Two-Factor in the Real World

I’m locked out of my Apple account.

I know my password. I still have my cell phone number that is set as a recovery number.

So how could I be locked out?

Several months back, I changed my cell carrier to Project Fi — the Google amalgamation of T-Mobile, Sprint, and WiFi networks to provide better coverage at lower cost. I’ve been thrilled with the service (like, seriously ecstatic), but there are some odd issues that have cropped up.

For one, it seems that text messages from SMS ‘short codes‘ don’t go through.  This has been a known issue for some time now with Project Fi. I first found out about it when trying to set up Google Wallet with USAA — which runs through an automated SMS short codes system. Many automated texts do work without issue — Dropbox, for one.

At this point, it should be noted that Project Fi is not listed on the list of carriers that Apple officially supports for sending out two-factor login codes.

So I just spent a full hour (I clocked it at the end) on the phone with a very empathetic and understand customer service rep from Apple.  Unfortunately:

  • I don’t have any iOS or OSX devices currently logged into my iCloud account (I had just voluntarily switched my primary computer to Windows for work)
  • I can’t receive txt messages from their automated system at the phone number I have on file (despite the fact that I called them from that number and they can call me back at that same number)
  • I don’t have my recovery key (it was about three years back when I first turned on two-factor authentication, and I have absolutely no idea where I would have stored it)

So there is absolutely nothing that they can do for me, it seems.

I mean, I understand this to a point. The rep I had on the phone was very apologetic, but the system that they built just doesn’t account for the fact that perhaps sometimes phone numbers lose the ability to receive text messages.

They knew I was who I said I was — I was calling from my number on file, I had all my credit card information, I could authenticate the first step of logging in.  They could even call me at the phone number they have on file.  But because they couldn’t text me, they couldn’t — not wouldn’t, but actually couldn’t — help me.

But this isn’t meant to be a sob story, or a tirade against Apple. Okay, maybe a little bit of a gripe, but I’d like it to be more a focus on the importance of considering edge cases in development.

The customer support reps are incredibly constrained. They knew without a doubt that I could receive calls at the phone number in question. But they weren’t empowered to do anything about it. They escalated the issue, and it seems no-one was about to do anything, apart from offering their condolences that I won’t be able to log into my account.

If there is one take-away from this, I suppose it’s to enable your customer support reps to actually do their jobs. I know Apple has gotten burned in the past on hackers gaming the system, but it’s the importance of being judicious when dealing with requests, not barring the doors against any.

As a semi-related note, I’m heading up the group working on bringing Two-Factor support to WordPress core.  Two-Factor is something that I believe in deeply, I just also believe in the importance of carefully building out the systems that serve as back ends to such methods of authentication.

Update: I’m learning that it’s possible to get some short codes unblocked for a single account specifically … maybe.  Apple authentication texts seem to come from a number `50472` and I’ll be reaching out to Project Fi support tomorrow to see if I can get them to manually unblock that number for my account.

7 thoughts on “Two-Factor in the Real World

  1. You know, I wondered why I wasn’t getting my 2fa text codes from my bank. Luckily I have two other means (phone call or email) to get the code, so I didn’t think much about it. Will be quite interested in seeing what you find out.

  2. It’s 2017, and I seem to be experiencing the same issue with Apple and local mobility provider Execulink. The old two-step authentication is active on one of our Apple accounts. We successfully received a short code from Apple back in August of 2016 when we were on Rogers. Now that we are on Execulink, no codes. Have been on numerous calls with Apple and Execulink, and they are both pointing the finger at each other, and at me. “Maybe you entered the number wrong”, despite the fact that I replicated the issue with an Execulink rep, successfully triggering a short code to their personal Virgin phone and having their Execulink test phone fail to receive the code within minutes of each other.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s