iOS 15 brings two new ways to recover your Apple account if you’re locked out. Or one unique way and one improved way. Creating a recovery key is now much easier than before, and you can designate a friend or family member as a Recovery Contact, kind of like leaving a spare key with a neighbor. This is great if you get locked out, but it adds another vector for attack.

“Users should be aware that all the data in their iCloud is encrypted with end-to-end encryption, both in transit and at rest. But should someone steal their Apple ID and iCloud account credentials, they can log in and intercept everything kept in that iCloud account,” Daniel Markuson, a digital privacy expert at NordVPN, told Lifewire via email.

Unlock

Getting locked out of your Apple account could be a major hassle. You lose access to all your purchased apps, stored data, and your entire photo library if you don’t have local backups. At the same time, you want to keep it as secure as possible.

To set up a recovery option, you head to a new Account Recovery section in the Password and Security pane of your iCloud settings. Yes, it’s buried deep, but you shouldn’t need to visit very often.

In there, you can set a recovery key, which is a long string of letters and numbers that serves as a backup passcode. Write it on paper, and keep it somewhere safe.

But the new option is more interesting. It allows you to name another Apple user as your Recovery Contact. The setup helper will suggest members of your Family Sharing group if you are in one, but you can select any five contacts you like. They must also be using iOS 15 or iPadOS 15 to participate. Family members are added immediately. Other contacts will have to accept an invitation.

Security Hole

The problem with designating someone to help is that you have to trust your recovery contact. It’s not that they will use their newly bestowed powers to access your account and rip you off. It’s that they are now a vector for attack. Any hacking attempt previously aimed at you alone also will be effective against your recovery contact. Apple does make some efforts to mitigate this vulnerability. You will have to remember who you added because Apple—for security reasons—will not. There’s no list to be stolen or otherwise accessed. But if somebody knows you, they can probably guess who you have entrusted, and will probably also know that person. And they’d need access to one of your devices to input the recovery code.

“Even if someone can be used as a recovery contact, they won’t have any access to the person’s account they’re helping, which makes it safe,” Sarah Kiran, chief editor at Good Cloud Storage, told Lifewire via email. “They can only help the other person with the provided code so that they can log in again.” So perhaps there’s very little to worry about. As with all security measures, it’s a compromise between being secure and being convenient. The best way to lock down an account is to switch off all recovery options, iCloud email resets and the like, turn on two-factor authentication, and set a recovery code.

There are some general security hygiene practices you can follow, too. “To check if your iCloud is being monitored and to remove any unknown users (devices), simply go to your iPhone settings and tap your name to access your Apple ID account. From there, access the list of devices assigned to your account. If you find a device you do not recognize, you can remove it from the account,” says Markuson.

In conclusion, Apple’s new Recovery Contact option seems to have few downsides. If you’re the family nerd, you might want to set it on other family members’ accounts so that you can help them out in the future.