout (which they may now be doing, but I have no way of determining).

    The fact is that people are being scared off using Apple's Two Step Verification process because they don't trust Apple will handle a secure recovery in all cases even if someone has 2 factors and can produce further evidence. This seems to have been acknowledged by Apple in introducing the 2 Factor Authentication method which doesn't require recovery keys.

    My Apple ID is very important to me for 2 reasons: my primary email address (since 2001), and my developer account. Yes it would mean cancelling my credit card in order to suspend my subscriptions but that's in my control. However, losing my primary email and developer account through no apparent fault of my own scares the **** out of me! I've not been offered 2FA, and am in two minds whether to switch off 2-step verification.

  • by seilche

    seilche Dec 26, 2015 7:22 PM in response to happyadam
    Level 1 (0 points)

    Thanks for the response. You outlined all of the concerns I have about the Two Step Verification. Well said!