Slashdot Mirror


Apple Drops Recovery Key From Two-Factor Authentication In New OS Versions

eggboard writes: If you've ever turned on what's now called "two-step verification" for an Apple ID, you had to create a Recovery Key. Lose this 14-digit code and have your password reset (because of hacking attempts against you), and you might lose access forever to purchases and data, as Owen Williams almost did. Apple confirmed today that starting with its public betas of OS X 10.11 and iOS 9, two-factor authentication won't have a Recovery Key. Instead, if you have to reset a password or lose access to devices, you'll have to go through an account verification process with human beings.

64 comments

  1. "I've lost my password" by queazocotal · · Score: 1

    No, really, this isn't someone that's just stolen their bag at an airport.

    1. Re:"I've lost my password" by michelcolman · · Score: 2

      Hey, and I even know his moth... I mean... my mother's maiden name!

    2. Re:"I've lost my password" by Anonymous Coward · · Score: 2, Funny

      Apple still makes a backup key, they just give it to the NSA...

    3. Re:"I've lost my password" by beefoot · · Score: 1

      I don't know why anyone voted you down. It is a fact of life whether the companies want to admit it or not. The NSA may not request the key officially but I just can't see why they wouldn't do it "unofficially" as it is much easier to do than having to crack the key. To me, that is a no-brainer.

    4. Re:"I've lost my password" by Anonymous Coward · · Score: 0

      What a world you live in that something that you merely believe to be true magically becomes a "fact of life". That must make for some odd inconsistencies and the occasional paradox.

    5. Re:"I've lost my password" by tsa · · Score: 1

      Indeed! Besides, every Apple fanboy knows that Apple would Never do that!

      --

      -- Cheers!

    6. Re:"I've lost my password" by Anonymous Coward · · Score: 0

      You do realize that your comment doesn't actually make sense in this context, right? Perhaps you were blinded by your own biases.

  2. Authentication is Not Encryption by PvtVoid · · Score: 5, Insightful

    If I encrypt something and lose my key, I should lose my data. But this policy is about authentication (i.e. proving your identity) and not encryption. They're different things, except for some reason they are almost always conflated.

    1. Re:Authentication is Not Encryption by mwvdlee · · Score: 1

      So if you set up some data to require a certain type of authentication and you can't authenticate, you should still have access to the data?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

    2. Re:Authentication is Not Encryption by Anonymous Coward · · Score: 2, Interesting

      Nobody mentioned encryption except you.

    3. Re:Authentication is Not Encryption by Anonymous Coward · · Score: 0

      Anyone who can give you access to your encrypted data after you've lost the key necessarily has a copy of the key.

    4. Re:Authentication is Not Encryption by Overzeetop · · Score: 1

      FTFS: "lose access forever to purchases..."

      So it's not just about data. You could argue that the data should be inaccessible, but this prevents people with large app libraries from being out cash in the event they lose their code. I have more than one friend who has no idea what their wifi password is - they set it up initially and then lost their random password. I suspect this is now becoming a problem with Apple - it's one thing to set up 2 factor, it's another to remember what you did with the recovery key after an extended period of time. And Apple is about holding their technologically-unsavvy customers' hands, not hanging them out to dry when they do something stupid (as karmic as that might be).

      --
      Is it just my observation, or are there way too many stupid people in the world?

    5. Re:Authentication is Not Encryption by Anonymous Coward · · Score: 4, Interesting

      There's a reason why it's called "two factor authentication" rather than "two factor encryption".

  3. Re:Good by deong · · Score: 2

    I don't understand what you're saying (or alternately, it just doesn't make sense). If anything, this accomplishes the opposite. If the recovery key was a strict technical requirement to access the account information, and Apple doesn't possess that key, then Apple would have the ability to tell the government, "Sorry, there's nothing we can do". If they replace the requirement of a key with a human being employed by Apple, then certainly they lose that ability.

    In general, 2-factor authentication doesn't really have anything to do with whether or not the company has access to your data. It only affects how difficult it is for an unauthorized user to get access. Apple could happily make themselves an authorized user though by just making sure they have the encryption keys to everything and only using 2-factor on the client to gate access to the keys for a user.

