Earlier this week, Owen Williams of The Next Web found his Apple iCloud account locked. Williams was smart and enabled two-factor authentication on his account after reading the sad story of Wired's Mat Honan, whose Apple and Google accounts were hacked through a social engineering trick in which the attackers got his password reset over the phone.
Williams, unfortunately, couldn't access his iCloud account because he'd forgotten the recovery code. Does this mean we should all dismiss two-factor authentication?
Sound and Fury
No. Absolutely not. Zero, zilch, nada, no way. Can I make this any clearer? In fact, Williams himself makes clear that turning on two-factor authentication saved the day: "I discovered that not only had my iCloud account been locked, but someone had tried to break in. Two-factor had done its job and kept the attacker out; however, it had also inadvertently locked me out."
So what? The important thing is it worked. Your stuff is safe. Williams tried to call Apple to see if they could reset his password. No dice, the guy on the phone said. That's exactly what should happen. Honan's attackers were able to trick an Apple support employee into resetting his password over the phone. There was absolutely no way for Williams to prove he wasn't an attacker trying the very same thing. Good for the Apple employee for not resetting the password. (And I mean that.)
By the way, Williams eventually found his recovery key, so there's technically no harm here. The only valid point in the whole article is that Apple's support page kind of lies when it says you can use a combination of your old password and a trusted device to get a new recovery key. As Williams found out, if your account is disabled for security reasons, that trick won't work.
Stick With Two-Factor
So what's the moral of the story here? It's to keep your recovery key in a safe place. I keep all of mine in my hope chest. (I'm kidding, of course; I keep them in a manly tool box buried in the backyard.) At no point should you consider not using two-factor authentication wherever possible, especially if you're a journalist or other high-profile person whom hackers would love to attack. It's frustrating when someone won't believe you are who you claim you are, but look at it from their point of view. Why should they believe you? On the Internet, no one knows that you're a dog, but they also don't know that you're not really firstname.lastname@example.org.
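To make concrete why the recovery key is the only thing standing between you and a permanent lockout, here is an added illustration (not Apple's code, and not from the article) of how a typical second-factor check works: the service accepts either a time-based one-time code (TOTP, RFC 6238) or one of a handful of single-use recovery codes, and it stores only hashes of those recovery codes, so once you lose them there is nothing the provider can hand back. The storage layout, the one-step clock tolerance and the `locked` flag are assumptions made for this example.

```python
# Added example: second factor = TOTP (RFC 6238) or a single-use recovery code.
# Not the code of any real provider; storage layout and policy are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def totp(secret_b32: str, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """TOTP value for Unix time `at`: HMAC-SHA1 over the step counter, RFC 4226 truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _hash_code(code: str) -> str:
    # Recovery codes are high-entropy random strings, so a SHA-256 of the
    # normalized code is stored; the plaintext is shown to the user once and never kept.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


def new_recovery_codes(n: int = 8) -> List[str]:
    """Generate n human-typeable recovery codes (4 groups of 4 hex chars)."""
    return ["-".join(secrets.token_hex(2) for _ in range(4)) for _ in range(n)]


class Account:
    def __init__(self, totp_secret_b32: str, recovery_codes: List[str]):
        self.totp_secret = totp_secret_b32
        # Only hashes are kept; an entry is deleted the moment its code is used.
        self.recovery_hashes = {_hash_code(c) for c in recovery_codes}
        # Set by the service after repeated bad attempts (assumed policy); a locked
        # account answers nothing, which is the situation described in the article.
        self.locked = False


def second_factor_ok(acct: Account, presented: str, now: Optional[int] = None) -> bool:
    """True if `presented` is the TOTP for the current step (+/- one step) or an unused recovery code."""
    if acct.locked:
        return False
    now = int(time.time()) if now is None else now
    for skew in (-1, 0, 1):   # tolerate one step of clock drift between phone and server
        if hmac.compare_digest(totp(acct.totp_secret, now + skew * TOTP_STEP), presented):
            return True
    h = _hash_code(presented)
    if h in acct.recovery_hashes:
        acct.recovery_hashes.discard(h)   # single use: a replayed recovery code fails
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret, and a fresh set of recovery codes.
    codes = new_recovery_codes(3)
    acct = Account("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", codes)
    print("TOTP at t=59:", totp(acct.totp_secret, 59))
    print("recovery code accepted:", second_factor_ok(acct, codes[0], now=59))
    print("same code again:", second_factor_ok(acct, codes[0], now=59))
```

Notice what the server holds: a TOTP secret it can only use to check codes, and hashes it can only compare against. Neither lets a support agent "reset" your way back in over the phone, which is exactly the property that kept Williams's attacker out, and exactly why the printed recovery codes have to live somewhere you will find them again.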
Most so-called hacking gets accomplished through social engineering, which appeals to people's human foibles to circumvent established safeguards. If you really, truly want security in a nameless, faceless cyberworld, then certain things we once took for granted -- like appealing to a human -- will have to go out the window.