Apple ditches Recovery Key in new 2FA process for El Capitan and iOS 9

Ever since Apple turned on two-step verification (2SV) in 2013, Naked Security has been advising Apple ID users to write down the generated 14-character emergency Recovery Key and then tuck it away where it’s safe and sound.

Now, Apple is beta testing operating systems that offer security processes that, thankfully, cut out the Recovery Key, which has been at the heart of horror shows when users lost the precious digits.

Apple had said at the 2015 Worldwide Developers Conference in June that two-factor authentication (2FA) would be tightly integrated into OS X 10.11, named El Capitan, and its mobile update, iOS 9, but at the time, it didn’t provide any detail as to how.

On Wednesday, the company drew the curtain back, posting the missing details about how 2FA will work, starting with the public betas of iOS 9 and El Capitan.

Among other changes, Apple has dropped the Recovery Key, as an Apple spokesperson confirmed to MacWorld.

It won’t be missed by the people who’ve suffered after losing it.

One such was Owen Williams of The Next Web, who went through more than 24 hours of frantic hell when an intruder tried to break into his Apple account from an unknown device, upon which Apple dutifully locked the account down, and he then found, to his dismay, that he’d lost the Recovery Key when he moved into a new home.

This is serious stuff: Apple said that without the key, he’d lose his account data and access – forever.

As it is, the Recovery Key system in Apple’s 2SV process works as a failsafe for accessing an Apple ID when a registered, trusted device or phone number is unavailable.

2SV vs 2FA

I’m referring to the current system as 2SV, as Apple did, for good reason: as Paul Ducklin explained when Apple first introduced 2SV, Apple has been letting SMS verification codes go to the same device on which you actually use an Apple ID, meaning that anyone who controls your iPhone and manages to get your password could use that same device to get all the text messages that you receive, in real time, including account verification codes.

That’s why Apple was accurate in calling it 2SV instead of two-factor authentication (2FA): the process of recovering your account didn’t require two factors.

Instead, you could get by with just the one factor: the thief bait that is your iPhone.

At any rate, back to Williams: thankfully, he eventually found a photo he’d taken of his screen, showing the Recovery Key, long ago.

He wept tears of joy, and an Apple rep on the phone started clapping.

Is there any among us who cannot relate?!

The end of Recovery Key

Explaining how the new 2FA will work in the public betas of iOS 9 and OS X El Capitan, Apple says in its support article:

Whenever you sign in with your Apple ID on a new device or browser, you will verify your identity by entering your password plus a six-digit verification code. The verification code will be displayed automatically on any Apple devices you are already signed in to that are running iOS 9 or OS X El Capitan. Just enter the code to complete sign in. If you don’t have an Apple device handy, you can receive the code on your phone via a text message or phone call instead.

You won’t need to specify a device to which a code is sent – rather, all trusted devices running the newer OSes will display a six-digit verification code.

As in the earlier 2SV process, the code only appears when a iOS device or OS X system is unlocked. Also, there’ll be an option to send the code to a trusted phone, via either text message or a phone call, from the code-entry page by clicking “Didn’t Get a Code?”

With the new 2FA system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.

The company will review your case and contact you at the number provided when your Apple ID is ready for recovery. After that, an automated message will direct you to iforgot.apple.com to complete the required steps and regain access to your account.

The company says it will take a few days – or longer – to recover accounts this way, depending on how much information you can provide to verify that you really are the account owner.

Apple says it’s set up the process to get users back in as soon as possible while still keeping out imposters: a process that incorporates lessons learned in the case of journalist Mat Honan, who famously had his digital life ransacked and then rubbed out by somebody who tricked Apple support staff into resetting his Apple password.

In beta

The current 2SV process will still work for those who are enrolled. In fact, it will work indefinitely, in order to help keep older devices secure.

Apple isn’t rolling this new 2FA out to everybody just yet. Rather, it says that “individual accounts will be made eligible gradually until we can offer the service to everyone.”

Those with eligible accounts will be alerted after signing in with an Apple ID on a public beta in the Setup Assistant.

Apple says users will see a “two-factor authentication” screen if they can opt in.

Image of Apple devices courtesy of mama_mia / Shutterstock.com .

Leave a Reply