#FF00AA


11 Dec. 2014

If someone tries to access your iCloud account and you’ve got two-factor auth, you’ll be locked out forever unless you have your recovery key

Does anyone else implement two-factor authentication this way? Because that’s unbelievably stupid. Why would you need to reset an attacked account’s password if they have two-factor auth? And how can you expect 99% of your users to keep a copy of their recovery key — especially when your own website points out that they’ll be able to create another as long as they’ve got their original password and device? This is a policy that can only, mathematically, end up locking out 100% of Apple’s users over time.

I have my recovery key in 1Password, but I’m considering turning two-factor off for my account (assuming that’s even possible), because Apple’s online services can’t be trusted with anything and I feel pretty stupid for signing up to be an early adopter of new security measures that of course they rushed to implement without understanding the consequences.

Don’t forget that, since iOS 7, your devices are locked to your iCloud account. So “just create another account” doesn’t only make you lose everything you’ve ever bought on the App Store.

Want to know when I post new content to my blog? It's as simple as registering for free with an RSS aggregator (Feedly, NewsBlur, Inoreader, …) and adding www.ff00aa.com to your feeds (or www.garoo.net if you want to subscribe to all my topics). We don't need newsletters, and we don't need Twitter; RSS still exists.

Legal information: This blog is hosted by OVH, 2 rue Kellermann, 59100 Roubaix, France, www.ovhcloud.com.

Personal data about this blog's readers is neither used nor transmitted to third parties. Comment authors can request deletion of their data by e-mail.

All contents © the author or quoted under fair use.