    But if this affects governments' ability to request data at all, they're *adding* a "back-door" method of access here, not removing one.

  4. Re:Good by Anonymous Coward · · Score: 0

    I was under the assumption that the one time recovery code was likely stored as a hash somewhere? Surely it's harder to guess or obtain than somebody ringing up and pretending to be you.

    I mean with the current system the feds either have to put in a request (and have some kind of paper trail) or spend time, money and invest in some infrastructure to do it off the books. Now they'll just have to get your date of birth, address and phone number and pay some homeless guy $5 to impersonate you - all to steal your iTunes library that just contains that U2 album you didn't want in the first place!

  5. Mark on the head and hand by Anonymous Coward · · Score: 0

    but who would've guessed smartphones would take us there?

    considering the company's logo, the whole mark of the beast thing just seems to fit.

    1. Re:Mark on the head and hand by Anonymous Coward · · Score: 0

      the snake was already taken by physicians.

  6. SubjectsInCommentsAreStupid by lesincompetent · · Score: 1

    Oh humans! You mean the weakest link in the security chain?

    1. Re:SubjectsInCommentsAreStupid by Mike+Buddha · · Score: 1

      Yep. And the fact that it's human error doesn't mean that the system is secure and absolve Apple of any responsibility. If you rely on human beings to remember something or type something in, there's a security risk. Ask all the victims of BonerGate.

      --
      by Mike Buddha -- Someday the mountain might get him, but the law never will.

  7. it r alwayz haxx0rz by Anonymous Coward · · Score: 0

    cuz only haxx0rz k4n d0 haxxin

  8. Wonderful... by phayes · · Score: 5, Insightful

    Some random guy on the internet has a hack attempt on his account get blocked by his use of 2 factor ID. Instead of being grateful the guy complains on twitter that he is too busy to have correctly backed up the recovery key he was warned he would have to safeguard.

    Clearly, Apple's procedures up to now avoided having the backdoor of saving the recovery key. That was OUR responsibility. Not saving it meant that Apple could NOT be social engineered or hacked into revealing it.

    Some random guy complains that "it's not his fault his account was hacked" & that he "deserved" his account back. He eventually finds a screenshot but calls for Apple to change the system to add a backdoor so that they can recover any account they want.

    The attack wasn't random guy's fault but it was his fault to not save his recovery key. More importantly, any social engineering or leakage of everybody else's accounts that occur due to Apple backdooring their 2 factor ID WILL be in part his fault. Way to go there, of course your convenience is more important than our security...

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue

    1. Re:Wonderful... by Anonymous Coward · · Score: 0

      Apple's just falling in line with other companies; Google already offers a slow road to authenticating yourself if you lose your TFA fall-back options.

    2. Re:Wonderful... by Anonymous Coward · · Score: 0

      Apple's not providing any real security anyway. This is a PHONE we're talking about and from a company that won't release the majority of its code. We have no idea what backdoors might have been in it before this. Just because Apple said it couldn't do X for you doesn't mean that it couldn't do X for the government.

    3. Re:Wonderful... by eggboard · · Score: 1

      From some reports, Apple has always had this capability and selectively used it. The Recovery Key was something you could do on your own, but you could potentially also convince an Apple tech to escalate it and go through an identity-proving process.

      What's clear is that people routinely lost or didn't write down their Recovery Key, and one has to intuit it was an ongoing problem and stress for users who enabled "two-step." In this new version, Apple ostensibly could be social engineered, but note that Apple will only engage in account recovery *to a registered phone number*. So you can't call at random, get a random CS person, and do it. You have to apply, they call back (from a team dedicated to it) and only to a number that's registered to the Apple ID account in question.

      --
      Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others

    4. Re:Wonderful... by sudon't · · Score: 1

      Yep, it's the dumbing-down of security. Companies have to make things safe for people too lazy, or too ignorant, to take some simple precautions, because these same people have a lot of energy for complaining and crying. Note that Mac OS has come with a password manager since at least 2002, so none of its customers should ever have need of two-step authentication.

