Apple launches three-factor security, incorrectly calls it two-factor

In 2008, when MobileMe was first launched, Steve Jobs was apoplectic at its flaky, poor functionality – he told the team that they “should hate each other for having let each other down” (source).

iCloud replaced MobileMe, and in some cases its functionality is better than the unlamented predecessor, but the ghosts of stupid design and implementation are still there.

Apple introduced two-factor authentication for the iTunes store (using AppleID) about a year ago (source) and generally it’s a good idea because of the financial information that Apple forces you to store in your account.  There had been exploits in previous years where miscreants had created iTunes gift cards using purloined credentials.

Unfortunately, though, as I found out today, the implementation of 2-factor security has been laughably poor.  Two factor security requires that you have two of the three items:

  • iTunes password
  • Access to device on which to receive a code
  • A recovery key

As of right now I have two of those three items but I’m locked out of my account with very little possibility of access. Why?  Because Apple arbitrarily reset my password due to some kind of activity.  Great – I would hope that vendors would do that when they see suspicious activity (Chase have been outstanding for me in the past in that regard).  BUT – now I can’t reset my password because I don’t have both of the remaining items.  So Apple’s two factor security is in fact three factor security, with two separate passwords (one called a recovery key) and device access.

I’m sure I have that recovery key somewhere in a file in a box in a storage unit in Brooklyn because I am in the process of moving.  But I shouldn’t need it because I have two factors – it’s just that Apple arbitrarily changed one and now demands the third which I guarantee most people will not have.

I’m going to the “genius” bar this evening to see if they can help me – which I am fairly sure they cannot.  So learn from my mistakes and remember that Apple’s two-factor security is really three-factor and you will need access to all three at all times in order to continue to use iCloud.

About Raoul

With a fairly unusual first name, this is where I have to stress VERY STRONGLY that these posts are my personal opinions and in no way reflect anything at all to do with my employer. For employer-approved content, take a look at my work blog.
This entry was posted in Life, Tech, WTF?. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *