When I got up this morning, my iPhone had a message about needing to reenter my password to access some Apple services. Annoying but not a major hassle. However, when I did so, I was told that my Apple ID was locked and needed to be unlocked. I was asked, whether I wish to do so by email or to answer some security questions?
This was more than annoying. It was outright anger-inducing. Why would Apple behave so? They gave no indication about why the lock happened. I was able to unlock my ID.
From my email, they last did this to me in June. Are they going to do this every few months for as long as I am an Apple user?
Having a security mindset isnāt necessarily a bad thing; however, it can be overdone. If you make security protocols too complex and difficult, they tend to eventually result in the protocols being ignored and actively worked around.
Has anyone else seen this sort of thing from Apple? (Are they just picking on me? :-))
I havenāt and it would drive me nuts. I think itās bad enough I have to periodically enter my passcode to unlock my phone and iPad instead of using Touch or Face ID.
My suspicion is that thereās an automated process that triggers this if you have a security issue ā perhaps someone tried to enter your account with the wrong password multiple times and therefore they locked your ID just in case.
It would be nice if Apple would let you know the cause ā perhaps you can ask someone there and see if theyāll tell you what happened?
Apple locks an account when someone tries to access it multiple times unsuccessfully. I have two iCloud accounts, and I donāt recall either of them, one of them dating back to the iTools days, ever being locked. In contrast, my friendās daughterās account gets locked multiple times a year. Some individuals in Brazil, Italy, NYC, and possibly other locations think her daughterās Apple ID is theirs. I suspect every once in a while, one of them might realize something is wrong when they donāt receive an email they expect. Theyāll unsuccessfully try to access the account multiple times and get it locked.
I get that it can be annoying when you discover your account has been locked, but I donāt think the blame should be directed at Apple, who is just trying to keep your account secure. The blame lies with the people who, for whatever reason, tried to access your account. It could be an innocent mistake, or it could be a miscreant trying to break into your account.
I agree, but I think companies take it a bit too far.
I think it makes perfect sense to lock an account if there are repeated password failures. That could indicate an attempt to hack an account. If you donāt lock it (or at least impose substantial delays), then a brute-force attack can succeed.
On the other hand, Iāve seen accounts locked when the password is correct and the 2FA code fails to match. I donāt see the purpose of that. Nobody can brute-force a 2FA code, because the code changes more rapidly than a script can run through every possible 6-digit number. Especially if the server imposes a few seconds delay between attempts. So thereās no need to lock anything there - just alert the account owner and leave it at that.
Oh, yes, a correct user & password with multiple wrong 2fa codes should lock an account. It may be after several attempts - definitely not one or two - but thatās definitely something I want as a user. If my password has leaked due to someone hacking a server I donāt want just six digits protecting me for even more than a few minutes.
Speaking of 2FA, I also get periodic requests from Apple (and others) to request and enter a code because Iām using a ānew computerā. This is on a computer Iāve been using since 2012!
Perhaps this is because Apple doesnāt track users so it has to annoy them by repeatedly demanding its users prove themselves.
I find the roughly weekly requirement to re-enter my iPhone password instead of using FaceID quite annoying. Not so much because of the idea in itself, but because I have no way of knowing ahead of time when it will be required and when it does kick in it always seems to be at the absolutely worst possible moment.
I agree with @shamino about 2FA codes. Notify me about repeated attempts. But donāt just block the account. Thatās what 2FA is there for. Just because some dunce is trying to brute force it doesnāt mean anybody needs to have a cow.
Since Apple says the interval is a bit over six days, just manually force a non-Face ID login in a shorter time frame. Especially since you may need to access the iPhone while wearing a face mask, thatās an easy requirement to meet.
Alternatively, practice the emergency SOS power-off sequence (pressing a volume button and the side button simultaneously). You will need to login via passcode and start the countdown then.
