The dark side of Apple’s two-step verification; losing recovery key could permanently lock Apple ID

“Earlier this week, a strange message popped up on my Mac that I thought nothing of. ‘You can’t sign in because your account was disabled for security reasons,'” Owen Williams reports for TNW. “I dismissed it in my tired haze, thinking it would solve itself and went to sleep. The next morning, I didn’t have time to deal with the message — which was now popping up every half hour — for a few hours until it became annoying. I figured I’d done something dumb and broken iCloud, but that it could wait.”

“I’d turned two-factor on my Apple ID in haste when I read Mat Honan’s harrowing story about how his Mac, iPhone and other devices were wiped when someone broke into his iCloud account. That terrified me into thinking about real security for the first time,” Williams reports. “When I finally had time to investigate the errors appearing on my machine, I discovered that not only had my iCloud account been locked, but someone had tried to break in. Two-factor had done its job and kept the attacker out, however, it had also inadvertently locked me out.”

“The sinking feeling began. After fruitlessly searching and a lot of cussing, I decided to call Apple. I figured that something must be wrong, since the support page claims you can use trusted devices to recover your ID in cases like this,” Williams reports. “The first person I spoke to told me immediately after getting on the phone that in no uncertain terms I had forfeit my Apple ID by losing the recovery key.”

The full angst-ridden story is here.

MacDailyNews Take: Bottom line: If you enable Apple’s two-step verification, don’t lose your Apple Recovery Key.

[Thanks to MacDailyNews Reader “Lynn Weiler” for the heads up.]


  1. My old iMac has a 2TB drive that I partition to use as a back up for my current iMac and MacBook Air. This drive is backed up to BackBlaze and two alternating external drives which are kept in a firebox (one off site). The spare machine has an account within which I store the recovery key for my Apple ID. I also have it in my safe.

      1. I’m someone who lost a fair amount of data when my drive died and since I store pretty much everything electronically I really don’t want to be in that situation again. Dropbox and Backblaze keep most of it available, and along with Time Machine I should be pretty much OK, but you can’t beat a physical copy – the difficulty is being bothered to do it.

    1. Thanks for the suggestion about the safe. I’m going to do the same thing when I get home from work this afternoon. But as for all the rest, is there such a thing as too much reduncancy?

    1. Yeah, lets water down the security because of moron that has access to a web page to cry over his lost Apple ID, cry me a river.. The only thing that should be done is increase the size and color of the warning font that says you lose this key, your screwed.. end of story

    1. Yeah, they could have written:


      Which is why a lot of this stuff is NOT on by default. When you make a knee jerk decision to enable some security you don’t understand then take precautions to ensure that you KNOW how to use it… your loss.

  2. At least he doesn’t drag the story the entire page. The “I’m an idiot” moment is right up top.

    “That’s when it hit me; I had no idea where my recovery key was or if I’d ever even put the piece of paper in a safe place.”

    1. A clue: Take screen shots of all critical operations when you establish or change accounts … every single one.

      Screen shots do not lie … They do not make typing mistakes.

      I use them on all important purchases. They are good evidence. SnapZPro and/or SnagIt are damn good investments.

      1. What’s wrong with command-shift-3 (or command-shift-4, if you want just the window, or part of the screen)? I can’t think of a justification for paying for the ability to just take a screenshot when built-in functionality does a perfectly fine job (which can be customised if necessary).

          1. I’m truly curious what are the advantages of those two (Snapzpro and Snagit), to make it worth spending money on them. Long ago, I used to use Snapzpro for screencast recording, but with built-in Quicktime recording feature, which allows full-screen or selection recording, I can’t think of any reason to pay.

            1. Fair enough. If you need to take screenshots every day, for various purposes, the built-in functionality may limit your workflow (it’s a bit of a hassle to change the destination path and format for a cmd-Shift-4 screenshot).

              My default destination is the desktop, and format PNG. From there, I can take it wherever I need, when I need a screenshot (once in a few weeks). SnapzPro would just be an overkill.

            2. I appreciate that users have varied needs.

              For documentation, I often switch to B&W screenshots from CAD drawings. I often take a large series of shots and they garbage up the desktop, so changing folders to store images fast keeps me happy.

  3. 2 Step verification was not built for people who forget their passwords and have to reset them regularly. If you don’t want to follow the instructions then don’t use the service. This is completely the users fault, no need to blame the employees telling you how it works, just like it told you when you signed up.

    1. Not sure why you are being down voted. Anyone with security knowledge knows that consumer security is far from being optimal yet.

      For instance, N-of-M encryption would allow you to automatically register your digital keys with M different entities, none-of-which will have the ability to use them. Only you could recover your keys at any time from any N of them.

      In other words extremely secure and extremely private password storage.

      But it will take time for companies like Apple to supply more sophisticated complete security. I think the biggest problem is that security features that a customer doesn’t understand end up backfiring. As was the case with this blogger.

      1. That analogy fails in the digital world.

        In the physical world you really can lose all keys but get a locksmith to create a new key or replace the lock. There is no way to completely lock yourself out.

        There are ways to do the same in the digital world (see my comment above).

  4. I just thought of the best way to never lose your recovery key. If you have to keep one for yourself and significant other, have it Tattoo’d on your Right Butt Cheek for yours and the Left Butt Cheek for your other account. For added security have it in reverse mode, so that you need a mirror to view it properly. This will guarantee that you will never lose those Recovery Keys! 😜

  5. I am a victim of this situation. In my case, the number Apple handed me for my second factor verification went off into the aether, never to be seen again. Apple sent it off to a phone that (my fault!) didn’t have active messaging. 🙁

    I’m making due, but can’t officially attach my new MBP to my original Apple ID. So I gave it a second ID, which doesn’t connect to the first ID and all it’s store purchases, barf barf etc.

  6. Isn’t anyone else mad at Apple for lying on its web site? It clearly told him he could use a trusted device and the password, even without the security key. He couldn’t, because Apple lied.

  7. What about when you do have the recovery key and it does not work?
    I copy/paste it in 1Password and checked it afterwards. Did not thought I need a printout.
    It’s my fault I did not take a screenshot now I can’t prove anything and lost all my stuff, or will loose all my stuff when I replace my devices…
    There’s no way to add devices to iCloud without a working key…
    I mean there should be a balance between security and usability. If someone really wants your data there are plenty of ways to get it no matter how secure you thing you are.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.