An Apple security feature designed to protect customers has inadvertently given iPhone thieves a way to lock victims out of their Apple account entirely.
Introduced in 2020, recovery keys are randomly generated 28-character codes that can help users retrieve their Apple ID account when they don’t have enough information to reset their password.
Unfortunately, as the Wall Street Journal points out in a report, the feature can also be used by savvy phone thieves to eliminate any chance of victims regaining access to their account once the password has been changed.
What’s more, while victims of phone theft may be able to recover stolen money racked up through Apple Pay or financial app payments made through their iPhone, retrieving data is harder. A call to the bank may be enough to seal off a compromised credit card but, as the WSJ report shows, retrieving photos, notes, messages and other files from Apple is much more difficult.
One such victim, Greg Frasca, had his iPhone 14 Pro stolen in a bar in Chicago. The thieves used his passcode to change his Apple ID password and then flipped the recovery key to lock him out completely. Mr Frasca’s Apple account contains the only copies of eight years of photos of his young daughters, and the 46-year-old has offered to fly from Florida to Apple HQ in Cupertino to prove his identity in order to restore access to his account.
“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesman said of the issue.
“We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”
How to add a recovery key
Apple advises users to safely store copies of their recovery key in more than one place or to pass it on to a trusted family member or friend instead.
If you do want to add one to your account, it can be found as an option in the Password & Security menu under the Apple ID option in your iPhone’s Settings app.
Scroll down and you should see an Account Recovery button; tap on this to be taken through the setup process for adding a recovery key.
If you want to know more, here's our full guide on how to set up an Apple ID recovery key.
It bears pointing out that Google employs a different method for recovering an account. The company’s password-reset process asks for an email, phone number or password to allow users to regain access later — even if they’ve been changed by an imposter.
Meanwhile, our guide here will tell you what to do when your iPhone is disabled.