This sounds good in principal, but in practice remembering to do so is annoying. The logical thing is to set up a once-a-week reminder ā except Appleās silly 6.5 day timeline ruins that since 7 days is too long.
You all keep talking about 2FA codes but if he had to answer security questions then he isnāt using 2FA. Accounts probably being locked by someone trying to hack his password.
I wonāt bore you with all the details, other than to remind you that anyone that gets your 6 digit unlock code to your iPhone has the power to change your AppleID password from your iPhone, without logging in.
Apple still allows this. Plus, Apple illegally uses your credit card on file to restore a lost, compromised or stolen Apple ID password.
NEVER, EVER call your bank and cancel your lost or stolen card until you have reset your Apple ID password and removed the lost credit card and replaced it with one in your possession.
Lastly, remember you cannot count on Find My Device if your Apple ID account gets compromised. Apple only allows ONE e-mail address and most people used the Apple e-mail assigned to them when they first got their Apple ID. Once established, this e-mail address can never be changed.
If your password gets compromised or someone changes it without your knowledge, not only does every app you ever downloaded from the App Store stop working (even if you have everything backed up multiple ways) but when Apple sends you an e-mail telling you that your password has been changed or that your device has been located, they will send it to that one e-mail you no longer have an access to use.
When I had a house burglary, I lost my Mac, my iPhone, and my wallet with my credit cards. I was locked out of my Apple ID for 32 days. Even after I bought $5,000 worth of replacement gear, nothing was really usable until I got my Apple ID restored. And when they contact you that it is your turn to get a new password set up, you have only 4 hours to act, otherwise you get to go to the end of the line and wait even longer.
If you use a non-apple email address for the apple ID you can change it. When possible, use unique addresses as well as passwords for every account you create. Makes credential stuffing that much harder, and it also makes it much less likely that someone trying to break into āyourā apple ID with a more easily found email for you will manage to lock your account.
Too bad I didnāt know that when I first set up the account the year that Apple started offering Apple ID.
If Apple lets you change a third party e-mail address linked to your Apple ID, why not allow me to substitute a third party e-mail address for my Apple E-Mail address?
Or offer at least the ability to add an alternate or second e-mail address for any mail coming from Apple directly (i.e. your password was changed or your computer called home) . . .
I have three short, simple, unique and extremely desirable Apple IDs dating back to hour one of iTools (I was furiously registering names within a minute of Jobsā announcement and āā¦Steve is already takenā¦ ā); these IDs are under constant attacks and (bizarrely, to me) multiple people mistakenly thinking the newest @icloud.com iteration is theirs for the taking. Sooooooooo many of these ignorant people go so fas as to register my address under @iCloud.com, that Iām often on a daily basis Unsubscribing from whatever store, hotel, bank or job finding service theyāve tried to use; and I get account-locked notifications several times per week.
Most of the time I just leave it locked, as it causes no harm until Iām under a need to reauthorize a particular device, and I just unlock with email or 2FA.
Since I use them strictly under their @mac.com faces, I can typically just route most @iCloud and @me spam/communication to the trash; but Iām really uncomfortable when itās associated with anything financial or denigrating, like porn or sex-trafficking, or obviously personal nature. I donāt want the risk of the FBI coming at me for the actions of others.
The worst is the people who think theyāre being clever by using [name]@me.com, to avoid getting spam they donāt want, Or to avoid contact with someone theyāve taken advantage of, only to dump all that garbage on me. I wonāt disgust you with descriptions of the intimate, personal messages and photos/videos Iāve received intended for some unknown lothario, save to say Iāve created numerous automated responses in at least eleven different languages.
Anyway, Iāve learned to take most of it in stride and donāt place my anger at all with Apple for taking appropriate, if occasionally inconvenient steps to protect my personal data and financial information.
Thanks to everyone who replied. My suspicion that Apple just pesters people about security may be wrong. The lock may have occurred because someone, either accidentally or intentionally, tried and failed to use my ID. So it goes.
