Apple ID adds recovery key option, but it’s not yet ready for you to use
- 26 November, 2020 00:00
In a little-noticed change that arrived with iOS 14 and iPadOS 14, Apple re-enabled the option to have a recovery key associated with an Apple ID. The Apple ecosystem-spanning account system offers two-factor authentication, which requires both a password and a device or phone number associated with the account to log in. The recovery key layers on top of that.
A warning, first! Apple has updated the necessary pieces of iOS, iPadOS, and macOS to let you set a recovery key. But weeks after iOS 14 and iPadOS 14 were released, the Apple ID support sites, the Apple Support app, and the Find My app have not been updated for this newly revived recovery key, even though various support documents now correctly explain some of the details of how it’s intended to work.
I recommend not enabling a recovery key until Apple has fully updated its ecosystem to explain and support the feature. We’ll update this article when that happens.
The new recovery key limits access severely
With an Apple ID recovery key enabled, the account’s password can’t be changed through any means except on a trusted device and with possession of the key. A trusted device is one logged into iCloud using the Apple ID (or an account within macOS logged into iCloud with that account), and enrolled in two-factor authentication. This acts as a deterrent to hijacking, as it prevents someone from attempting to change the password through the Apple ID Web site or the iForgot Apple password recovery site.
You can also use the recovery key to regain access to an Apple ID if it’s locked by Apple for security reasons, which can include too many failed login attempts—including attempts by a third party over whom you have no control. Locking you out of your Apple ID through deliberately bad login attempts is a form of denial of service (DoS), though Apple tries to block such attempts quietly, by identifying patterns.
Without a recovery key, Apple offers a special Apple ID recovery process, which is intentionally designed to take time and require substantial documentation to prevent identity theft.
With a recovery key, this last-ditch option is no longer available. If you lose all access to your trusted devices, through accidental loss, theft, or natural disaster, and you don’t have your recovery key recorded, your Apple ID account is completely irretrievable. So you need to balance the increased account integrity you would gain against the potential of losing your account forever in the worst circumstance.
Recovery key has shifted in use over time
Apple uses the term “recovery key” for several different elements across macOS, iOS, iPadOS, and its Apple ID account management system. In all these cases, the recovery key is an “out of band” element: a long code that’s generated when you create an account, enable FileVault in macOS, or turn on extra security—and the key is shown only once, ever. An encrypted form of the code is all that Apple retains, and there’s no way to retrieve the original key if you didn’t record it when it was displayed initially.
Apple first offered a recovery key alongside its earlier two-step verification for Apple ID, an account-hijack deterrence system put into place after several iCloud accounts and associated photos and other data were accessed through social engineering and password guessing way back in 2013. The recovery key was an additional way to make sure people didn’t lose access to their accounts if they lost or forgot necessary login elements.
In 2015, Apple shifted from the quick-fix of two-step to a more integrated, more cleverly designed two-factor authentication system across all its devices. As part of that, Apple dropped a recovery key as an option for most accounts. (Some legacy two-step accounts that were upgraded automatically by logging into a later version of iOS or macOS did retain it.)
This new recovery key is 28 characters long, displayed as seven groups of four alphanumeric characters separated by hyphens. (The old one was 14.)
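To make the out-of-band idea concrete, here is an added Python model of the mechanism described in this section. It is not Apple’s code and does not describe how Apple actually generates, stores, or checks the key: it only illustrates the properties the section lays out. The key is 28 characters shown once in hyphenated groups of four; the account side keeps only a salted scrypt verifier, so it can check a presented key but not recover it; the retype-to-confirm step compares canonical forms in constant time; and regenerating the key silently invalidates the old one. The alphabet (upper-case letters and digits), the scrypt parameters, and the Account class are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumed for this example, not taken from Apple: the key alphabet and layout.
ALPHABET = string.ascii_uppercase + string.digits
KEY_LENGTH = 28   # 28 characters, matching the length the article gives
GROUP = 4         # shown as hyphenated groups of four
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # illustrative cost parameters


def generate_recovery_key() -> str:
    """Fresh key from a CSPRNG, formatted XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
    return "-".join(raw[i:i + GROUP] for i in range(0, KEY_LENGTH, GROUP))


def normalize(entered: str) -> str:
    """Canonicalise what a person typed: drop hyphens and spaces, upper-case,
    then insist on exactly 28 characters from the alphabet."""
    canon = "".join(ch for ch in entered.upper() if ch not in "- ")
    if len(canon) != KEY_LENGTH or any(ch not in ALPHABET for ch in canon):
        raise ValueError("not a well-formed recovery key")
    return canon


def make_verifier(key: str) -> dict:
    """What the account side retains: a random salt and a scrypt hash of the
    canonical key. Enough to verify a presented key, not enough to recover it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(normalize(key).encode(), salt=salt, **SCRYPT)
    return {"salt": salt, "hash": digest}


def check_key(verifier: dict, entered: str) -> bool:
    """Recompute the hash for the typed key and compare in constant time.
    Malformed input is simply rejected rather than raising."""
    try:
        canon = normalize(entered)
    except ValueError:
        return False
    digest = hashlib.scrypt(canon.encode(), salt=verifier["salt"], **SCRYPT)
    return hmac.compare_digest(digest, verifier["hash"])


def confirm_transcription(shown: str, retyped: str) -> bool:
    """The 'enter the key exactly to verify' step after the key is displayed:
    the user proves they recorded it correctly. Hyphens, spaces and case are
    forgiven; any wrong character is not."""
    try:
        return hmac.compare_digest(normalize(shown).encode(),
                                   normalize(retyped).encode())
    except ValueError:
        return False


class Account:
    """Illustrative account record (an assumption of this example): it holds a
    verifier or nothing, never the key itself."""

    def __init__(self) -> None:
        self.verifier = None

    def enable_recovery_key(self) -> str:
        key = generate_recovery_key()
        self.verifier = make_verifier(key)
        return key  # displayed once; the caller must record it

    def regenerate(self) -> str:
        """Creating a new key replaces the verifier, so the old key stops working."""
        return self.enable_recovery_key()

    def check(self, entered: str) -> bool:
        return self.verifier is not None and check_key(self.verifier, entered)

    def disable(self, entered: str) -> bool:
        """Turning the key off requires presenting the current key."""
        if not self.check(entered):
            return False
        self.verifier = None
        return True


if __name__ == "__main__":
    acct = Account()
    shown = acct.enable_recovery_key()
    print("Record this now; it will not be shown again:", shown)
    print("typed with spaces and lower-case still verifies:",
          acct.check(shown.lower().replace("-", " ")))
    old = shown
    shown = acct.regenerate()
    print("old key after regeneration:", acct.check(old))
```

Two points the model makes visible: once `make_verifier` has run, nothing in the account can give the key back, which is exactly why the display-once step matters; and `normalize` is what lets a person type the key from a paper note without fighting the hyphens, while still rejecting anything that isn’t a well-formed 28-character key.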
Activate a recovery key
You can activate a recovery key in either macOS or iOS/iPadOS.
Open the iCloud preference pane in 10.14 Mojave or earlier, click the Account Details button, and click the Security tab. Or go to the Apple ID preference pane in 10.15 Catalina or later and click the Password & Security item.
Click Turn On next to Recovery Key.
When prompted, agree to create the key.
Enter the password for the account you’re logged into.
macOS displays the recovery key. It cannot be copied; you have to type it into another piece of software or write it down. I suggest using a password manager to retain it securely, preferably one that syncs to central storage that only you can decrypt to let you regain access if all your devices were unavailable. Click to continue.
Enter the recovery key precisely to show you have it recorded correctly, and then click to verify.
In iOS or iPadOS:
- Go to Settings > account name > Password & Security > Recovery Key.
- Tap the switch to enable it.
- Confirm you want to add a recovery key.
- The key is displayed. Write it down or type it into a password manager. Tap to continue.
- Enter the key exactly and then tap to verify.
Use a recovery key to recover account access
Apple doesn’t yet fully document how to use a recovery key as an element of changing your Apple ID password nor in recovering access to a locked account. The online documentation suggests, “you can try to regain access using your trusted device protected by a passcode. Or you can use your recovery key, a trusted phone number, and an Apple device to reset your password.” But the steps aren’t documented, and I’ve been able to trigger a request for a recovery key.
In one location, Apple suggests using Find My or Apple Support on someone else’s iPhone or iPad to regain access, but because you can’t use the Apple ID management site with a recovery key, neither of those apps will help. We have reached out to Apple for more information about the exact sequence of steps required.
Regenerate or disable a recovery key
You might lose the record of your recovery key or become concerned it was compromised by someone who gained access to wherever you stored it. You can simply regenerate it from any trusted device; the old key stops working as soon as the new one is created.
In macOS, navigate to the location above where you enabled the recovery key and click Create New Key. In iOS or iPadOS, go to Settings > account name > Password & Security > Recovery Key and tap Create New Recovery Key.
If you no longer want to restrict password-reset access and would rather have Apple’s last-ditch recovery option available, you can turn off the recovery key. Go to the same place you would use to regenerate it. In macOS, click Turn Off and enter the recovery key to confirm. In iOS or iPadOS, tap Recovery Key, tap the switch to disable it, and enter the recovery key to confirm.