Among the new features of iOS 7 is an antitheft Activation Lock that prevents someone else from erasing and reformatting your iPhone. This is a great feature that could prevent a thief from stealing your device and reselling it and some police departments are advising citizens to upgrade to iOS 7. In a nutshell, the way Activation Lock works is that if you have Find My Phone turned on, you must have the password associated with its Apple ID in order to turn off Find my Phone, erase or reactivate the device. This is great in theory, but in practice the strategy relies on some advance planning by device owners to prevent a disaster.
In iOS 7 your Apple ID has new features
The Apple ID is your gateway to Apple’s ecosystem and can include your iCloud email as well as all your purchases from the App and iTunes stores. It can also be used to lock down or erase a device remotely so adding the ability to prevent resale is logical.
However, given the immense power an Apple ID holds, the system is ripe for hackers. Phishing scams are common, and Apple has worked hard to lock down the ability of non-authorized users to reset the passwords including rolling out two-factor authentication last year.
The problem for iOS 7 users arises when they lose access to their Apple ID. Previously when a user lost access to their account, they potentially lost access to previous purchases or the associated Apple email, but with iOS 7 they now lose the ability to reset or resell their phone. As Apple stated in its knowledge base article, even Apple technicians may not be able to provide service.
How do you lose access to your Apple ID?
Sometimes it’s due to an Apple account lockout due to a phishing attempt, but there can be other times when someone else typed your ID thinking it was theirs and boom: you are locked out. That’s happened to me more than once and the solution is simple: go to iForgot and reset your password by answering security questions or providing your recovery key if you enabled two-token authentication. You remember all those answers and that key, right?
That’s the first snag. If you forget the answer to your security questions, you are locked out. Even worse is a hacker that changes the answers or guesses yours, which means your device is treated as stolen. Contacting Apple might provide help but if you have two-token authentication set up you’ll need two of these three items: the password, a trusted device and a recovery key which is a 14 character alpha-numeric code you provide apple if you have lost your password (or your device). The device you hopefully have and wasn’t stolen. If it was stolen and Apple reset your password, then ouch.
Of course, you have that recovery key right? You know exactly where it is and how to access it. I didn’t until I started hearing horror stories from clients and friends. Treat that recovery key as an important document like your birth certificate and car title. I keep my recovery key near both those documents because all these magic pieces of paper say who I am and what I own. Without them I could potentially lose access to my information. Your recovery key is your last and best way to prevent this problem.
The second issue is when an iOS device is sold, given away or repossessed. Apple has specific instructions on what to do when device ownership is transferred but if the original owner forgets this step, then the new owner is out of luck without the assistance from the original owner. This normally shouldn’t be a problem if the sale was legitimate, but what happens when the the original owner has passed away or is otherwise inaccessible?
In particular, I see this coming into play during divorces when husband and wife share an Apple ID for purchases or a child goes off to college and Find My Phone is associated with the parent’s ID. Additionally when an employee returns a device to their employer upon separation, they may be reluctant to remove the Apple ID from the unit out of spite.
However, the most obvious (and fully preventable) scenario is simply having out of date information in your Apple ID account. Your recovery email might be from an old employer or ISP and you might not remember the answer to Apple’s esoteric and cryptic security questions. Some of the questions Apple asks can change over time such as “secret word” or “lucky number.” Perhaps you set up two-token authentication and can’t find that super-important recovery key or forgot to update the list of your trusted devices. For whatever reason, if you can’t get into your Apple ID, you can’t fully use your devices.
1) A unique password: With databases of IDs and passwords being hacked all the time, now is the time to make your password exclusive to your Apple ID.
2) Current email address: Make sure all the email addresses you have listed are current and accessible by you. Find someone you trust (spouse, parent) who can be listed there as a just-in-case scenario should something happen to you.
3) Correct security questions and answers: Check those security questions and verify they are still valid answers (and can’t be answered by searching the internet). Keep these answers in a safe place.
4) For two-token users: You won’t have the security questions. You’ll need to make sure that your trusted device list is up to date. Until I wrote this article, I had forgotten that Apple had replaced my iPhone 4 due to a problem and the new one was no longer a trusted device. I removed devices I had replaced and verified my new devices. I also made sure that my spouse’s phone was a trusted device so he could access my account in case of emergency.
Now is the time to do this so you never lose access to your devices. If you give away or sell your iOS 7 device, Apple recommends turning off the Find my Phone feature and removing the device for your Apple ID, and explains how to check that information before buying a used iOS 7 device.
Ultimately the iOS 7 activation lock is a great idea but it relies on the end user to properly maintain and protect their Apple ID. Without user vigilance a hacked Apple ID is the disaster that keeps getting worse.