Apple to remove Recovery Key from iOS 9, OS X 10.11 two-factor authentication process

Posted in iPhone, edited July 2015
Apple on Wednesday confirmed that the removal of a pesky Recovery Key security mechanism will be one of the changes coming to its two-factor authentication solution when iOS 9 and OS X 10.11 El Capitan are released this fall.

Currently, the Recovery Key system in Apple's "two-step" protocol works as a failsafe for accessing an Apple ID when a registered trusted device or phone number is unavailable. Under the existing setup, losing both a trusted device and the Recovery Key renders the account inaccessible, which has in the past forced some users to abandon their Apple IDs altogether.

With higher level integration in iOS 9 and El Capitan, Apple's new method, now referred to as "two-factor," does away with 14-character Recovery Keys, to be replaced by a live customer support recovery process, an Apple spokesperson confirmed to MacWorld. The feature removal is just one modification Apple plans to apply when two-factor authentication rolls out later this year.

Other security enhancements were revealed in a support document published today, including longer six-digit verification codes and more intuitive authentication alerts that work across iOS and OS X platforms. For example, when users sign in to their Apple ID on a new device -- or browser in the case of iCloud -- with a password, a verification code is automatically pushed to all trusted devices. Text message and phone call verifications to trusted numbers will also remain available.

Because the system is built in to iOS 9 and El Capitan, devices running older iOS and OS X versions will not display the new six-digit verification codes. Once a user enables the new two-factor protocol, attempting to access an Apple ID using an iOS 8 device, for example, will send the six-digit code only to compatible devices. In lieu of a dedicated code entry mechanism, users might be prompted to log in again and append the six-digit number to the end of their password.
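As an added illustration (not Apple's code, and not a description of its actual implementation), here is a toy server-side check showing how a login from a legacy client that appends the six-digit code to the end of the password can be verified while still requiring both factors and treating each pushed code as single-use. The `Account` class, the hashing parameters and the sample password are assumptions of this example.

```python
import hashlib
import hmac
import secrets

CODE_LEN = 6  # the new six-digit verification code


class Account:
    """Constructed toy account: salted password hash plus outstanding pushed codes."""

    def __init__(self, password: str, two_factor: bool = True):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.two_factor = two_factor
        self.pending_codes = set()  # codes pushed to trusted devices, each single-use

    def _hash(self, password: str) -> bytes:
        # assumed parameters; any slow password hash would do for the illustration
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def push_code(self) -> str:
        """Mint a fresh six-digit code, as the server would push to trusted devices."""
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.pending_codes.add(code)
        return code

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(candidate))

    def consume_code(self, code: str) -> bool:
        """Accept a pending code exactly once; compare in constant time, no early exit."""
        matched = None
        for pending in list(self.pending_codes):
            if hmac.compare_digest(pending, code):
                matched = pending
        if matched is None:
            return False
        self.pending_codes.discard(matched)  # single use: a replayed code is rejected
        return True


def verify_login(account: Account, submitted: str, code=None) -> bool:
    """Modern clients send the code in its own field; a legacy client (no code
    field) appends the six digits to the end of the password, so split it off."""
    if not account.two_factor:
        return account.check_password(submitted)
    if code is None:
        if len(submitted) <= CODE_LEN:
            return False  # too short to hold a password plus a code
        submitted, code = submitted[:-CODE_LEN], submitted[-CODE_LEN:]
    if len(code) != CODE_LEN or not code.isdigit():
        return False  # a bare password never satisfies a two-factor account
    if not account.check_password(submitted):
        return False  # do not burn a pending code on a wrong password
    return account.consume_code(code)
```

Because the split always takes the trailing six characters, a password that itself ends in digits still works: the user appends the code after it, and only the appended digits are treated as the code.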

The new opt-in two-factor protocol is currently rolling out to a limited number of beta testers and will gradually become available to more users as Apple builds up backend support.

Comments

  • Reply 1 of 16
    timmyman (31 posts, member)
    Look forward to the social engineering attacks used against the customer service reps to get around the two-factor authentication going forward.
  • Reply 2 of 16
    idrey (647 posts, member)
    ^^^^ like the one with the Apple ID?
  • Reply 3 of 16
    konqerror (685 posts, member)
    Quote: Originally Posted by TimMyMan
    Look forward to the social engineering attacks used against the customer service reps to get around the two-factor authentication going forward.

    Reading the support document, I suspect the method to prevent that is time. During the "several days", they'll probably send out account warnings and look for activity. For example, if you need to recover because your trusted phone is lost, and they see the phone connect to their servers as normal, then they know they're being tricked.

  • Reply 4 of 16
    cy_starkman (653 posts, member)
    Bring it

    Especially smoothing the interaction of security between devices.

    One thing to note if you haven't experienced it yet. The tie in of security and Apple ID means - If for some reason you need to change your Apple ID, not a new account, but change your existing account and you have a bunch of devices then get ready for an evening of IT over a few beverages of your choice.

    You have to disable all iCloud stuff and sign out of everything on everything so that none of your devices are related to your Apple ID anymore in any way. Then you change via browser. Then you have to go through and reconnect and activate everything. If you don't you end up locked out of your own devices or with broken services.

    I REALLY hope in these new OS releases they have streamlined this. I did it in the correct manner a couple of months ago now, and while it did "just work", the process to achieve it wasn't "it just works"; rather it was more "it's just for nerds".
  • Reply 5 of 16
    sockrolid (2,789 posts, member)
    Darn. I've used my recovery key so often that I had recently memorized it.
    Oh well.
  • Reply 7 of 16
    Quote: Originally Posted by SockRolid
    Darn. I've used my recovery key so often that I had recently memorized it.
    Oh well.

    How does this happen? You're misplacing your trusted devices for large swaths of time?

  • Reply 8 of 16
    lightknight (2,312 posts, member)
    Quote: Originally Posted by PotatoLeekSoup
    How does this happen? You're misplacing your trusted devices for large swaths of time?

    Talking of "misplaced trusted devices", I've had a bad surprise with Blizzard. I had an authenticator thing installed on my previous iPhone, and when I upgraded I just made the usual "install iPhone as previous iPhone". Well, guess what.... The authenticator doesn't carry over.

    So I end up locked out of my Blizzard account, because "trusted device" actually means "physical trusted device".

    Apple gives you bad reflexes, expecting things to "just work" :p

  • Reply 9 of 16
    ny3ranger (77 posts, member)
    Love it. Almost got locked out of my main account because I had a hard time locating my recovery key. After I got in I actually stopped 2 factor because I was afraid that if I did lose it I would lose that account forever.
  • Reply 10 of 16
    timmyman (31 posts, member)
    ny3ranger wrote: »
    Love it. Almost got locked out of my main account because I had a hard time locating my recovery key. After I got in I actually stopped 2 factor because I was afraid that if I did lose it I would lose that account forever.

    I don't. Now there is a huge, gaping security hole in the system that didn't previously exist: CSRs that have over the years been notorious for being scammed by social engineering and phishing attacks. Even employees at well-known security companies have fallen prey to these attacks, and we are now supposed to trust an underpaid, overworked CSR to fully vet highly-skilled people trying to gain access to people's accounts? Not to mention the potential abuse of this by three-letter agencies with NSLs.

    Hopefully the old system will stick around.
  • Reply 11 of 16
    zer0her0 (24 posts, member)
    Quote: Originally Posted by lightknight
    Talking of "misplaced trusted devices", I've had a bad surprise with Blizzard. I had an authenticator thing installed on my previous iPhone, and when I upgraded I just made the usual "install iPhone as previous iPhone". Well, guess what.... The authenticator doesn't carry over.

    So I end up locked out of my Blizzard account, because "trusted device" actually means "physical trusted device".

    Apple gives you bad reflexes, expecting things to "just work" :p

    I had the same thing happen back with the original iPhone or maybe it was my 3GS to 4, had to send a scan of my drivers license to them to get it unlocked. Took about 3 days total, not hard but def annoying.

  • Reply 12 of 16
    timmyman (31 posts, member)
    As for why this is bad we only need to look to the past (http://appleinsider.com/articles/12/08/05/apple_tech_support_allows_hacker_access_to_journalists_icloud_account). Anyone who thinks that this backdoor in the 2-factor auth for convenience won't be exploited is extremely naive.
  • Reply 13 of 16
    bradipao (145 posts, member)
    timmyman wrote: »
    Now there is a huge, gaping security hole in the system that didn't previously exist: CSRs that have over the years been notorious for being scammed by social engineering and phishing attacks.

    It seems also a huge change in security paradigm, because if Customer Support is capable of unlocking access to your encrypted data, it means that it has a copy of your "key" or the "key" is not unique. And so access can be technically granted to third parties.
  • Reply 14 of 16
    timmyman (31 posts, member)
    bradipao wrote: »
    It seems also a huge change in security paradigm, because if Customer Support is capable of unlocking access to your encrypted data, it means that it has a copy of your "key" or the "key" is not unique. And so access can be technically granted to third parties.

    Exactly. It's a backdoor for TLAs being sold as a feature. No thanks, Apple.
  • Reply 15 of 16
    SpamSandwich (33,407 posts, member)
    Perhaps this is Apple's way of telling us they have no choice but to do this (in other words, by secret order they may be legally compelled).
  • Reply 16 of 16
    charlituna (7,217 posts, member)
    Losing your recovery key is a user error issue, not an Apple one. I printed mine and did a screenshot and verified the shot worked before emailing it to myself and uploading a copy to my Dropbox. And that was all before I closed the window.

    Now without it folks will have to call customer support, sit on hold for who knows how long, then get grilled for half an hour about all sorts of details to prove they are the real account holder, and so on.