Without your Recovery Key, your Apple ID could be lost forever
Here’s a question that could change the rest of your digital life: Where is the Recovery Key for your Apple ID account?
If you haven’t enabled two-step verification on your Apple ID (or on multiple such accounts), you don’t have to answer that question, because you don’t have such an animal. If you have turned on this extra account protection, that question is vital, but don’t panic quite yet if you don’t have an answer.
Owen Williams of The Next Web documented the many hours of cold sweats he went through after someone attempted to crack his account, and Apple disabled normal access, as described in this support document. He couldn’t find his Recovery Key, and Apple said without it, his account data and access would be lost forever.
And that’s true. Apple has designed its two-step recovery system, just like iOS 8’s passcode protection and Mac OS X’s FileVault encryption, so that if the necessary credentials are lost, the firm cannot recover your data. It’s not just being perverse. Apple doesn’t retain information in a way that lets it gain access without key pieces of data or devices only you possess. If it has the secrets, then attackers can gain them, too, or it can be compelled to surrender them to government agents. (The one exception: FileVault offers an escrow option for your drive recovery key, but even then you have to provide precise information to Apple to unlock the encryption that’s surrounding your key.)
The fact that an attacked account is locked means that a malicious party could even weaponize that behavior into you losing your account access forever if you don’t know where you stashed your Recovery Key. Some of us set up two-factor authentication nearly two years ago when Apple first offered it.
It’s time to rummage through your records and make sure you have what you need to prevent someone’s attempt to poke your account—or you fumble-finger entering the wrong password a few too many times in a row—into a digital-life disaster. If you can’t find it, it’s past time to reset your Recovery Key and figure out a better way to retain it.
(Owen had a happy ending: Digging through Time Machine backups, he eventually found a picture he’d taken that had the key and was able to get back into his account.)
Recovery Key is your last-ditch effort
Apple built two-step verification around the notion that you’ll always have access to at least two of three things: your password, a trusted device, and your Recovery Key. If you lose your password, you enter the Recovery Key and get a message on a trusted iOS device or phone. If you lose all your trusted devices, you can use your password and Recovery Key to add new ones. Lose the Recovery Key, and you can log in and generate a new one.
However, this goes out the window if someone repeatedly enters the wrong password for your Apple ID into any of the places that Apple lets you use that account information. It’s as if your password were lost, because Apple has thrown it away. Now you absolutely need the Recovery Key, plus a trusted device.
It’s unlikely you’ll find yourself without all trusted devices, because Apple requires that you use SMS with at least one phone number, and a phone number isn’t tied to a physical device. In fact, if you can’t find your phone, and you’ve got iOS 8 installed on it, Yosemite on your Mac, and the phone remains logged into the same iCloud account as your Mac, SMS forwarding will deliver a trusted-device token right to the Mac OS X Messages app. (I raised some minor security issues about SMS forwarding a few weeks ago.) You can also get a carrier to put the number on another phone.
But that still means you need your Recovery Key. If you’re using two-step verification, likely because you’ve read this far, where is it? Did you print it out, take a photo, stash it in a password or data storage program? Tattoo it on your bicep? Do you know? If you can’t find it in less than five minutes, it’s time to reset it.
Go to the Apple ID page, click Manage Your Apple ID, and log in, if you haven’t already. Now you can click the Password and Security item in the left navigation bar, and click Replace Lost Key. Follow the steps here, and your old Recovery Key is made invalid and a new one created.
Now, whether or not you just reset your Recovery Key, you need to keep good track of it from now on. And you need to ask yourself whether anyone else you know or any other location can be trusted with it, so that you’re not a single point of failure. By itself, a Recovery Key has no value: someone needs that plus one of your trusted devices or your password.
Thus, it would be smartest to put a backup copy (not the only copy!) somewhere that you can gain access to it, but someone else can’t, even if they hold it for you. Encrypt the key using ZIP-based archive encryption or an encrypted disk image via Disk Utility, put that on a USB flash drive, and give it to a friend or partner. Print it out, place it in an envelope, and put it into a safe-deposit box, or perhaps tape it into a drawer at your parents’ or children’s house. (For years, an old roommate and I had our alarm system emergency disable word taped inside a bookshelf for when we triggered it and inevitably forget it.)
This is certainly a significant drawback to Apple’s two-step verification: it’s actually so strong, that you can find yourself locked out when you haven’t reset your password—when you’re the victim of an attack. You can avoid this by making sure you know precisely where your Recovery Key is from now on.
Glenn Fleishman is the editor and publisher of The Magazine, a regular contributor to Boing Boing and The Economist, and a senior contributor to Macworld.