Does Apple lock IDs on a Schedule?

When I got up this morning, my iPhone had a message about needing to reenter my password to access some Apple services. Annoying but not a major hassle. However, when I did so, I was told that my Apple ID was locked and needed to be unlocked. I was asked whether I wished to do so by email or by answering some security questions.

This was more than annoying. It was outright anger-inducing. Why would Apple behave so? They gave no indication about why the lock happened. I was able to unlock my ID.

From my email, they last did this to me in June. Are they going to do this every few months for as long as I am an Apple user?

Having a security mindset isn’t necessarily a bad thing; however, it can be overdone. If you make security protocols too complex and difficult, they tend to eventually result in the protocols being ignored and actively worked around.

Has anyone else seen this sort of thing from Apple? (Are they just picking on me? :-))

I haven’t and it would drive me nuts. I think it’s bad enough I have to periodically enter my passcode to unlock my phone and iPad instead of using Touch or Face ID.

My suspicion is that there’s an automated process that triggers this if you have a security issue – perhaps someone tried to enter your account with the wrong password multiple times and therefore they locked your ID just in case.

It would be nice if Apple would let you know the cause – perhaps you can ask someone there and see if they’ll tell you what happened?

1 Like

Apple locks an account when someone tries to access it multiple times unsuccessfully. I have two iCloud accounts, and I don’t recall either of them, one of them dating back to the iTools days, ever being locked. In contrast, my friend’s daughter’s account gets locked multiple times a year. Some individuals in Brazil, Italy, NYC, and possibly other locations think her daughter’s Apple ID is theirs. I suspect every once in a while, one of them might realize something is wrong when they don’t receive an email they expect. They’ll unsuccessfully try to access the account multiple times and get it locked.

I get that it can be annoying when you discover your account has been locked, but I don’t think the blame should be directed at Apple, who is just trying to keep your account secure. The blame lies with the people who, for whatever reason, tried to access your account. It could be an innocent mistake, or it could be a miscreant trying to break into your account.

3 Likes

I agree, but I think companies take it a bit too far.

I think it makes perfect sense to lock an account if there are repeated password failures. That could indicate an attempt to hack an account. If you don’t lock it (or at least impose substantial delays), then a brute-force attack can succeed.

On the other hand, I’ve seen accounts locked when the password is correct and the 2FA code fails to match. I don’t see the purpose of that. Nobody can brute-force a 2FA code, because the code changes more rapidly than a script can run through every possible 6-digit number. Especially if the server imposes a few seconds delay between attempts. So there’s no need to lock anything there - just alert the account owner and leave it at that.

Or am I missing something important here?

1 Like

Oh, yes, a correct user & password with multiple wrong 2fa codes should lock an account. It may be after several attempts - definitely not one or two - but that’s definitely something I want as a user. If my password has leaked due to someone hacking a server I don’t want just six digits protecting me for even more than a few minutes.
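
The trade-off debated in the posts above (delay-only versus locking after repeated wrong 2FA codes), worked through as an added example that is not part of the original thread. The 3-second delay, the 5-failure threshold and the `SecondFactorGate` class are assumptions for illustration, not Apple's actual policy.

```python
import hmac

CODE_SPACE = 10 ** 6  # number of possible 6-digit codes

def throttled_guess_probability(hours, delay_seconds, accepted_codes=1):
    """P(at least one blind guess is accepted) when the server only delays attempts.

    Codes rotate, so each guess is treated as an independent 1-in-a-million draw
    (a slight underestimate). accepted_codes > 1 models servers that also accept
    adjacent time steps.
    """
    attempts = int(hours * 3600 / delay_seconds)
    return 1 - (1 - accepted_codes / CODE_SPACE) ** attempts

def lockout_guess_probability(max_failures, accepted_codes=1):
    """Same probability when the account locks after max_failures wrong codes."""
    return 1 - (1 - accepted_codes / CODE_SPACE) ** max_failures

class SecondFactorGate:
    """Hypothetical server-side counter for code checks made after a correct password."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, submitted, expected):
        if self.locked:
            return "locked"            # stays locked until the owner unlocks it
        if hmac.compare_digest(submitted, expected):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "retry"

if __name__ == "__main__":
    for label, hours in (("1 day", 24), ("30 days", 720)):
        p = throttled_guess_probability(hours, delay_seconds=3)
        print(f"delay only, {label}: {p:.1%}")
    print(f"lock after 5 failures: {lockout_guess_probability(5):.4%}")
```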

Yes, I periodically get requests from iOS to re-enter my AppleID info into iOS Settings. However, nothing seems to happen if I ignore the request.

Speaking of 2FA, I also get periodic requests from Apple (and others) to request and enter a code because I’m using a “new computer”. This is on a computer I’ve been using since 2012!

Perhaps this is because Apple doesn’t track users so it has to annoy them by repeatedly demanding its users prove themselves. :laughing:

I find the roughly weekly requirement to re-enter my iPhone password instead of using FaceID quite annoying. Not so much because of the idea in itself, but because I have no way of knowing ahead of time when it will be required and when it does kick in it always seems to be at the absolutely worst possible moment.

I agree with @shamino about 2FA codes. Notify me about repeated attempts. But don’t just block the account. That’s what 2FA is there for. Just because some dunce is trying to brute force it doesn’t mean anybody needs to have a cow.

1 Like

This page under “security safeguards” details the rules for when a passcode is required.

It’s a good idea to require this periodically to ensure that people use their passcode enough so that it is not forgotten.

1 Like

Since Apple says the interval is a bit over six days, just manually force a non-Face ID login in a shorter time frame. Especially since you may need to access the iPhone while wearing a face mask, that’s an easy requirement to meet.

Alternatively, practice the emergency SOS power-off sequence (pressing a volume button and the side button simultaneously). You will need to login via passcode and start the countdown then.

This sounds good in principle, but in practice remembering to do so is annoying. The logical thing is to set up a once-a-week reminder — except Apple’s silly 6.5 day timeline ruins that since 7 days is too long. :rage:

1 Like

If someone other than me is being prompted for the 2FA code, it means they somehow got my password. I’d rather get the account locked in that case.

3 Likes

FWIW, it’s never happened to me.

Jeremy

You all keep talking about 2FA codes but if he had to answer security questions then he isn’t using 2FA. Accounts probably being locked by someone trying to hack his password.

1 Like

I won’t bore you with all the details, other than to remind you that anyone that gets your 6 digit unlock code to your iPhone has the power to change your AppleID password from your iPhone, without logging in.

Apple still allows this. Plus, Apple illegally uses your credit card on file to restore a lost, compromised or stolen Apple ID password.

NEVER, EVER call your bank and cancel your lost or stolen card until you have reset your Apple ID password and removed the lost credit card and replaced it with one in your possession.

Lastly, remember you cannot count on Find My Device if your Apple ID account gets compromised. Apple only allows ONE e-mail address and most people used the Apple e-mail assigned to them when they first got their Apple ID. Once established, this e-mail address can never be changed.

If your password gets compromised or someone changes it without your knowledge, not only does every app you ever downloaded from the App Store stop working (even if you have everything backed up multiple ways) but when Apple sends you an e-mail telling you that your password has been changed or that your device has been located, they will send it to that one e-mail you no longer have access to.

When I had a house burglary, I lost my Mac, my iPhone, and my wallet with my credit cards. I was locked out of my Apple ID for 32 days. Even after I bought $5,000 worth of replacement gear, nothing was really usable until I got my Apple ID restored. And when they contact you that it is your turn to get a new password set up, you have only 4 hours to act, otherwise you get to go to the end of the line and wait even longer.

If you use a non-Apple email address for the Apple ID you can change it. When possible, use unique addresses as well as passwords for every account you create. Makes credential stuffing that much harder, and it also makes it much less likely that someone trying to break into ‘your’ Apple ID with a more easily found email for you will manage to lock your account.

Too bad I didn’t know that when I first set up the account the year that Apple started offering Apple ID.

If Apple lets you change a third party e-mail address linked to your Apple ID, why not allow me to substitute a third party e-mail address for my Apple E-Mail address?

Or offer at least the ability to add an alternate or second e-mail address for any mail coming from Apple directly (i.e. your password was changed or your computer called home) . . .

I have three short, simple, unique and extremely desirable Apple IDs dating back to hour one of iTools (I was furiously registering names within a minute of Jobs’ announcement and “…Steve is already taken… “); these IDs are under constant attacks and (bizarrely, to me) multiple people mistakenly thinking the newest @icloud.com iteration is theirs for the taking. Sooooooooo many of these ignorant people go so far as to register my address under @iCloud.com, that I’m often on a daily basis unsubscribing from whatever store, hotel, bank or job finding service they’ve tried to use; and I get account-locked notifications several times per week.

Most of the time I just leave it locked, as it causes no harm until I’m under a need to reauthorize a particular device, and I just unlock with email or 2FA.

Since I use them strictly under their @mac.com faces, I can typically just route most @iCloud and @me spam/communication to the trash; but I’m really uncomfortable when it’s associated with anything financial or denigrating, like porn or sex-trafficking, or obviously personal nature. I don’t want the risk of the FBI coming at me for the actions of others.

The worst is the people who think they’re being clever by using [name]@me.com, to avoid getting spam they don’t want, or to avoid contact with someone they’ve taken advantage of, only to dump all that garbage on me. I won’t disgust you with descriptions of the intimate, personal messages and photos/videos I’ve received intended for some unknown lothario, save to say I’ve created numerous automated responses in at least eleven different languages.

Anyway, I’ve learned to take most of it in stride and don’t place my anger at all with Apple for taking appropriate, if occasionally inconvenient steps to protect my personal data and financial information.

Cheers

F

2 Likes

Thanks to everyone who replied. My suspicion that Apple just pesters people about security may be wrong. The lock may have occurred because someone, either accidentally or intentionally, tried and failed to use my ID. So it goes.

1 Like

Apple can restore your ID so you can change your password, but it can take up to a month.