      --
      -- sudon't

      Air-ride Equipped

    5. Re:Wonderful... by vux984 · · Score: 1

      So they'll only call the person who stole your phone? That seems to have some rather major fail on it, unless I've missed something.

    6. Re:Wonderful... by phayes · · Score: 1

      What part of Apple being previously unable to work around a client forgetting a recovery key didn't you understand? Apple clearly did NOT have the keys or they would have been able to do something for the forgetful & ambiguous claims that Apple could always work around a lost recovery key are bull. There are claims that there is alien technology in iPhones that feeds on your soul -- do you believe that too?

      So, now Apple saves these keys somewhere. While you believe that the only way to get to this info is through Apple's procedures, the point I made that went completely over your head is that the mere existence of this info in a database on an apple server makes it vulnerable & not on an individual level. Social Engineering isn't someone calling Apple support -- It's working on someone that has DBA access to that database. Now that the recovery key is no longer ONLY in our hands we could all wake up one day to learn that someone worked around the safeguards that Apple put into place.

      Yes I do trust Apple (up to a certain limit). However, having read into just how RSA & others were hacked, I'd really have preferred that the recovery keys were never saved anywhere other than where I decide.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue

  9. TLDR: Apple has access to your encrypted files by Richard_at_work · · Score: 1, Insightful

    So, the actual story here is that Apple has access to your encrypted files and can decrypt them at will, it's just selling it as a nice convenience for you...

    I guess that's the "law enforcement cannot access encrypted iPhones" issue solved.

    1. Re:TLDR: Apple has access to your encrypted files by Ronin441 · · Score: 2

      TFA says "The current two-step method will continue to work indefinitely, so as not to lower security for older users nor break systems." So it's entirely possible that Apple genuinely doesn't have access to devices and files currently two-factor-protected.

    2. Re:TLDR: Apple has access to your encrypted files by bbeagle · · Score: 0

      So, it seems that Apple has a skeleton key that opens up all Apple devices EXCEPT the ones where users choose to hold the key themselves. Apple now has a sort of 'skeleton key' they can give to law enforcement, so that law enforcement can unlock a device used with that method. Of course, some devices won't be able to be opened by this 'skeleton key'. This has nothing to do with Apple having access to the actual encrypted data on the phone. They can give someone ELSE access to the encrypted data if they are actually holding the physical device, but they can't access the data remotely.

    3. Re:TLDR: Apple has access to your encrypted files by Anonymous Coward · · Score: 0

      Well you could just roll your own encryption though right, I mean it's your hardware - you bought it, you can do whatever you want to it right? Ohh, wait...

    4. Re:TLDR: Apple has access to your encrypted files by Anonymous Coward · · Score: 0

      Apple can send updates to the device, so it's like with an administrator account on Windows: Can't access everything, but can give itself access to everything.

    5. Re:TLDR: Apple has access to your encrypted files by Anonymous Coward · · Score: 0

      Thanks for mentioning this. If you're part of the 0.0001% of people who can actually do all of this without leaning on another source of implementation to ensure that you're not just passing the buck from Apple to another vendor then have at it. If you're not then you're just as vulnerable as you were under Apple.
       
      Have a nice day. :)

    6. Re:TLDR: Apple has access to your encrypted files by Anonymous Coward · · Score: 0

      How exactly do I change the encryption used by Google for its cloud data backups?

    7. Re:TLDR: Apple has access to your encrypted files by Lunix+Nutcase · · Score: 1

      So I can roll my own encryption to replace that which is used by Google Play services? Ohh, wait...

    8. Re:TLDR: Apple has access to your encrypted files by eggboard · · Score: 1

      These aren't encrypted files. These are data to which they already have access (iCloud Drive, contacts, calendars, and purchases).

      --
      Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others

    9. Re:TLDR: Apple has access to your encrypted files by Lunix+Nutcase · · Score: 1

      If someone can get access to your account, they can download and decrypt your iCloud backups.

    10. Re:TLDR: Apple has access to your encrypted files by Anonymous Coward · · Score: 0

      How exactly do I change the encryption used by Google for its cloud data backups?

