Security Tip: Apple ID locked for security?
This one also doubles as a Rant Time. Having my Apple ID account locked is an issue I face far too often with Apple. Perhaps you do, too? In my case, no one knows my account ID. Yet, I face having to unlock my account frequently because of this issue. I personally think Apple is causing this issue. Let’s explore.
Unlocking an Apple ID
As with far too many things, Apple’s unlocking system is unnecessarily complex and fraught with digital peril after-the-fact… particularly if you enable some of Apple’s more complex security features (e.g., two-factor authentication).
One of the things Apple has yet to get correct is properly securing its Apple ID system from intrusion attempts. That doesn’t mean your account is unsafe in the sense of being broken into. What it means is that your account is exposed to malicious attempts that target your account ID. But there’s an even bigger risk in Apple’s ID system… using an email address as the login identifier for your credentials. I’ll come back to this practice a little later.
Once your account becomes locked, there are a number of major problems that present themselves. The first immediate problem is that you need to remember your security questions OR face changing your password (assuming standard security). If you use Apple’s two-factor authentication, you face even more problems. If you don’t use two-factor and you’ve forgotten your security questions, you have the option to contact Apple Support to help you with your security question problems to regain access to your account. On the other hand, if you’ve forgotten the security information you set up when enabling two-factor, you’re screwed. Apple can’t help you after you have two-factor set up… one of the major reasons I have chosen not to use two-factor at Apple. Two-factor IS more secure, but by using it you risk losing your Apple ID if you lose a tiny bit of information. That risk is far too great. For all of the “ease of use” Apple is known for, its Apple ID system is overly complex.
The second problem is that once you do manage to get your account unlocked, you are then required to go touch EVERY SINGLE DEVICE that uses your account ID and re-enter your password AGAIN. This includes not only every Apple device, but every device utilizing Apple services, such as Alexa’s account linking for Apple Music on the Amazon Echo. If you use Apple Music on an Android, you’ll need to go touch that too. It’s not just the locking and unlocking of your account, it’s the immense hassle of signing into your Apple ID on EVERY SINGLE DEVICE. Own an Apple Watch? Own an Apple TV? Own a HomePod? Own an iPad? Own a MacBook? Use Apple Music on your Android? You’ll need to go to each and every one of these devices and touch them.
On the iPhone, it’s particularly problematic. You’ll be presented with at least 3 login prompts simultaneously, all competing with one another on the screen. Later, you’ll be presented with a few more stragglers over the course of 30 minutes or an hour. Apple still can’t seem to figure out how to use a single login panel to authenticate the entire device and all of its services. Instead, it must request passwords for each “thing” separately. So many prompts pop up so fast that you have no idea which one is which, because none of them are labeled as to which service they are attached. You could even be giving your account ID and password to a random nefarious app on your device. You’d never know. If you own an Apple Watch, you’ll have to re-enter it separately for that device as well. Literally every single device that uses your Apple ID must be touched after unlocking your Apple ID. Unlike Wi-Fi passwords, which you enter once and have shared across every device you own, Apple can’t possibly do that with its Apple ID system so that we enter it once and it populates ALL of our devices. No. We must touch each and every device we own.
Worse, if you don’t go touch each and every one of these devices immediately upon unlocking your account, you risk having your account locked almost immediately by just one of these devices. Apple’s ID system is not forgiving if even one of these devices hasn’t logged in properly after a security lock. You could face being locked out just a few hours later.
So the rant begins…
Using Email Addresses as Network IDs
Here’s a security practice that needs to stop. Apple, I’m l👀king at you! Using email addresses as an ID was the “norm” during the mid-to-late 2000s and is still common practice throughout much of the Internet industry. It is, however, a practice that needs to end. Email addresses are public entities: easily seen, easily found and, most of all, easily attacked. They are NOT good candidates for use as login identifiers. Login identifiers need to use words, phrases or information that are not generally publicly accessible or known. Yes, people will continue to use their favorite pet’s name or TV show or girlfriend’s name as login IDs. At least that’s only found by asking the person involved. Email addresses are not required when developing login systems. You can tie the email address to the account via its profile. But it SHOULD NOT be used as a login identifier.
When an Apple ID account gets continually locked, Apple Support suggests changing the login ID, but that’s not going to change anything. You’re simply moving the crap from one toilet to another. Crap is still crap. The problem is that it still uses an email address and, to reiterate, email addresses are easily seen, found and attacked. What I need is a login ID that’s of my own choosing and is not an email address. This way, random folks can’t go to Apple’s iCloud web site and enter an email address intentionally to lock accounts. If I can choose my own login identifier, then unless I give that information out explicitly to someone, it’s not guessable AT ALL and far less likely to be locked out by random folks entering junk into Apple’s web-based login panels.
Oh, and make no mistake, it’s not people on an iPhone or iPad doing this. It’s people going to Apple’s web site and doing it there. There is no other place where it can be happening. And yet we unsuspecting users are penalized by having to spend half an hour finding and re-entering passwords on all our devices because someone spent 5 minutes at Apple’s web site entering random information incorrectly 3 times. Less than 5 minutes’ worth of effort triggers at least 30 minutes of work unlocking the account and re-entering passwords on many devices and services. And then there are the stragglers that continue to prompt for at least an hour or two after… all because Apple refuses to secure its own web site login panels from this activity. This is not my problem, Apple, it’s yours. You need to fix your shit and that’s something I absolutely cannot do for you.
Notifications
Apple prides itself on having built its push notification system, yet it can’t even use it to alert users of potential unusual activity on its very own Apple IDs. If someone is incorrectly trying passwords on a web site, Apple knows exactly where this vector is. So then, tell me about it, Apple. Send me an alert that someone is trying to log into the Apple Store or the iCloud.net site. Inform me that my ID is being used in a place that seems suspect. You know the IP address the attempt is coming from. Alert me. Google does. You can, too.
Additionally, Apple stores absolutely NO information about bad login attempts. If you attempt to contact Apple Support about your account activity, they don’t have access. They can’t even tell you what triggered your Apple ID lock. This level of information is the absolute bare minimum a company using centralized login IDs must offer to its users. If Apple can’t even bother to help you find out why and where your account was locked, why would you trust Apple to store your information? Apple puts all its cards on the functionality side, but it can’t put a single card on this side of the security fence? What the hell, Apple?
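The three complaints above (a stranger at a public web panel can lock the whole account, nobody is alerted, and no record of the failed attempts survives) all come down to how the login service counts failures. The sketch below is an added example of the alternative, not Apple’s code: failures are throttled per (account, source IP) instead of locking the account globally, every attempt is written to an audit trail the account owner could be shown, and an alert is raised once an unknown source keeps failing. The window and thresholds are assumed values, and `trusted_device` stands in for whatever the service uses to recognize an already-enrolled device.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 900   # sliding window for counting failures (assumed value)
MAX_PER_SOURCE = 5     # failures allowed per (account, source IP) in the window
ALERT_THRESHOLD = 3    # failures from an untrusted source before the owner is alerted


@dataclass
class LoginPolicy:
    # audit trail the account owner can inspect: account -> [(time, source_ip, outcome)]
    audit: dict = field(default_factory=lambda: defaultdict(list))
    # alerts to push to the owner: (account, source_ip, time)
    alerts: list = field(default_factory=list)
    _fails: dict = field(default_factory=lambda: defaultdict(deque))

    def _recent(self, key, now):
        """Failure timestamps for one (account, source) inside the sliding window."""
        q = self._fails[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def attempt(self, account, source_ip, password_ok, trusted_device, now):
        """Return 'ok', 'denied' or 'throttled'.

        Only the offending source is throttled; the account itself stays usable
        from every other source, so a stranger at a web panel cannot lock out
        the owner's phone, watch or TV.
        """
        recent = self._recent((account, source_ip), now)
        if len(recent) >= MAX_PER_SOURCE:
            self.audit[account].append((now, source_ip, "throttled"))
            return "throttled"
        if password_ok:
            self.audit[account].append((now, source_ip, "success"))
            return "ok"
        recent.append(now)
        self.audit[account].append((now, source_ip, "failure"))
        # a device the user already enrolled failing (stale password) is logged but
        # not alarming; an unknown source that keeps failing is worth telling the owner
        if not trusted_device and len(recent) == ALERT_THRESHOLD:
            self.alerts.append((account, source_ip, now))
        return "denied"
```

Because the throttle key includes the source, a correct password from the throttled source is still refused until its window expires, while the owner’s devices never notice.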
Apple Locking Accounts
I also firmly believe that Apple is intentionally locking accounts. When these lockouts occur, it’s not me doing it. I’m not out there entering my account credentials incorrectly. It’s not my devices, either. My devices ALL have my correct password set up. This means that either someone has guessed my email address or, more likely, Apple is intentionally locking the account. I firmly believe Apple is intentionally doing this internally and that it’s not incorrect password attempts at all. The more it happens, the more I believe Apple is forcing this. I don’t know why they would want to do this, but I do believe they are. Maybe it’s a disgruntled employee who just randomly feels the need to screw with Apple’s users?
Apple’s Response
I’ve called Apple Support at least twice regarding this issue and gotten absolutely nowhere. They can’t and, more importantly, won’t help with this issue. They claim to have no access to security logs. They can’t determine where, when or why an account was locked. In fact, I do believe Apple does have access to this information, but I believe Apple Support has been told not to provide any information.
If Apple Support can’t give out this information, then it should be offered through the Apple ID account site (appleid.apple.com). This site should contain not only the ability to manage your Apple ID, it should also store and offer security information about when and where your ID was used (and where the account was being used when it locked). Yet Apple offers NOTHING. Not a single thing. You can log into this site, but there are no tools offered to the user. Apple exposes nothing about my account use to me. Google, on the other hand, is very transparent. So transparent, in fact, that they send “unusual activity” alerts whenever your ID is used in an unusual way. Google errs on the side of over-communication. Yet Apple hasn’t done shit in this area and errs on the side of absolute ZERO communication.
Get your act together, Apple. Your Apple ID system sucks. Figure it out!