Security Tip: Apple ID locked for security?
This one also doubles as a Rant Time. Having my Apple ID account locked is an issue I face far too often with Apple. Perhaps you do, too? In my case, no one knows my account ID. Yet, I face having to unlock my account frequently because of this issue. I personally think Apple is causing this issue. Let’s explore.
Unlocking an Apple ID
As with far too many things, Apple’s unlocking system is unnecessarily complex and fraught with digital peril after-the-fact… particularly if you enable some of Apple’s more complex security features (i.e., Two Factor authentication).
One of the things Apple has yet to get correct is properly securing its Apple ID system from intrusion attempts. That doesn’t mean that your account is unsafe. What it means is that your account is unsafe against malicious attacks targeting your account ID. But, there’s an even bigger risk using Apple’s ID system… securing your credentials by using an email address. I’ll come back to this practice a little later.
Once your account becomes locked, there are a number of major problems that present. The first immediate problem is that you need to remember your security questions OR face changing your password (assuming standard security). If you use Apple’s two-factor authentication, you face even more problems. If you don’t use two-factor and you’ve forgotten your security questions, you have the option to contact Apple Support to help you with your security question problems to gain access to your account. On the other hand, if you’ve forgotten your security information set up when enabling two-factor, you’re screwed. Apple can’t help you after you have two-factor set up… one of the major reasons I have chosen not to use two-factor at Apple. Two-factor IS more secure, but by using it you risk losing your Apple ID if you lose a tiny bit of information. That risk is far too great. With all of the “ease of use” Apple is known for, its Apple ID system is too overly complex.
The second problem is that once you do manage to get your account unlocked, you are then required to go touch EVERY SINGLE DEVICE that uses your account ID and reenter your password AGAIN. This includes not only every Apple device, but every device utilizing Apple services such as Alexa’s account linking for Apple Music on the Amazon Echo. If you use Apple Music on an Android, you’ll need to go touch that too. It’s not just the locking and unlocking of your account, it’s the immense hassle of signing into your Apple ID on EVERY SINGLE DEVICE. Own an Apple Watch? Own an Apple TV? Own a HomePod? Own an iPad? Own a MacBook? Use Apple Music on your Android? You’ll need to go to each and every one of these devices and touch them.
On the iPhone, it’s particularly problematic. You’ll be presented with at least 3 login prompts simultaneously all competing with one another on the screen. Later, you’ll be presented with a few more stragglers over the course of 30 minutes or an hour. Apple still can’t seem to figure out how to use a single login panel to authenticate the entire device and all of its services. Instead, it must request passwords for each “thing” separately. So many prompts pop up so fast you have no idea which one is which because none of them are labeled as to which service they are attached. You could even be giving your account ID and password to a random nefarious app on your device. You’d never know. If you own an Apple Watch, you’ll have to re-enter it separately for that device as well. Literally, every single device that uses your Apple ID must be touched after unlocking your Apple ID. Unlike Wi-Fi passwords which you enter once and it’s shared across every device you own, Apple can’t possibly do that with its Apple ID system so that we enter it once and it populates ALL of our devices. No. We must touch each and every device we own.
Worse, if you don’t go touch each and every one of these devices immediately upon unlocking your account, you risk having your account locked almost immediately by just one of these devices. Apple’s ID system is not forgiving if even one of these devices hasn’t logged in properly after a security lock. You could face being locked out just a few hours later.
So the rant begins…
Using Email Addresses as Network IDs
Here’s a security practice that needs to stop. Apple, I’m l👀king at you! Using email addresses as an ID was the “norm” during the mid-late 00s and is still in common practice throughout much of the Internet industry. It is, however, a practice that needs to end. Email addresses are public entities easily seen, easily found and, most easily, attacked. They are NOT good candidates for use as login identifiers. Login identifiers need to use words, phrases or information that are not generally publicly accessible or known. Yes, people will continue to use their favorite pet’s name or TV show or girlfriend’s name as login IDs. At least that’s only found by asking the person involved. Email addresses are not required when developing login systems. You can tie the email address to the account via its profile. But, it SHOULD NOT be used as a login identifier.
When an Apple ID account gets continually locked, Apple Support suggests changing the login ID, but that’s not going to change anything. You’re simply moving the crap from one toilet to another. Crap is still crap. The problem is that it still uses an email address and, to reiterate, email addresses are easily seen, found and attacked. What I need is a login ID that’s of my own choosing and is not an email address. This way, random folks can’t go to Apple’s iCloud web site and randomly enter an email address intentionally to lock accounts. If I can choose my own login identifier, unless I give that information out explicitly to someone, it’s not guessable AT ALL and far less likely to be locked out by random folks entering junk into Apple’s web-based login panels.
Oh, and make no mistake, it’s not people on an iPhone or iPad doing this. It’s people going to Apple’s web site and doing it there. There is no other place where it can be happening. And yet, we unsuspecting users are penalized by having to spend a half an hour finding and reentering passwords on all our devices because someone spent 5 minutes at Apple’s web site entering random information incorrectly 3 times. Less than 5 minutes worth of effort triggers at least 30 minutes of work unlocking the account and reentering passwords on many devices and services. And then there are the stragglers that continue to prompt for at least an hour or two after… all because Apple refuses to secure its own web site login panels from this activity. This is not my problem Apple, it’s yours. You need to fix your shit and that’s something I absolutely cannot do for you.
Notifications
Apple prides itself on building its push notification system, yet it can’t even use it to alert users of potential unusual activity on its very own Apple IDs. If someone is incorrectly trying passwords on a web site, they know where this vector is. So then, tell me about it, Apple. Send me an alert that someone is trying to log into the Apple Store or the iCloud.net site. Inform me that my ID is being used in a place that seems suspect. You know the IP address where the user is coming from. Alert me. Google does. You can, too.
Additionally, Apple stores absolutely NO information about bad login attempts. If you attempt to contact Apple Support about your account activity, they don’t have access. They can’t even tell you what triggered your Account ID lock. This level of information is the absolute bare minimum a company using centralized login IDs must offer to its users. If Apple can’t even bother to help you find out why and where your account was locked, why would you trust Apple to store your information? Apple puts all its cards on its functionality side, but it can’t put a single card on this side of the security fence? What the hell, Apple?
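To make the two complaints above concrete (a lock that anyone who knows the email address can trigger, and no record or alert of failed sign-ins), here is an added sketch of the alternative design. It is not from the original post and says nothing about how Apple's systems actually work. The LoginGuard class, its limits and the sample addresses are all made up for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 3      # failures tolerated per (account, source) within WINDOW
WINDOW = 15 * 60      # sliding window in seconds (assumed value)


class LoginGuard:
    """Hypothetical sign-in guard: throttles the offending source, never the account."""

    def __init__(self, notify):
        self.failures = defaultdict(deque)  # (account, source_ip) -> failure times
        self.audit = defaultdict(list)      # account -> [(time, source_ip, outcome)]
        self.notify = notify                # callback(account, message)

    def _recent_failures(self, key, now):
        times = self.failures[key]
        while times and now - times[0] > WINDOW:
            times.popleft()                 # forget failures older than the window
        return len(times)

    def attempt(self, account, source_ip, password_ok, now=None):
        now = time.time() if now is None else now
        key = (account, source_ip)
        if self._recent_failures(key, now) >= MAX_FAILURES:
            outcome = "throttled"           # refused without checking the password
        elif password_ok:
            outcome = "ok"
            self.failures.pop(key, None)
        else:
            outcome = "failed"
            self.failures[key].append(now)
            if len(self.failures[key]) == MAX_FAILURES:
                self.notify(account, f"{MAX_FAILURES} failed sign-ins from {source_ip}")
        # Every attempt is recorded so the owner (or support) can see when and where.
        self.audit[account].append((now, source_ip, outcome))
        return outcome


def demo():
    """Constructed scenario: a stranger guesses badly, then the owner signs in."""
    alerts = []
    guard = LoginGuard(lambda account, msg: alerts.append((account, msg)))
    account = "user@example.com"            # constructed sample ID
    start = 1_000_000.0                     # fixed clock for a repeatable run
    stranger = [guard.attempt(account, "203.0.113.7", False, now=start + i)
                for i in range(4)]
    owner = guard.attempt(account, "198.51.100.20", True, now=start + 10)
    return stranger, owner, alerts, guard.audit[account]


if __name__ == "__main__":
    stranger, owner, alerts, audit = demo()
    print(stranger, owner, alerts, len(audit))
```

The stranger's source gets throttled after three failures, the owner is alerted, and the owner's own sign-in from another address still succeeds. Per-source throttling by itself does not stop guessing spread across many sources; that needs further controls not shown here.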
Apple Locking Accounts
I also firmly believe that Apple is intentionally locking accounts. When these lockouts occur, it’s not me doing it. I’m not out there entering my account credentials incorrectly. It’s not my devices, either. My devices ALL have my correct password set up. This means that either someone has guessed my email address or, more likely, Apple is intentionally locking the account. I firmly believe Apple is intentionally doing this internally and it’s not incorrect password attempts at all. The more it happens, the more I believe Apple is forcing this. I don’t know why they would want to do this, but I do believe they are. Maybe it’s a disgruntled employee who just randomly feels the need to screw with Apple’s users?
Apple’s Response
I’ve called Apple Support at least twice regarding this issue and gotten absolutely nowhere. They can’t and, more importantly, won’t help with this issue. They claim to have no access to security logs. They can’t determine where, when or why an account was locked. In fact, I do believe Apple does have access to this information, but I believe Apple Support has been told not to provide any information.
If Apple Support can’t give this information, then this information should be offered through the Apple ID account site (appleid.apple.com). This site should contain not only the ability to manage your Apple ID, it should also store and offer security information for when and where your ID was used (and where the account was used when it locked). Yet, Apple offers NOTHING. Not a single thing. You can log into this site, but there are no tools offered to the user. Apple exposes nothing about my account use to me. Google, on the other hand, is very transparent. So transparent, in fact, that they send “unusual activity” alerts whenever your ID is used in an unusual way. Google errs on the side of over-communication. Yet, Apple hasn’t done shit in this area and errs on the side of absolute ZERO communication.
Get your act together Apple. Your Apple ID system sucks. Figure it out!
How to fix Touch ID purchasing after Apple ID unlock
Touch ID App store purchasing no longer works after your Apple ID is unlocked? How do you get it working again? Let’s explore.
Apple ID Locked
I’ve recently begun having problems with Apple locking my Apple ID account about every 3 weeks with no explanation. After I’ve unlocked my account, I find that the App store app refuses to use Touch ID and forces entry of my password to download an app. Hey Apple, I set up Touch ID so I don’t have to type in a password.
I’ve called Apple twice about this problem and they are of no help. I had to figure this one out on my own. Thanks Apple… not!
Not only does Apple have no logs to determine why the account is locked, they simply don’t care about this problem. Their login system has become shit in the last few months beginning in June of 2018. I have no explanation for this lockout problem except that Apple needs to get their shit together. I’ve never had this problem before this point. Anyway, once an Apple ID is locked, you’ll need to unlock it to proceed cleaning up the mess Apple leaves behind.
Note, I have no problems unlocking my account. In fact, it takes about 5 minutes or less. However, there’s a bunch of crap to do to clean up Apple’s mess.
Unlocking an Apple ID
To unlock your account, go to appleid.apple.com. Note, I have chosen not to linkify the address in this article for security reasons. This is why it’s not clickable in this paragraph.
Instead, simply select the text => appleid.apple.com . Then copy and paste it into your browser’s address bar. Or better, type it into your browser’s address bar manually. Next, browse to this destination. Because this is Apple’s security site which manages your Apple ID security settings, I urge you to make sure you type it in exactly and carefully. If you mistype this address, it’s possible that you could land on a malicious web site that looks identical to Apple’s site and which could collect your Apple ID and password. Always be cautious, alert and careful when visiting sites which manage the security of your account(s). Here are the steps to get you started:
- Once you’re on the Apple ID site, under the ‘Manage your Apple account’ text, enter your Apple ID username and click the arrow pointing right →
- Now enter your current password and click the arrow →
- It will tell you your account is locked
- At this point, follow the prompts to unlock your account
You’ll need to know the following info (as of 2018) to unlock your account:
- Birthdate
- Answers to the security questions you set up previously
This section assumes you have not set up two-factor authentication. You can choose to unlock by email or by answering security questions. It’s up to you which path to follow. Whichever path you choose, complete the process to unlock your Apple ID. After unlocking, here’s where the fun begins. /sarc
If you can’t remember your security questions or birthdate, you’ll need to contact Apple Support and request for them to help you with unlocking your Apple ID. If you have set up two-factor authentication (2FA), you will need to know your recovery key. If you’ve lost your recovery key and access to your trusted device after setting up 2FA, you’re out of luck. If you have access to your trusted device, Apple can send you a text to finish the unlocking process. You cannot recover your Apple ID when using 2FA if you have lost the recovery key and lost access to your trusted device. For this reason alone, I cannot recommend setting up 2FA on your Apple ID. Stick with a strong password and avoid 2FA.
Note, I strongly recommend unlocking your account via this web browser method only. Even if your iPhone or iPad prompts to unlock your account directly on your device, don’t. Do not rely on the methods built into iOS devices as I have found them to be problematic and unreliable. Using the browser method, you will have no troubles.
Account Unlocked / Touch ID problems
Once your account is unlocked, you’ll find that all devices that were formerly logged into this account will have been force logged out. This force logout method is different than the method you would use to logout on the device. If you log out of the device, you will be prompted for both the account name and the password. With Apple’s force logout due to a lock, you are only required to reenter your password. Your login ID will be remembered and cached.
An account lockout wreaks havoc on certain features in iOS like Touch ID. Because the account was force logged out, then unlocked, Touch ID will fail to work on both the Music and the App store app. As I said above, you’ll find that the App store now prompts you to enter your password rather than using Touch ID.
Worse, you can go to settings and clearly see that Touch ID is still enabled for the App store app, but it is not working. This is demonstrably a bug that Apple simply won’t fix. How do we resolve this? Let’s continue.
Fixing Touch ID in the iTunes and App store app after a lockout
Here are the steps to fix this problem:
- Kill the Music and App store apps on your iOS device. DON’T SKIP THIS STEP. You do this by double clicking the home button. Then scroll through the apps running, then drag the app up to the top of the screen with your finger until it disappears from the list. This will kill that app. It’s always a good idea to periodically kill all running apps on your phone to improve performance. Be sure to kill the App store app before proceeding. If you have many apps in the list to scroll through, you can bring the app to the front of the list easily by launching the app before trying to kill it.
- Once the apps are killed, proceed to the Home screen and touch the Settings app
- Scroll down to Touch ID & Passcode and touch it
- Enter your pincode (if requested)
- This is the screen you’ll see next
- On this screen, you’ll see the iTunes & App store is already enabled (green). This setting is a lie. After a force lock and unlock, Apple automatically disables this feature internally even though the button shows green and enabled. That this button remains enabled is a bug and is the reason Touch ID doesn’t work.
- Click the green slider button next to iTunes & App Store to disable this setting.
- Wait for a moment for this to register and turn grey, like so
- Now, click it a second time to re-enable it. This time, it will prompt you for your Apple ID password.
- Enter your current Apple ID password in the password prompt
- Wait for the button to do a little jig before leaving this screen. The jig is described like so: the button starts off green, then turns grey for a moment, then slides back to green. This jig confirms that Touch ID for the App store is now truly enabled
- Exit to the home screen and launch the App store app
- Browse to any free app in the store and click ‘Get’. Touch ID should now prompt you for your fingerprint instead of prompting for your password.
If you skip killing the apps where I asked you to do that, you’ll find that the App store app still prompts for a password. The reason for this is that the App has cached the forced logout. To break that cache, you perform all of the steps described above. Following the order of these steps is important.
If you leave the App store app running when you reset the Touch ID settings, you’ll find that the password prompt problem remains. You may find that killing and relaunching the app even after resetting the Touch ID after-the-fact also won’t work. That’s why the order of the steps is important.
Stupid Problems, Debugging and Network Settings
Problems this stupid shouldn’t exist on iOS devices, but here we are. I’ve already discussed this issue with Apple Support, but they simply won’t do anything about it. In fact, because this problem was formerly a rare occurrence, Apple Support isn’t even aware of this workaround.
In fact, while on the phone, Apple Support “recommended” that I reset my network settings. Never reset network settings as a first step. Resetting network settings should be the absolute last step and only when nothing else resolves a problem. The difficulty with resetting network settings is that it wipes all iCloud stored network passwords and access point information, like WiFi passwords. Not only does it wipe all WiFi networks and passwords on iCloud for the device where you wiped network settings, it wipes it for every device also using iCloud. This means if your Apple ID is being used on a MacBook, an iPhone, an iPad, an iPod or any combination of several of these devices, you’ll have to reenter the password on every device manually. It will also have forgotten all of the access points that iCloud formerly knew. Each new device will need to relearn them all.
You can somewhat solve this problem by first signing your device out of iCloud before wiping network settings. However, when you log your device back into iCloud, it might still wipe some settings from iCloud once logged back in and synced with iCloud. Be cautious with doing this.
I’ve been there and done that. This is a pain-in-the-ass. If Apple Support ever requests you to wipe network settings, tell them politely but firmly, “No.” Then state, “I only wipe network settings as a last ditch effort. Let’s exhaust all other workarounds and possibilities first.”
Wiping network settings usually only resolves actual networking problems, such as the phone refusing to connect to a WiFi access point. Touch ID has nothing to do with networking. Be wary of Support Team members requesting you to wipe network settings to help resolve non-network problems. The last thing you want to do is spend hours fixing all of your other devices in addition to not resolving the original problem. The Apple Support team is very good at causing more problems without actually solving the original problem. It is up to you to always exercise your best judgement to prevent Apple Support slip ups.
I really wish that Apple would just fix these stupid bugs. I also wish that they would tell me why my account keeps getting locked out.