      You don't. If you're sufficiently paranoid, you encrypt/decrypt your data client-side, rendering the vendor's encryption redundant and decryption (and backdoors) moot.

      - T

    11. Re:TLDR: Apple has access to your encrypted files by Anonymous Coward · · Score: 0

      No. This is about the account password, not encryption. For example, this won't let you access your keychain (iCloud or local). Nor will it change the passcode on your phone. Nor your local disk encryption password. It does not provide any more access to information than Apple already had.

    12. Re:TLDR: Apple has access to your encrypted files by thegarbz · · Score: 1

      TLDR is quite an apt title given you didn't even read the summary.

  10. Point in case demonstrated by Anonymous Coward · · Score: 0

    The authentication of that data tells you that it hasn't been tampered with. If it was encrypted, you'd still have a now authenticated bit of encrypted data.

    1. Re:Point in case demonstrated by Damarkus13 · · Score: 1

      Not the issue at hand. The recovery key in question authenticated a user, not data.

  11. Management by MrLint · · Score: 1

    I foresee this as a problem. As part of policy we have to encrypt mobile devices, and we store the recovery key in case the users get locked out. We cannot have someone calling Apple (for which we don't set up accounts for our devices) to unlock these units. Apple cannot be the arbiter of access.

    1. Re:Management by Anonymous Coward · · Score: 0

      Now the TLAs will have access too.

  12. Because social engineering... by cloud.pt · · Score: 1

    Because social engineering is like the hardest point of entry of any computer system. A'ight. Mitnick approves

    1. Re:Because social engineering... by gnasher719 · · Score: 2

      Because social engineering is like the hardest point of entry of any computer system. A'ight. Mitnick approves

      That's not the only problem. If Apple (or any other company) has the capability to give you access to your data if you forget your password or passcode or whatever, then obviously this can be used against you through social engineering. But it can also be used against you by the police, the NSA etc.

      Your biggest protection against Apple ratting you out to any agencies is the fact that Apple deliberately avoids being able to do so. Once they have the capability, they can be forced to use it against you.

  13. Re:Good by Anonymous Coward · · Score: 2, Interesting

    Furthermore, I wouldn't trust those Apple "geniuses." They are utterly clueless and unhelpful. I recently had to call in to get some help because someone else had somehow managed to open a new account using my email address instead of theirs (ours were similar). Apparently there's no email verification before they can use it for an account. Anyways, I kept getting bombed with email intended for him so I reset the password on the account (since I'm in control of the email, this was easy) and noticed he had set his actual email as the recovery email--which I could not remove nor edit in any way, meaning he could then reset the password too. Point is, I either wanted them to remove my email from the account, or remove his recovery email from it, and the "geniuses" I had talked to couldn't seem to understand that simple request. In the end, their best advice was, "I don't know. Just deal with it I guess? There's nothing we can do." So, here we are still, both of us still have access to this account and neither of us can do anything about it.

    Great customer support.

  14. seems to me by Anonymous Coward · · Score: 0

    that is a backwards step and they have caved in to government pressure for data access. As instead of being 'lost' they can just hand the data over.

  15. Re:Good by michelcolman · · Score: 4, Insightful

    Exactly, if you can reset your account password by "talking to a human", all the Fed has to do is talk to that same human.

    This is just because they probably had too many Apple users call them with "I lost my password, can you reset it? Recovery key? What's that?".

    Since there are probably ten times as many of those, compared to the number of people who actually care about security, it makes sense for them to dumb down the system. Keeps the majority of their users happy. And the Fed, to boot.

  16. Social Engineering Hack by wile_e_wonka · · Score: 2

    Aren't humans a problem with a lot of important hacks anymore? For example:
    http://appleinsider.com/articl...

    If not for a human at Apple, this hack wouldn't have happened. The authentication code was intended to prevent this issue.

