Several hours ago, I received a bunch of e-mails from Apple stating that one of my devices has been removed as a trusted device.
I naturally did not click on any links in that e-mail and instead logged in directly via Apple’s website.
Now I need to back up a bit and give a brief synopsis of what two-step verification is (Apple’s name for the older scheme, which is the one this post is about). Once set up on Apple’s end, your identity is confirmed using one of your trusted devices whenever you sign in to Apple’s site to manage your Apple ID, sign in to iCloud, or make an iTunes or App Store purchase.
A 4-digit code is sent to the trusted device of your choosing, which you must then enter to complete any of the above. Herein lies the problem if that device happens to be removed as a trusted device: you are potentially stuck in a catch-22, effectively locked out of completing the verification process, because the device that would receive the code is no longer trusted.
In my case, only one of my trusted devices had somehow been removed. One way it can be automatically removed is if you happen to reset/erase the device. That was not something I did, though. Searching online, I found this to be a far more common problem than I realized. Those who contacted Apple Support found the details lacking, except for support engineers stating that this was a “known glitch” on Apple’s side in cases where no suspicious account activity was seen (only Apple Support can see these logs).
Obviously, this is a problem if you have only one trusted device verified and that device is removed by an Apple-side glitch. In my case, I had other devices verified and was able to authenticate with one of them to access Apple ID account management, where I re-verified everything.
If you no longer have access to any trusted devices, you will have to supply the recovery key that was generated when you originally set up two-step verification. Without that, the remaining option is an automated recovery process that applies several forensic-style tests (some of your previous security questions and answers, plus a comparison against the IP addresses that previously accessed the account). This last method is completely automated and basically a last-ditch effort. Many companies, including Google, use this type of last-ditch account recovery, but more often than not recovery fails the IP check (if you changed ISPs, or if the ISP itself made networking changes, which is common given load balancing), and then you are pretty much hosed.
The fact that one can potentially be locked out of their Apple ID entirely due to an Apple-side glitch is utterly disturbing, though. All of your digital content and purchases are tied to that account. While there are multiple steps that allow for account recovery, users need to take proactive steps to make sure they have multiple (and secure) recovery methods, so that the recovery process is less painful than it can potentially be.
It’s best to have at least two other trusted devices (iPad, iPhone, or iPod touch), and to make sure you know where your recovery key is in the event that such a glitch causes this automatic removal. For those who have upgraded to iOS 9 and/or OS X El Capitan on any Mac, switching to the newer two-factor authentication is recommended if it’s available for your Apple ID (the new method is being rolled out in phases over the fall).