Tune up your two-step Recovery Key

Do you even know where your Recovery Key is?

iphone security stock

If you’re using Apple’s two-step verification system for logins, I have just one (not two) questions for you: do you know where your Recovery Key is?

A friend recently went through a multi-week set of interlocked problems when he was locked out of his Apple ID account on his iPhone, and couldn’t find his Recovery Key. He wasn’t ultimately able to get Apple to unlock his account. (During this period, his phone also locked up for a few days and he couldn’t receive texts or alerts, either.)

He had forgotten he’d enabled two-step verification, which is the older of Apple’s two methods of using a second piece of information to validate that you’re the accountholder. With the two-step system, Apple uses something akin to Find My iPhone to provide a code on your iOS devices or sends an SMS that you use to complete your login.

If you can’t remember your password, you need to have two other things to hand: a Recovery Key generated at the time you enabled two step, and access to one of the account’s trusted devices, which can be iOS devices or a phone that can receive an SMS. Your Apple ID can also be locked for reasons out of your control, such as someone trying to hack your account, and you won’t be able to log in with the password. If you wind up without your Recovery Key, all was lost.

So…can you find your Recovery Key right now? No? You’ve got three choices:

Disable two-step verification at appleid.apple.com. This reduces your protection against someone guessing or obtaining your password, but you won’t get locked out.

Reset your Recovery key. Generating a new Recovery Key while you retain access to your account also solves the problem. Follow these steps:

  1. Go to the Apple ID account page.
  2. Log in and validate the session as prompted.
  3. Click Security, click Edit, and then click Replace Lost Key. Follow the steps.
  4. Figure out where you will put the Recovery Key this time to not lose it.

I suggest dating the Recovery Key so you know the last time you reset it. If you use software that can strongly encrypt data and which doesn’t sync that data via Dropbox or other sources, you can keep a digital copy. Otherwise, figure out a physical location, including a safe-deposit box or other safe location—wherever you keep your birth certificate, say.

Switch to two-factor authentication. Apple newer two-factor authentication (2FA), introduced in fall 2015 and still apparently rolling out, no longer uses a Recovery Key, so you won’t necessarily lose access forever if your password is reset or forgotten. When logging into any Apple site or service, Apple’s 2FA system sends a location alert to every OS X and iOS device connected to the Apple ID. Once you approve the location by clicking or tapping Allow, you’re presented with a 6-digit code to enter on the login screen or site. You can also opt to send a text or have an automated voice call in which the number is read aloud.

To enable 2FA, you first have to disable two-step verification. For months, I tried to enroll in 2FA, and was told I didn’t meet the system requirements: at least one device had to be running iOS 9 or OS X 10.11 El Capitan. Despite all my hardware using those releases, it wasn’t until about six months into Apple’s rollout that I could finally make it work.

If you lose access to the account, you can go through a recovery process with Apple that involves human beings and can take a few days. They need to confirm you really are the valid owner of the account. Apple notes in its support page that registering a credit-card number with your iCloud account that uses the Apple ID can aid in recovery as part of verifying your identity.

Remember that in both cases you need to generate app-specific passwords, available at the Apple ID site, to use third-party apps that need access to calendars and contacts.

Ask Mac 911

We’ve compiled a list of the most commonly asked questions we get, and the answers to them: read our super FAQ to see if you’re covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.


Subscribe to the Best of Macworld Newsletter