While Apple’s two-factor authentication used to reset a password does provide additional security to a user’s Apple ID, it also makes it virtually impossible to reset your password or access your account in the event that your account has been hacked and you forget your recovery key.
The system requires a user to have a second “trusted” device that is used to verify a user’s identity in addition to an extra security code called the “Recovery Key”. However, in a new account from The Next Web’s Owen Williams, that Recovery Key also has the potential to completely lock a person out of their account if they’re being hacked.
When an outside party attempted to hack Williams’ account, Apple’s two-factor system kicked in, and locked his account to deny entry to the would-be violator. It also locked Williams out of the account. He went to iForgot, Apple’s account recovery service, he discovered there was no way back in without his recovery key.
Unfortunately, Williams didn’t remember his recovery key, and had no idea what he’s done with the piece of paper he’d written it down on and then secured in a safe place. (He had moved in the interim.)
Williams called Apple customer support, and was told that without the recovery key, he was basically locked out of his account forever, and Apple couldn’t help him. Unwilling to accept this, he called back a second time.
When she got back on the line, the story was just as bleak. “We take your security very seriously at Apple” she told me “but at this time we cannot grant you access back into your Apple account. We recommend you create a new Apple ID.”
Eventually Williams was able to recover a screenshot he had taken of the recovery key, by digging into the “depths” of his Time Machine backups, and thus regained access to his “digital life” in iCloud.
Lesson Learned: Take care in recording and remembering your Recovery Key! If you lose it, you’re basically screwed, and Apple can’t help you. For a full account of Williams adventures in two-factor land, visit The Next Web.