Aldonin

macrumors newbie
Original poster
Jun 29, 2011
19
0
Caracas, Venezuela
First of all: the idea of this post is to discourage the use of Two Step validation for Apple IDs.


Back in April I opted in for the Two Step verification process since I had a previous great experience with Google's. When you sign in you receive some sort of "master code", a very long and complex password, and get told that you can go through the two step in two ways:

1) Using this master password.
2) Receiving a 4 digit code sent to any of your registered mobile devices.

Short story: printed out master password, hid it well, got lost while moving into a new home. Later in March, while spending some time in Barcelona, my iPhone started malfunctioning; I took it to the Macstore, where a Genius replaced it for free. This was great! I used my Apple ID login details and got back all my data from iCloud as it should be. So far great.

A week later or so I try to buy an app from my replaced iPhone. After using my password I get a prompt message: Apple ID Two Verification process needs you to input a 4 digit code. Okay! Please send it. Oh! I don't get any. Hmm, that's weird, perhaps the code sending server is down. Tried for a week and no code.

Okay, decided to call Apple Customer service. The support specialist and I made clear the following:

1) That I am still able to access iCloud from ANY computer (not a known computer). I can walk into any computer and use my login and password to access all my iCloud info and even track my new replaced iPhone. Add new mobile devices, etc.

2) That using the same login and password I am still able to go into any computer and introduce my login and password in iTunes and purchase any iTunes content, download my iTunes Match songs, etc.

3) That I can take any iPhone or iPad and use my login and password to retrieve all my personal data.

4) That I can't purchase Apps from my iPhone.

The support person really did not know how to handle this. She escalated my case twice during the length of the phone call. Finally she came with an answer:

I'm very sorry, I actually don't quite understand this well but since you lost your recovery key and your registered mobile device, you now will be unable to access/modify your Apple ID. There's nothing we can do about it, perhaps try sending an email to Apple Feedback.

I was shocked. Yes, I did lose the recovery key, that was my mistake. But I think that it is a total fail that for instance the Genius at the Apple store never bothered to ask if I had other registered devices (even if I had not lost the recovery key, I still was away from home for a month).

And then, what crap of security system allows anyone with my password and login to access all my data, purchase anything from iTunes on a desktop/notebook, even register and track mobile devices on iCloud but won't let me edit my Apple ID?

I believe that considering the total lack of explanation from the Genius bar plus the responses from the support call center and the fact that anyone with my login and password can still get all my data and do some shopping, I see Two Step verification as an incomplete/failed implementation.

Put it this way: although I enabled Two Step verification, I still needed to call my bank and ask for a replacement credit card (this was actually suggested at Apple's call center) because well.. I was not able to access my Apple ID to manage/remove my card but still anyone with my login and password could buy stuff.

Oh, of course the support representative told me: We cannot transfer any purchases to a new Apple ID account, so basically 100+ apps, 4000+ songs, 2 Mac OS versions... well, I'll have to transfer these "manually". Yet.. I can still buy new songs on my locked Apple ID :)
 