Why Apple’s Two-Step Authentication Can Be Dangerous

Apple offers two-step authentication for iCloud accounts, but their version of this process is quite rigid, and is downright dangerous. Owen Williams writes about this in an article for The Next Web, showing how he was nearly locked out of his account.

His account was locked for “security reasons;” in other words, someone tried to get into his account, and presumably made too many login attempts, and the account was automatically locked. No problem; just use the recovery key that he got when setting up two-step authentication… But, as Williams says, “How could I be foolish enough to misplace my Apple ID recovery key?”

And there’s the big problem with the way Apple implements two-step authentication.

Two-step authentication combines the need for a password and a code that is sent to you on a device you own. So, when logging into your account from a new device (you don’t do this every time you log in), you’ll get an SMS sent to your phone with a code. You need to have more than one device, in case you lose one of them. For example, if you lose your phone, you need to be able to log in on a computer, and add a new phone as a trusted device. (Hmmm, what does happen if you lose both your computer and phone…?)
In Apple’s case, there is a recovery key, which you can use if you no longer have any trusted devices; this code is also needed if your account gets locked for any reason.

So the real problem is ensuring that you save the recovery key. Apple recommends that you print it out, and keep it in “a safe place,” and that you do not save it on your computer. (Though saving it in an app such as 1Password would be fine.) If you do this, you’ll have no problems. But if you don’t, then you could get locked out of your account; Apple makes this very clear.

So, Apple’s two-step authentication is dangerous, but if you follow the instructions to the letter, you won’t have anything to worry about. As far as I’m concerned, I’ve never set it up, because while the risk of losing access to the account is minimal, it exists. If my house were to burn down, and I lost both physical and digital access to the recovery key, then I’d lose access to a lot of my stuff. If you use this two-step authentication, make sure to have a copy of that key somewhere safe, and make sure to remember, say ten years from now, where you put it, in case you need it then.