Apple drops Recovery Key in new two-factor authentication for El Capitan and iOS 9

In early June, Apple said two-factor authentication would be tightly integrated into OS X 10.11 El Capitan and iOS 9, but provided little detail as to what that means. The current setup is scattered across sites and methods in order to deliver a second one-time use, time-limited code or other method of verification when a user logs in to an Apple site or on an Apple device with an Apple ID set up for it.

Apple today posted a detailed explanation about how two-factor authentication works starting with the public betas of iOS 9 and El Capitan.

Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.

Two-factor authentication systems can deter or defeat attempts to log into accounts remotely, as an attacker has to not just have a password, but also access to a device, computer, or phone number belonging to the target account. This turns hacking from "wholesale" to "retail": unless a flaw is found in the underlying system, each protected account has to be cracked one at a time.

A longer code, a simpler process

As in the existing system, you have to set up at least one--but up to any number--of iOS and OS X systems as "trusted devices." These appear in a list in your Apple ID account and can be removed from there, as well as in OS X in iCloud system preferences, by clicking Account Details, and in iOS 9 in Settings > iCloud > Account. You also have to verify at least one phone number as a backup.

Currently, the phone has to receive text messages, but in the update, a phone can receive texts or phone calls, which indicates an option will be to have the code spoken aloud by an automatic system, typical with other two-factor systems.

The current system, labeled "two-step" by Apple, requires an (ironic) extra step during login. When you log in at an Apple site that supports two-step now, after entering an Apple ID account name and password, a pop-up dialog or screen of some sort prompts you to select a trusted device or trusted phone number to which a four-digit code is sent, and then enter that code in a following step.

In the new system for El Capitan and iOS 9, the need to specify a device to which a code is sent is removed. After entering the account name and password, Apple says all trusted devices running the newer OSes will display a six-digit verification code. That code, as before, only appears when an iOS device or OS X system is unlocked. Apple notes there will be an option to send the code to a trusted phone from the code-entry page by clicking "Didn't Get a Code?"

While Apple doesn't specify it here, in the current system only some Apple sites and systems require two-step. Apple developers; users of its iTunes Connect system for book, music, and app uploads; and other sites allow access with just an account name and password, even for two-step-enabled accounts. This is likely to change as part of this integration, as these are all holes that can be exploited by wily crackers.

The current two-step method will continue to work indefinitely, so as not to lower security for older users nor break systems. When using iOS 8 or earlier or OS X 10.10 Yosemite or earlier, a verification field won't appear. Rather, after attempting a login with the Apple ID and password, and having the verification code appear on trusted devices, a user will then need to log in again appending the six-digit code at the end of the password in the password field. Only El Capitan and iOS 9 devices will display six-digit codes.
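To make the two login paths concrete, here is an added Python sketch of a verification service modelled on the behaviour the article describes. It is not Apple's code and is not from the original article; the class and method names, the five-minute code lifetime, the three-guess limit, and the sample account are all assumptions chosen for the illustration. It shows the new flow (password first, then a six-digit code displayed on unlocked trusted devices running the newer OS and typed into a verification field), the legacy flow (no field, so the user logs in again with the six digits appended to the password), the "Didn't get a code?" phone fallback, and the checks a defender wants on the code itself: single use, expiry, and a cap on wrong guesses so a six-digit space cannot simply be enumerated.

```python
"""Constructed simulation of a six-digit second-factor login flow.

Not Apple's implementation. Assumed parameters: codes live for
CODE_TTL_SECONDS, are single-use, and a session is discarded after
MAX_ATTEMPTS wrong codes.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed lifetime; the article gives none
MAX_ATTEMPTS = 3         # assumed per-session guess budget
CODE_LENGTH = 6          # six digits, as the article describes


@dataclass
class Device:
    name: str
    new_os: bool          # El Capitan / iOS 9 displays codes; older OSes do not
    unlocked: bool = True # codes are only shown on unlocked devices


@dataclass
class Account:
    apple_id: str
    password: str          # plaintext only to keep the simulation short
    trusted_devices: list
    trusted_phones: list


@dataclass
class Session:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class TwoFactorService:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.apple_id: a for a in accounts}
        self.sessions = {}   # apple_id -> Session with a pending code
        self.clock = clock   # injectable so expiry can be tested

    def begin_login(self, apple_id, password):
        """Step one: check the password, then issue a fresh six-digit code.
        Returns the names of trusted devices that would display it, or None
        when the password is wrong (no code is generated in that case)."""
        acct = self.accounts.get(apple_id)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return None
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self.sessions[apple_id] = Session(code=code, issued_at=self.clock())
        return [d.name for d in acct.trusted_devices if d.new_os and d.unlocked]

    def send_to_phone(self, apple_id):
        """'Didn't get a code?' fallback: the pending code goes to a trusted
        phone number instead. Returns the number it would be sent to."""
        sess = self.sessions.get(apple_id)
        acct = self.accounts.get(apple_id)
        if sess is None or acct is None or not acct.trusted_phones:
            return None
        return acct.trusted_phones[0]

    def verify(self, apple_id, code):
        """Step two on El Capitan / iOS 9: the code is typed into the
        verification field. Single use, time-limited, attempt-limited."""
        sess = self.sessions.get(apple_id)
        if sess is None or sess.used:
            return False
        if self.clock() - sess.issued_at > CODE_TTL_SECONDS:
            del self.sessions[apple_id]          # expired: force a new login
            return False
        sess.attempts += 1
        if sess.attempts > MAX_ATTEMPTS:
            del self.sessions[apple_id]          # guess budget exhausted
            return False
        if hmac.compare_digest(sess.code, code):
            sess.used = True                     # code cannot be replayed
            return True
        return False

    def verify_legacy(self, apple_id, password_with_code):
        """Step two on iOS 8 / Yosemite and earlier: no verification field, so
        the user logs in again with the six digits appended to the password."""
        if len(password_with_code) <= CODE_LENGTH:
            return False
        password = password_with_code[:-CODE_LENGTH]
        code = password_with_code[-CODE_LENGTH:]
        acct = self.accounts.get(apple_id)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return False
        return self.verify(apple_id, code)
```

The legacy path is worth a second look from a defender's seat: because the code travels in the password field, anything that logs or caches the password on an old client (a keychain entry, a misconfigured proxy) captures a still-valid second factor along with it, which is why the single-use and expiry checks in `verify` matter just as much there as in the new flow.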

The use of a phone number as part of the two-factor system provides better flexibility for users, but it can also provide an opening for individual targeting. The SMS system isn't designed for security and integrity, and iOS 8 and Yosemite's SMS Relay option allows text messages to be received on computers logged into the same iCloud account as an iPhone anywhere in the world. (See "Private I," October 23, 2014.)

The end of Recovery Key

The current two-step system relies on two factors, but also included a third element for regaining access to an account: Recovery Key. The 14-character Recovery Key is generated during the two-step signup process and is meant as a backup. If you forget your password or lose access to all trusted devices and your phone number (but not both), the Recovery Key was the only way to restore your Apple ID account.

Without it, the data and purchases associated with that ID were lost for good. This could also be triggered if Apple decided your account was under attack and reset your password. Some reports indicated that Apple's customer service could reset accounts without the Recovery Key, but it seemed to be available only in limited cases and with support's discretion.

In the new two-factor authentication system, Apple confirmed that Recovery Key is gone. Instead, Apple provides more general guidance, noting that you might need to work through what it's calling in lower case "account recovery" if you "can't sign in, reset your password, or receive verification codes."

The process described in the FAQ should help overcome social engineering and identity theft, widely described as ways in to user accounts at many sites over the last several years. Apple will get in touch via a "verified phone number," which one assumes is one associated with your Apple ID account--it's worth noting that one can associate multiple numbers there.

There's a process that's loosely described as having one's case reviewed, and then needing to provide detailed information to prove you're the rightful owner of the Apple ID account. "The process is designed to get you back into your account as quickly as possible while denying access to anyone who might be pretending to be you," the FAQ notes.

Not immediately available to all beta testers

Not every account will be eligible to sign up during beta testing. Apple notes, "Individual accounts will be made eligible gradually until we can offer the service to everyone."

If an account is eligible, a user will be alerted after signing in with an Apple ID on a public beta in the Setup Assistant. Apple says users will see a "two-factor authentication" screen if they can opt in.

Stories by Glenn Fleishman