Be careful when using Apple Security Keys (2FA) as there is no way to recover your account if you lose your keys.
A word of warning to anyone considering using hardware/security keys to protect their Apple account, but please don't get me wrong - I'm a big fan of 2FA, passkeys, and hardware/security keys, just be aware of the limitations and do it right.
As of today (Nov 2024), there is no recovery option if you added Security Keys and are not logged into any device - or at least I didn't manage to find one despite opening several support cases.
Unfortunately, I learned that the hard way.
Context:
- I have 2 Apple IDs, primary and secondary - both added to the same 'family' and both configured with the same custom domain,
- I lost all my security keys in June this year,
- I'm not logged in with the secondary account on any device.
What I still have/know:
- I know the password,
- I know the passcode,
- I have access to the trusted phone number (it's the same on both accounts),
- I have recovery contacts (both ways between my primary and secondary account, and some other people as well),
- I have a legacy contact (both ways between my primary and secondary account),
- I still have access to that secondary account email,
- I still have all the devices I was using in the past with that secondary account (so, serial numbers can be verified and confirmed),
- I'm the owner/creator of the 'family' where both accounts are joined,
- I'm the legal owner of the custom domain connected to iCloud/all accounts.
So, I have most of the puzzle pieces, just missing a Security Key, and still I'm screwed.
I made several calls and opened several support cases (it took me 5 months), and the answer was always the same - there was no way to recover access to my account even though I had everything else.
This is super surprising and confusing for several reasons:
- This is just 2FA, not the main/only login method!!
- No proper warning when adding a Security Key, either via MacBook or iPhone,
- No proper warning on the webpage - Apple's webpage just says that 'you might lose' access, but not necessarily that 'you will lose access for sure with no recovery possible',
- When combined with other articles like 'account recovery' and 'recovery contacts' I got the impression that recovery is still possible - but that's not true,
- Adding Recovery Contacts is still possible even after setting up a Security Key - there is not a single hint that it will be completely useless in the future!
- Other companies have procedures to recover if you lose your 2FA but still have the other puzzle pieces.
Ok, I lost access to my account, but that's not the worst part! As a bonus, I lost access to my custom domain addresses assigned to that account!
Apparently the custom domain address is locked to the account, and the only way to re-assign that address is if both parties (old user and new user) confirm the transfer via a push notification sent to a logged-in device...
Because I'm not logged in with my second account on any device, I cannot confirm that notification - and there is no other way to approve that transfer.
And again there is no way to recover that address - even if that's my domain and I'm the legal owner of that domain.
I see no reason why the 'old user' has to agree to transfer the address which I own - it's my property, I should be able to transfer it as I wish.
I can easily confirm my ownership of that domain, so there should be some other method to transfer the address, something like an admin/owner override - all other companies allow that, that's the industry standard!
Also, as an admin/owner I can easily switch my domain to another email provider, so Apple is not really protecting anything here.
I get (kind of) that the account is extra protected, but a custom (not Apple's) domain - why? I'm the owner, so why do they care?