Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
Apple allows you to add one or more trusted accounts to recover your account.

For example, if I set my friend up as a trusted account and then his device is stolen, assuming the thief gains access to his device, can this compromise my account as well?

It's possible that this procedure may involve more risks than benefits.
 

awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
In that scenario, there is no risk to your account.

Thanks for the reply, so even if the attacker accesses the device, even though he can read my email and generate a code, he can't compromise my account?

ios15-iphone-12-pro-settings-apple-id-password-security-account-recovery-get-recovery-code.jpg
 

Apple_Robert

Contributor
Sep 21, 2012
35,649
52,437
In a van down by the river
You should delete that pic (f that is you) so that the email doesn't get spammed or targeted.

As long as you have a good strong account password and (2 factor authentication) turned on, you should be fine.
 

awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
You should delete that pic (f that is you) so that the email doesn't get spammed or targeted.

As long as you have a good strong account password and (2 factor authentication) turned on, you should be fine.

Thanks, the photo is from the Apple site, don't worry 😄

Screenshot 2022-12-11 alle 17.27.28.png
 

VineRider

macrumors 65816
May 24, 2018
1,425
1,255
I was curious how this worked myself, so I set it up on a test account and added my real iCloud address as a recovery contact for the test account. I did this process on my iPad via the Apple Support App forgot password option and used my iPhone to create the recovery code. A third iPad mini was the account I was trying to reset (the test account).

Assume that your recovery contact lost their phone or other iOS device, or it was stolen. The question is, if someone broke into your recovery contacts phone, can your account be compromised.

Assume the bad actor has access to the recovery contacts phone and they want to gain access to your account since they see your information in the recovery contacts screen (they can see your iCloud address from this screen).

They start the recovery process to reset the password to your account. First thing it asks them to complete the phone number for your trusted phone numbers. Let's assume they know that since you are likely in your recovery contacts address book (the screen gives the last two digits of the trusted number). If they don't know the number, they cannot go any further.

Assume that they enter in the correct trusted phone number. Next, it asks to send a code to that number. Obviously, they are not going to do that as they don't have your actual device. They select the option that they don't have access to that device and need help from their recovery contact (since they have the recovery device in hand).

They select that they have a recovery code and enter that in from the recovery accounts device.

Next, it asks for the passcode of another iOS device on your account. Since they won't know this, it asks them to choose another device. It brings up a list of your other Apple devices, but they will not know the passcode to any of those devices either (assuming you have passcodes on your devices).

Since they don't know your passcodes, the only other recovery option is to go through Apple, and it states that this may take several days.

When I tried this via a web page (Apple ID forgot password site), it sent a prompt to the test device allowing it to change the password, so a bad actor would inadvertently let you know your account was being probed as you'd get the alert on one of your iOS devices. Even this way, if they say they don't have access to that device, if they don't ultimately know your passcode, they cannot reset your account.

I may have skipped a step in my description above, but I tried this several times, and the bottom line is, if they don't know your device passcodes, they cannot reset your account, other than to start the recovery process from Apple, and they are not going to be able to do that as Apple will require some kind of verification as well and you will certainly be alerted that something is amiss before the account is reset.

Overall, I think the likelihood of someone getting into your account via your recovery contacts device is very, very, remote.
 

awawiwawa

macrumors newbie
Original poster
Oct 20, 2020
16
8
I was curious how this worked myself, so I set it up on a test account and added my real iCloud address as a recovery contact for the test account. I did this process on my iPad via the Apple Support App forgot password option and used my iPhone to create the recovery code. A third iPad mini was the account I was trying to reset (the test account).

Assume that your recovery contact lost their phone or other iOS device, or it was stolen. The question is, if someone broke into your recovery contacts phone, can your account be compromised.

Assume the bad actor has access to the recovery contacts phone and they want to gain access to your account since they see your information in the recovery contacts screen (they can see your iCloud address from this screen).

They start the recovery process to reset the password to your account. First thing it asks them to complete the phone number for your trusted phone numbers. Let's assume they know that since you are likely in your recovery contacts address book (the screen gives the last two digits of the trusted number). If they don't know the number, they cannot go any further.

Assume that they enter in the correct trusted phone number. Next, it asks to send a code to that number. Obviously, they are not going to do that as they don't have your actual device. They select the option that they don't have access to that device and need help from their recovery contact (since they have the recovery device in hand).

They select that they have a recovery code and enter that in from the recovery accounts device.

Next, it asks for the passcode of another iOS device on your account. Since they won't know this, it asks them to choose another device. It brings up a list of your other Apple devices, but they will not know the passcode to any of those devices either (assuming you have passcodes on your devices).

Since they don't know your passcodes, the only other recovery option is to go through Apple, and it states that this may take several days.

When I tried this via a web page (Apple ID forgot password site), it sent a prompt to the test device allowing it to change the password, so a bad actor would inadvertently let you know your account was being probed as you'd get the alert on one of your iOS devices. Even this way, if they say they don't have access to that device, if they don't ultimately know your passcode, they cannot reset your account.

I may have skipped a step in my description above, but I tried this several times, and the bottom line is, if they don't know your device passcodes, they cannot reset your account, other than to start the recovery process from Apple, and they are not going to be able to do that as Apple will require some kind of verification as well and you will certainly be alerted that something is amiss before the account is reset.

Overall, I think the likelihood of someone getting into your account via your recovery contacts device is very, very, remote.
Awesome, really thanks for all the explanations! 💙
 
  • Like
Reactions: VineRider
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.