best practice for not being locked out (two factor)?

[rb24]

A friend, moving country, handed in her corporate iPhone and the number that went with it was axed.

She'd removed it from her trusted devices and then was trying to do something on her 15inch Macbook Pro, probably to do with iCloud. Needed 2-factor authentication. Gradually she realised that was impossible. Then that it was necessary to embark on the "account recovery" procedure. In the OSX preference pane it said that it could take "up to a week". When she got a confirmation e-mail it said it would take A MONTH. (Launched Feb 6th 2019 - expected March 6th).

HOLY COW.

She needs to be able to setup a new iphone and it's quite impossible. Morever she's locked out of a bunch of data on her Mac. And there are new operations she can't perform. And there's no way out of this through Apple support

ONE MONTH!!

So this sets me thinking. If I'm on holiday and lose laptop / phone there is no logging into iCloud through a hotel computer (not that I'd do that out of anything less than desperation). Which means I'd be left with just the phone numbers I can remember. Errrr.

As far as can see would not have a chance of getting connected until had contacted phone operator and they had sent me a new SIM. So you're on some Caribbean island and... how is that going to go? It looks like Apple have outsourced all responsibility for ID identification to the phone operators. Like they are particularly trustworthy or secure. And the mailman....

So what are we supposed to do?

It seems one can add additional trusted phone numbers for receiving two factor codes. So maybe like the landline of aging parents. Trustworthy, yes. Though a savvy criminal could figure a way....

What would you do? What are the best practices? Is Apple going to keep us in this terrible situation or are they in the process of working towards a better solution?

 

[Audit13]

To be safe, set up a firmware password, enable encryption, turn on MacBook location in settings, sign into iCloud on the MacBook, enable Find my Mac, and disable two factor authentication.

I've done this on my MacBook pro and air.

 

[Cashmonee]

Best I can tell, TFA is working as intended in the situation you mention. That is the point to it in fact. The more ways you allow to get the second factor, the less secure it is. As for contacts, I would suggest a second location such as Google for storing them. Also, I would suggest you memorize at least a few important phone numbers or email addresses. I mean, what you are talking about would suck, but not be an impossible situation.

I am not sure what Apple could do without making things less secure.
[doublepost=1550173195][/doublepost]

To be safe, set up a firmware password, enable encryption, turn on MacBook location in settings, sign into iCloud on the MacBook, enable Find my Mac, and disable two factor authentication.

I've done this on my MacBook pro and air.

I wouldn't recommend this. Two factor authentication is almost a requirement these days wherever possible. I mean how many hundreds of millions of logins have been shown in the wild the last month?

 

[Audit13]

I wouldn't recommend this. Two factor authentication is almost a requirement these days wherever possible. I mean how many hundreds of millions of logins have been shown in the wild the last month?

Sorry, not sure what you mean by logins.

What's wrong with encryption and firmware password since neither of these require internet access? Thanks.

 

[rb24]

Firmware password: good idea, have never done that. Seems that these days it's impossible to turn off TFA, it's now obligatory.

Keeping contacts in a second location makes sense. Are there any decent alternatives to google, the one company who you know are constantly looking for ways to monetise your data?

Realise that one of the things I'd been counting on being able to do in an emergency was to access my iCloud Keychain and thence all those impossible computer generated passwords.....

 

[Apple_Robert]

It is always a good idea to have a trusted device backup. That way you won't get locked out.

 

[Cashmonee]

Sorry, not sure what you mean by logins.

What's wrong with encryption and firmware password since neither of these require internet access? Thanks.

Nothing is wrong those and they are both good ideas for securing your hardware. Neither help with securing your cloud accounts though. That is where TFA comes in. Apple's TFA is for iCloud and your Apple ID, which would be required to sync things like contacts. By turning off TFA, anyone with your username and password would have access to your iCloud and Apple ID.

Essentially we are talking about two different things. One is for the physical device and the other is for your iCloud and Apple ID accounts.

 

[Audit13]

Nothing is wrong those and they are both good ideas for securing your hardware. Neither help with securing your cloud accounts though. That is where TFA comes in. Apple's TFA is for iCloud and your Apple ID, which would be required to sync things like contacts. By turning off TFA, anyone with your username and password would have access to your iCloud and Apple ID.

Essentially we are talking about two different things. One is for the physical device and the other is for your iCloud and Apple ID accounts.

I see where you are coming from.

Thanks for the insight.

 

[Stephen.R]

What would you do?

My iCloud account is linked to 3 devices.. 4 if you count a Mac not running Mojave. It's unlikely I'll lose access to all of them simultaneously.

Another suggestion is: don't use a "work" phone for your personal stuff.

 

[rb24]

Also have laptop clones to physcial drives. But a) the very latest document backups are to iCloud; b) the passwords for encrypted drives are on iCloud keychain!

Now the thing about having additional devices that can receive verification codes linked to iCloud account is that they in a sense pose a security risk. Hard to keep track of lots of devices.

 

[Stephen.R]

Now the thing about having additional devices that can receive verification codes linked to iCloud account is that they in a sense pose a security risk. Hard to keep track of lots of devices.

For me - it's an iPhone I take with me everywhere, a Mac mini in my home office, a 2018 MBP that is mostly just a "spare" and sits on the desk in the office - if I go away, it will go with me. The 4th is a 2011 MBP that my wife currently uses for some basic use - but that will soon become an iTunes server and thus be sitting on a bench/etc somewhere.. So not really much to "keep track of" when they're predominantly in my own house, or with me if I go somewhere.

 

[chscag]

I'm not sure any of that matters since Apple no longer allows you to turn off 2FA once it has been turned on. One of the reasons Apple is getting sued.

 

[Stephen.R]

If by "any of that" you mean additional verified macos/ios devices: the purpose of those isn't to turn off 2FA, it's to have machines that can generate valid 2FA codes.
[doublepost=1550223647][/doublepost]

One of the reasons Apple is getting sued.

I think the American legal system's propensity for ridiculous lawsuits is probably a bigger reason.

 

[MisterSavage]

Best I can tell, TFA is working as intended in the situation you mention.

I was going to say the same thing. I actually think the month wait is a good thing. If someone is trying to impersonate me and break into my account I want as much time as possible to realize and stop it. I have my iPhone, iPad, and Mac all listed as trusted devices, which means two factor prompts are sent to them when a new login is detected. If my house burns down and I lose all three of those I have trusted phone numbers specified that are people I can trust to tell me what my two factor code is when I specify that it should be sent to them.