2023-02-03

Vicious circle


Image from Unsplash

A reader had ended up in a vicious circle and shared his story with me, with the opening sentence: “Maybe I have a nice input for your blog.” Well, he was right. His experiences are instructive and can prevent other readers from ending up in the same situation.

Colleague Mark de Wals's iPhone was broken. That in itself was annoying enough, but for Mark it was only the beginning of a vortex that he struggled to get out of. Oddly enough, that vortex was partly caused by two excellent security measures that Mark had taken: he used a password manager and he applied two-factor authentication (2FA, also known as MFA, with M for multi). How can these measures, which I wholeheartedly recommend to everyone, get you into trouble? And, more importantly: how do you stay out of trouble? Read on, but above all: learn from it.

Mark wanted his iPhone repaired (it wasn't completely dead, by the way). Before handing over the device, he performed a reset. This ensures that all data, including all accounts, are erased - it is then as if the device came fresh from the factory. It's nice to know for sure that the repairman can't poke around in your data, isn't it? The downside is of course that you have to set up the device again after the repair. Many people don't like that; for many, this is the main reason for postponing the purchase of a new device until the old one can no longer be used. But since the repairman will often need access to the device, you can hardly avoid such a reset.

When the device came back, Mark sat down to set it up. One of the first things the iPhone asked for was his Apple ID password (“Your Apple ID is the account that gives you access to all Apple services and allows all your devices to work together seamlessly.”) That password was in Mark’s password manager – which was not yet accessible because the device had not yet been set up. But don't worry: thanks to the cloud, the password vault could also be accessed via his laptop.

Mark typed in his password, to which the iPhone responded with: fine, and now you have to approve this login in your 2FA app. Ouch, that app was also on the iPhone – and therefore inaccessible! Voilà: a textbook example of a vicious circle: you need that app to get the device going, but the app runs on the same device.

Eventually Mark requested a reset from Apple. That involved an email and a text message. Fortunately, Mark was still able to receive and read the code from the text message. For security reasons, Apple lets a few days pass before it processes such a reset request. Those were two scary days, but then Mark received an email and a text message with verification codes. With those he was able to access his account again.

Mark has a few tips for us. The first one concerns the fact that he does not use a real SIM card in this device, but an e-SIM – which stands for embedded SIM and means that the card is built into the device. Your provider therefore does not send a SIM card, but uses the e-SIM. What if you need to receive a text message with a verification code, but you can't access your phone? With a physical SIM card, you simply put it into another device and read the message there, but that is not possible with an e-SIM. If the latter is secured with a PIN code, you will not see the received code on the lock screen as long as you are not logged in. Mark had turned off that PIN code, since the device itself is protected and you cannot remove the e-SIM from the device anyway.

The next tip is the most important: make sure you keep your most important passwords somewhere you can always access them. Mark's password manager (LastPass) offers the possibility to share passwords with others. Through this option, he can always retrieve the passwords of his email and his Apple ID. And if another family member also has an Apple ID, you can authorize each other to help reset each other's password.

Android also works with email addresses and phone numbers for account recovery. For this you need a different e-mail address than the address that is linked to the account. But be careful not to use an address that only forwards incoming mail to your primary account - after all, you cannot access it in such a situation.

Mark's experiences teach us that it is important to take measures in advance to escape from such a situation. Check this weekend if you have your affairs in order.
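Mark's vicious circle is, put abstractly, a cycle in the dependencies between the things you need to log in. The small script below is an added illustration, not something from the original post or from Mark: it models each resource (phone, Apple ID, 2FA app, SMS code, recovery address) with the alternative ways of regaining it, starts from what survives a factory reset, and reports what can never be recovered from that position. The node names and the three scenarios (e-SIM with PIN, e-SIM without PIN, and the forwarding-only recovery address from the Android paragraph) are constructed for this example.

```python
"""Check an account-recovery setup for vicious circles.

Model (constructed for this example, not from the original post): every
resource you might need to log in is a node. A node lists the alternative
ways to regain it; each alternative is the set of other resources you must
already hold. Starting from what survives a device reset, we compute the
closure of everything that can be recovered. Anything outside the closure
is a lockout: the "vicious circle" of the story.
"""
from typing import Dict, FrozenSet, List, Set

# node -> list of alternatives; each alternative is a set of prerequisites.
Recovery = Dict[str, List[Set[str]]]


def recoverable(setup: Recovery, held: Set[str]) -> Set[str]:
    """Least fixpoint: add a node once any one of its alternatives is fully held."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for node, alternatives in setup.items():
            if node not in have and any(alt <= have for alt in alternatives):
                have.add(node)
                changed = True
    return have


def locked_out(setup: Recovery, held: Set[str]) -> List[str]:
    """Nodes that can never be regained from the starting position."""
    return sorted(set(setup) - recoverable(setup, held))


def explain(setup: Recovery, held: Set[str], node: str) -> List[FrozenSet[str]]:
    """For each alternative of `node`, the prerequisites that stay out of reach."""
    have = recoverable(setup, held)
    return [frozenset(alt - have) for alt in setup[node]]


# Mark's situation after the factory reset (constructed): the only thing he
# still holds is his laptop (cloud access to the password vault and e-mail).
MARK_ESIM_WITH_PIN: Recovery = {
    "iphone_setup": [{"apple_id"}],
    # Normal login: password + 2FA app. Fallback: Apple's reset flow, which
    # sends codes to the recovery e-mail and by SMS (and takes a few days).
    "apple_id": [{"apple_id_password", "2fa_app"},
                 {"apple_id_password", "recovery_email", "sms_code"}],
    "apple_id_password": [{"password_manager"}],
    "password_manager": [{"laptop"}],
    "recovery_email": [{"laptop"}],
    "2fa_app": [{"iphone_setup"}],     # the authenticator lives on the phone
    "sms_code": [{"iphone_setup"}],    # e-SIM with PIN: readable only once logged in
}

# Same setup, but the e-SIM PIN is off, so the SMS shows on the lock screen.
MARK_ESIM_NO_PIN: Recovery = dict(MARK_ESIM_WITH_PIN)
MARK_ESIM_NO_PIN["sms_code"] = [{"lock_screen"}]

# The Android pitfall from the post: a recovery address that only forwards
# to the primary mailbox. Without the password, each mailbox needs the other.
FORWARDING_ONLY: Recovery = {
    "primary_mail": [{"primary_mail_password"}, {"recovery_mail"}],
    "recovery_mail": [{"primary_mail"}],
}

if __name__ == "__main__":
    print("e-SIM with PIN  :", locked_out(MARK_ESIM_WITH_PIN, {"laptop"}))
    print("  why apple_id? :", explain(MARK_ESIM_WITH_PIN, {"laptop"}, "apple_id"))
    print("e-SIM, PIN off  :", locked_out(MARK_ESIM_NO_PIN, {"laptop", "lock_screen"}))
    print("forwarding-only :", locked_out(FORWARDING_ONLY, set()))
```

The first scenario reports the Apple ID, the 2FA app, the SMS code and the phone itself as unrecoverable, and `explain` shows why: both ways of regaining the Apple ID need something that only exists on the phone that is being set up. Switching the e-SIM PIN off breaks the cycle, and a shared vault entry or a second trusted device would do the same (add it as an extra alternative for `apple_id`). The exercise is the point: write down what each login actually depends on and see whether any arrow leads back to where you started.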


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. 