  17. Insecurity as a feature by mysidia · · Score: 4, Insightful

    Sounds like they might be spinning "The government forced us to change our design so we can break the encryption for them"
    TO: "For your convenience, you no longer have to keep a copy of a 14 character recovery code to decrypt your phone: now we can just recover your account for you with a 'super-secure' human verification of the last 4 digits of your credit card that 10 other online retailers know about, and your SSN that can be looked up in a public database."

    1. Re:Insecurity as a feature by Barlo_Mung_42 · · Score: 1

      They should make it an opt in for those who don't want to manage it themselves. Keep a key to allow a representative to help unlock the account for those who want that feature and not keep the key for the rest of us.

  18. Lots of assumptions going on here... by skribble · · Score: 1

    If you read the available information about this, there seems to be many procedures in place to avoid social engineering. Also, there is nothing here about anyone having access to anyone's files or data (encrypted or otherwise). Just procedures which would allow one access to their own account, this would be akin to an automated password reset.
    That said, a lot of the details about this are unknown.

    --
    --- Nothing To See Here ---

    1. Re:Lots of assumptions going on here... by Lunix+Nutcase · · Score: 1

      If you read the available information about this, there seems to be many procedures in place to avoid social engineering.

      Except those same procedures have been worked around in past social engineering attacks. Unless Apple's CSRs are magically immune to social engineering then there's no reason to expect that anyone determined enough won't get around them.

      Also, there is nothing here about anyone having access to anyone's files or data (encrypted or otherwise). Just procedures which would allow one access to their own account, this would be akin to an automated password reset.

      Having access to someone's account means one can download and decrypt iCloud device backups.

    2. Re:Lots of assumptions going on here... by Anonymous Coward · · Score: 0

      This change has no impact on what data Apple has (or can provide) access to; you should never consider your data "encrypted" in a system where changing your password didn't invalidate old data. The only protection that sort of encryption provides is against someone physically obtaining the disk Apple was using to hold it (which is all Apple ever claimed -- that the data was encrypted on-disk, not that they couldn't read it).

      But this wouldn't provide access to: keychains, encrypted disks/images, iOS device PINs, encrypted iOS or TimeMachine backups (network or local), firmware passwords, etc. Apple does not now or in the past collect those explicitly separate keys (though a few of those can be explicitly sent to Apple if and only if you choose to) and Apple cannot provide them even when resetting your account.

  19. Re:Good by Anonymous Coward · · Score: 0

    Why would the Federal Reserve be interested in your Apple ID?

  20. Re:Good by Maestro485 · · Score: 4, Informative

    Except this is the recovery key for an Apple account, not an encryption key. Apple explicitly has access to information about your account. For example, they know which songs you've purchased from iTunes and which iPhone apps you've downloaded.

    This has nothing to do with encryption. This information is already available to the government if they have a warrant. The recovery key in question here is to authenticate, not to decrypt.

  21. Eggs in one basket. by djsmiley · · Score: 1

    So my Apple security key is in my gdrive, my gdrive offline codes are in my hotmail account, and my hotmail account's offline auth thing is in my lastpass vault..

    This is why I don't trust any one person/organisation with *all* my details.

    --
    - http://www.milkme.co.uk

  22. Re:Good by adamstew · · Score: 1

    Your apple ID can unlock your iCloud account, which also hosts an e-mail service. Some people use their apple ID to access their personal e-mail.

  23. Re:Good by Falos · · Score: 1

    "what's my password" is basically what constitutes the pie slice.

    You know, the biggest one. In the pie. The pie that is IT support. Anywhere.

  24. This may not be Apple's doing... by Anonymous Coward · · Score: 0

    This may have come as a request that Apple couldn't refuse - think of this as a canary.

    Now we know, and knowing is half the battle.

  25. Re: Good by Brawlking · · Score: 1

    I'm confused by this. It's very easy to remove a rescue email from your account, you can do it yourself. Here is an article that describes how: https://support.apple.com/en-u... Once you have removed that rescue email only the person with the password to the primary email address will be able to get in to reset the password. If you need to reset your security questions to access the section where that information is located you would have to call in to support and verify that you are the account holder.

  26. Re:Good by Anonymous Coward · · Score: 0

    Monumentally stupid of them.