If You Enable iCloud’s Two-Factor Authentication, Do Not Lose Your Recovery Key

Harrowing tale from Owen Williams at The Next Web: his iCloud account was locked because someone seemingly had attempted to hack into it. But he couldn’t unlock it without his recovery key (which he couldn’t find), even though he still knew his account password and had access to his second “trusted device”, his iPhone.

I think he’s way too harsh on Apple’s policies here, though. Even the headline of the piece seems off to me: “The Dark Side of Apple’s Two-Factor Authentication”. The lesson here is that if you enable two-factor authentication, you might need to access your recovery key even if you haven’t forgotten your password or lost your trusted device. Apple should make that clear.

The lesson is decidedly not that Apple should allow you to talk your way back into accessing your account over the phone, which seems to be what Williams wanted. That’s exactly how Mat Honan’s account got hijacked two years ago.

Wednesday, 10 December 2014