
MyFakeAcc

macrumors newbie
Original poster
May 6, 2011
Hi there,

I'm one of the few people still not using 2FA. There's a single reason for that: one specific "emergency" scenario is putting me off.

I'm traveling a lot and usually do so with little to no electronics, except my iPhone. In case it gets stolen I can just go to the next major city, buy a new iPhone, restore from iCloud backup and I'm good to go again. But with 2FA, my "Trusted Phone Number" stolen and no further authentication factor (Apple device) on hand, I have an unsolvable problem, right?

Is there nowadays something I can do in this scenario (short of carrying my MBP with me)?
Apparently, since WatchOS 6 the Apple Watch now is also a potential "trusted device". Given I have one with me and can connect it to the internet* this would solve my problem, wouldn't it?


* Would need a 2.4GHz Wifi without Hotspot-Login-Page though. Not sure how common that is...
 
In your scenario, if your travel is domestic, that same major city should have a store for your cellular provider to get you back up and running with your new iPhone.

More generally, if you are not using 2FA for anything, there are additional ways. My SO and I use 1Password, and store our OTPs there. It is shared between us, so if either of us loses a phone, the other has access.



Hi there,

I'm one of the few people still not using 2FA. There's a single reason for that: one specific "emergency" scenario is putting me off.

I'm traveling a lot and usually do so with little to no electronics, except my iPhone. In case it gets stolen I can just go to the next major city, buy a new iPhone, restore from iCloud backup and I'm good to go again. But with 2FA, my "Trusted Phone Number" stolen and no further authentication factor (Apple device) on hand, I have an unsolvable problem, right?

Is there nowadays something I can do in this scenario (short of carrying my MBP with me)?
Apparently, since WatchOS 6 the Apple Watch now is also a potential "trusted device". Given I have one with me and can connect it to the internet* this would solve my problem, wouldn't it?


* Would need a 2.4GHz Wifi without Hotspot-Login-Page though. Not sure how common that is...
 
No, not unsolvable at all. You should never set up 2FA where your phone is the only way to get into your account. Depending on what service it is you can have backup codes (I carry those on a piece of paper for my Google account when I travel internationally), have backup phone numbers configured (call a trusted person and have them read the code they are sent), have OTP codes in something like 1Password which sync with the cloud and you can reach on another PC/device. My Apple account has several backup numbers configured.
 
Other services are usually no problem as they have means of recovery for such cases, e.g. recovery codes. It's only Apple being problematic here. :/
No, not unsolvable at all. You should never set up 2FA where your phone is the only way to get into your account.
So a standalone Apple Watch (paired iPhone is gone) doesn't count and isn't capable of getting me back into my account on a new device?


What do other people do when traveling? Do you ensure to have multiple Apple devices with you?
 
They get a code sent to their device, right? But then I would need a way to communicate with them which isn't easy, given that my only smartphone was stolen (in this scenario).
 
Sure it would be a minor inconvenience to have to make a phone call from your hotel room or borrowing someone else's cell if you were on vacation. In my eyes it's a small price to pay to have your account always secured by 2FA.
 
Usually I stay at airbnbs, not hotels, so no landline. Not even sure when I last saw a phone booth. Do they still exist? Anyway, it's probably easier to get access to a 2.4GHz Wifi instead of a landline so what about an (unpaired) Apple Watch? It should be able to let me login on a new iPhone, shouldn't it?
 
Because of 2FA and because I don't want to be without a phone if my main iPhone is lost/stolen, I have kept an old 16G iPhone SE as a backup / secondary device when travelling. It is small enough to not be noticed and functional enough to do what is really necessary. ...... and if it is stolen / lost then it isn't exactly a huge loss.
 
Usually I stay at airbnbs, not hotels, so no landline. Not even sure when I last saw a phone booth. Do they still exist? Anyway, it's probably easier to get access to a 2.4GHz Wifi instead of a landline so what about an (unpaired) Apple Watch? It should be able to let me login on a new iPhone, shouldn't it?

In that scenario I'd go to a coffee shop, Kinko's, etc. where I could access a computer. I'd use Google Voice to text a message to one of my trusted contacts saying "Hey what's the code I just had sent to you from Apple?"
 
Apple should really do what others do... Print out backup codes as an alternative... Each code can only be used once, so unless you lose those as well, it should be OK.

I guess Apple never wanted to give people alternative ways, like Dropbox allows you to do.
 
I think the problem with trying to use an Apple Watch is that it can only log onto a wifi if its paired iPhone has already logged onto that wifi. That is not much use if you lose the phone while actually travelling. As you know, a cellular connection is unlikely to work overseas.
Thanks for pointing out this issue. As it happens I have always travelled with either an iPad or a Macbook and so have never thought about the dilemma of 2FA with a lost iPhone.
Having 2FA link to a relative/friend's phone would be a real nuisance at home.
 
For the OP's situation this may be the best option. Pick up the cheapest iDevice (and smallest for travel) you can and use that as your backup.


Because of 2FA and because I don't want to be without a phone if my main iPhone is lost/stolen, I have kept an old 16G iPhone SE as a backup / secondary device when travelling. It is small enough to not be noticed and functional enough to do what is really necessary. ...... and if it is stolen / lost then it isn't exactly a huge loss.
 
I think the problem with trying to use an Apple Watch is that it can only log onto a wifi if its paired iPhone has already logged onto that wifi.
Not at all, with watchOS 6 you can choose from the settings which Wifi you want to access and even enter its password.
 
Anyone know how long those verification codes you get from "Get Verification Code" on your phone are valid? If they're valid for a reasonably long time you could presumably get one before the trip and write it down in a secure place to use if this situation arises.
 
Apple should really do what others do... Print out backup codes as an alternative... Each code can only be used once, so unless you lose those as well, it should be OK.
Other services are usually no problem as they have means of recovery for such cases, e.g. recovery codes. It's only Apple being problematic here. :/

Nobody realistically travels with backup codes, and you shouldn't because they could be exposed in a border search or hotel room break-in.
 
Nobody realistically travels with backup codes, and you shouldn't because they could be exposed in a border search or hotel room break-in.
First and foremost: I do.
And regarding the second half of your sentence: that's not how it works.
When someone steals my luggage/codes from my hotel room then I still own my device and can simply invalidate those codes. If someone robs me and steals my device I still own the codes stored in my hotel room and I can recover access to my account. The only scenario where you are right is when someone robs me at gunpoint in my hotel room, forcing me to hand over all of my devices and backup codes together. And that's what I'd call unrealistic.

Not at all, with watchOS 6 you can choose from the settings which Wifi you want to access and even enter its password.
Also since watchOS 6 the Apple Watch is officially listed as "authentication factor". Previously it wasn't.
But I haven't heard from anyone (yet) using it in such a case. And the necessity for a non-hotspot 2.4GHz Wifi might make it hard in reality.
 
Nobody realistically travels with backup codes, and you shouldn't because they could be exposed in a border search or hotel room break-in.

It's not like you're going to tell anyone you're traveling with the codes, and you're probably not going to write them like this:

iCloud Verification Codes for myemail@gmail.com:

885 572 (USED)
822 752
385 319

No, you're just going to write a code on a scrap of paper and shove it into a seam of your luggage and anyone who finds it will have no context as to what it is. You could even write it as a fake phone number with the code being the last six digits.

Also, a hacker needs your password to even get a chance to use the codes. You can keep your password in your head.

This is all just a contingency for an extremely unlikely event anyway.
 
It's not like you're going to tell anyone you're traveling with the codes, and you're probably not going to write them like this:

iCloud Verification Codes for myemail@gmail.com:

885 572 (USED)
822 752
385 319

No, you're just going to write a code on a scrap of paper and shove it into a seam of your luggage and anyone who finds it will have no context as to what it is. You could even write it as a fake phone number with the code being the last six digits.

Also, a hacker needs your password to even get a chance to use the codes. You can keep your password in your head.

This is all just a contingency for an extremely unlikely event anyway.

100% this. I travel with my Gmail backup codes. There's no way I would write my account on that paper. Someone would need that and my password to make use of them (as you said).
 
First and foremost: I do.
And regarding the second half of your sentence: that's not how it works.
When someone steals my luggage/codes from my hotel room then I still own my device and can simply invalidate those codes. If someone robs me and steals my device I still own the codes stored in my hotel room and I can recover access to my account. The only scenario where you are right is when someone robs me at gunpoint in my hotel room, forcing me to hand over all of my devices and backup codes together. And that's what I'd call unrealistic.

That's not how it works. The border patrol or industrial espionage robber simply plays the lost phone scenario. First, your password is compromised via a keylogger, spy camera, phishing or poor password hygiene. This is exactly the scenario that 2-factor protects against.

Now with the recovery key and therefore account access, they can simply log in and download your iCloud drive, and worse, they can download your device backups. Now they have unimpeded access to your data.

This is not theoretical. The software to do this is $80:

By design, if an attacker can access the recovery key, then two-factor authentication is completely worthless. By carrying the recovery key, especially internationally, you are defeating its use precisely in a higher risk environment.

It gets even worse when you consider the lost password flow. In the old two-step system, you needed two of three factors (trusted device, recovery key, password), to access your account. Due to permanent lockouts, Apple weakened the policy. Therefore, Apple lets you now reset your password with only your phone number, any other iOS device and your recovery key. The recovery key now defeats the password.
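
The disagreement in the posts above turns on whether a factor is taken (the owner notices and can revoke it) or copied (the owner notices nothing). The following is an added example, not part of any post in the thread: it models the two-of-three rule the post above describes for the old two-step system, and the kept/stolen/copied states and the limits on which factor can be copied are simplifying assumptions introduced here.

```python
from itertools import product

FACTORS = ("password", "trusted_device", "recovery_key")
THRESHOLD = 2  # two-of-three rule, as the post describes the old two-step system

# Modelling assumptions (not from the thread): a factor is "kept", "stolen"
# (owner loses it and notices) or "copied" (owner keeps it, notices nothing).
# A memorised password can leak but not be taken; a phone can be taken but
# not silently duplicated; a paper key can be taken or photographed.
ALLOWED = {
    "password": ("kept", "copied"),
    "trusted_device": ("kept", "stolen"),
    "recovery_key": ("kept", "stolen", "copied"),
}

def assess(scenario):
    """Return who meets the threshold and whether the owner has a visible loss."""
    owner = [f for f in FACTORS if scenario[f] != "stolen"]
    attacker = [f for f in FACTORS if scenario[f] != "kept"]
    return {
        "owner_can_recover": len(owner) >= THRESHOLD,
        "attacker_can_enter": len(attacker) >= THRESHOLD,
        "owner_alerted": "stolen" in scenario.values(),
    }

def all_scenarios():
    """Every combination of per-factor states permitted by ALLOWED."""
    for combo in product(*(ALLOWED[f] for f in FACTORS)):
        yield dict(zip(FACTORS, combo))

def silent_compromises():
    """Attacker meets the threshold while the owner has nothing missing."""
    return [s for s in all_scenarios()
            if assess(s)["attacker_can_enter"] and not assess(s)["owner_alerted"]]

# Constructed scenarios matching the cases argued in the thread.
THREAD_CASES = {
    "luggage with paper key stolen": {"recovery_key": "stolen"},
    "phone stolen on the street": {"trusted_device": "stolen"},
    "password keylogged, key photographed": {"password": "copied", "recovery_key": "copied"},
}

def run_case(changes):
    """Start from 'everything kept' and apply the listed changes."""
    return assess({**dict.fromkeys(FACTORS, "kept"), **changes})

if __name__ == "__main__":
    for name, changes in THREAD_CASES.items():
        print(f"{name}: {run_case(changes)}")
    print("silent compromises:", silent_compromises())
```

In this model a single visible theft never gives the attacker two factors, while the one silent path to account access is a leaked password combined with a copied recovery key.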
 
You can use a non Apple device for 2FA (another family member's phone, landline etc). Granted, it wouldn't be the easiest method but, it can still be done.

Yep... Wife's cellphone or a Google Voice #... Can't imagine having 2FA without that.

That said, I did have to replace my iPhone at an Apple Store one time because of a red screen - they insisted on setting it up ... couldn't log into my iCloud account because I had no other Apple device at the time (wife did not go with me). lol. Like others said, a small price to pay for 2FA.
 
Usually I stay at airbnbs, not hotels, so no landline. Not even sure when I last saw a phone booth. Do they still exist? Anyway, it's probably easier to get access to a 2.4GHz Wifi instead of a landline so what about an (unpaired) Apple Watch? It should be able to let me login on a new iPhone, shouldn't it?
You mentioned you have a Google account. Just set up a Google Voice number and use that as a trusted device. You can check that online with any browser and receive text messages.
 