Apple iCloud activation lock: The Perfect Storm

So I’ve heard of horror stories where someone has two factor authentication on for their iCloud/Apple ID and they lose the backup password/code and in doing so they are basically screwed, there’s no way for Apple to let you back in and it for the most part is for good reason.  There are many people out there who utilize social engineering and attempt to gain access to other users’ accounts.

Then there is me, and in this case it is my son’s Apple iPhone 5S that I gifted him recently.  I created a separate iCloud/Apple ID account for him.  I had my personal e-mail address as an additional e-mail address on his account.  I also had three security questions setup but forgot to the answers to.  This past weekend I needed to gain access to the account but forgot the security questions.  I went ahead and had the e-mail confirmation sent to my backup e-mail I had on file.  This went through ok.  I also needed to change the password of the account, long story short I was in the midst of disciplining my son.  So I change the password, and stupidly did not write the password down as I again, became sidetracked by receiving a call back from my son.  In turn, the password was changed, I did not write it down, the three security questions were some how blown away, and then my secondary e-mail address was also removed.  I don’t remember doing either of those two things but it happened.

My son starts telling me that his phone keeps asking for his iCloud password.  I attempt to use the last known good one that I had but that did not work.  I try resetting it but find that it will only send the e-mail recovery to the actual iCloud account.  That doesn’t help us at all since we don’t know the password and the recovery options are all blown away.  I schedule a call with Apple Support and am told that there is a way for them to reset the password but they need two pieces of information to identify and confirm that it is who I say I am.  And that is understandable and it goes back to my point I made earlier that it’s for security reasons and if they’re lax, hacking can become a major problem as it was in the past.  I understand that.

So I can only get one piece of information confirmed and the guy says I’m out of luck but that I can get the activation lock removed by sending in proof of purchase which I did.  After restoring it in DFU mode it’s still locked by way of activation so I have to call back tomorrow.  But I guess the lesson learned here is be careful with your account.  The only reason why the account didn’t have a CC on file is because my son doesn’t have a credit card or debit card and I did not want to have mine on file.

I now plan to look into banks or credit unions and have my son signed up for his own account so we can have at least two pieces of information on file to recover the password if this happens again.

It sucks but again it doesn’t because of the way the system works.  It’s damned if you do, damned if you don’t.  The bad guys want everything lax so they can get into the account and do whatever it is they do.  But in the process of it the good guys who really use it for what it’s meant to be used for and are just there to enjoy the ride get shafted too, sometimes.