iforgot.apple.com's "Enter Recovery Key" no longer accepts pasting

Whenever I need to unlock my Apple ID (often), I need to use iforgot.apple.com. It asks for my Recovery Key, which I have stored in a 1Password Secure Note. However, since Apple recently changed their site, I can no longer paste into that field - I have to remember the key and then type it into the field. This is a pain in general, but even more so on iPhone/iPad.


1Password Version: latest
Extension Version: latest
OS Version: latest
Sync Type: Not Provided

Comments

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Greetings @bkendig,

    I've never needed to unlock my Apple ID so I'm not too sure on the process. Does your recovery key change each time or do you keep using the same one? The reason I ask is what if you try creating a Login item for that page using our How to manually save a Login guide. Could you use 1Password to fill in the recovery key like it was a login page?

  • bkendig
    bkendig
    Community Member

    Good idea, but unfortunately that doesn't work either. Apple seems to have tried to make the recovery key page "smart", so that it requires the user to type in the recovery key; it won't allow pasting it (even piece-by-piece).

  • bkendig
    bkendig
    Community Member

    How do I submit this as a bug report or feature request for 1Password?

  • sjk
    sjk
    1Password Alumni
    edited December 2015

    Hi @bkendig,

    It sounds like Apple has made it impossible to paste a Recovery Key into the field where it's required on the iforgot.apple.com site, e.g. on a page like this (Apple Support image):

    However, since Apple recently changed their site, I can no longer paste into that field
    Apple seems to have tried to make the recovery key page "smart", so that it requires the user to type in the recovery key; it won't allow pasting it (even piece-by-piece).

    Have you tried copying text from somewhere else other than 1Password and pasting it into that field? If it also fails there's nothing 1Password will be able to do about it (edit: perhaps, and hopefully, I am wrong :)). Apple would have to allow pasting there again, essentially reverting the change you've mentioned.

    Whenever I need to unlock my Apple ID (often), I need to use iforgot.apple.com.

    Must admit I'm curious what requires you to unlock your Apple ID often, if you don't mind saying. Maybe there's something you can do to reduce how often you're doing that and lessen the hassle of manually entering the Recovery Key?

    How do I submit this as a bug report or feature request for 1Password?

    You'd want to submit that feedback to Apple through their site:

    Apple - Feedback

    Sorry I don't have a better answer for you; it's out of our control what Apple allows and disallows on their site.

  • bkendig
    bkendig
    Community Member

    Good thought; thank you. I can't paste anything into that field. I'll report it to Apple.

    As for why I need to unlock my Apple ID so often: I have a fairly common username @icloud.com. Lots of people all over the world think that my iCloud username is theirs. They keep trying to sign into my account and failing, but Apple then locks my account until I verify with two-factor authentication. (This happens several times a week.)

    I've gotten the unlock process down to about a minute or so: go to iforgot.apple.com, enter my iCloud username, get my recovery key from 1Password and enter it on the site, tell it to send the 4-digit validation code to my iPhone, type that into the site, tell it to unlock my account without changing the password, then autofill my password from 1Password. (I wish there were a way to automate this process, but I think that's too much to ask.)

    Since I see you work with AgileBits, may I make one small request? The mobile client's built-in web browser has a "Done" button that returns me to my password vault. As you can see, the process I have to go through involves going back and forth between the vault and the web page several times. At first I was worried about tapping "Done" because I wasn't actually done; I was afraid it was going to close the browser and lose my session. Turns out that "Done" doesn't actually close anything - it just sends me back to the vault. An earlier version of the 1Password mobile client used a different word other than "Done" that was more suitable (but I don't remember what it was - was it just an icon?). I liked that previous button better than the word "Done". Would you consider bringing it back in a future version?

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited December 2015

    @bkendig: I'm not quite sure how to get my Apple ID 'locked' and I'm not sure I want to tempt fate...but I did want to suggest one thing in case you haven't already tried it: right-click and paste via the contextual menu. I've encountered a lot of sites that disabled the keyboard shortcut, but the menu still worked. Does that help on a computer at least? You also may get different results depending on the browser. Definitely worth experimenting given how frequently you have to do this. :unamused:

    As for your predicament, I'd say using Apple's two-step verification is a great move, and frankly I'd contact Apple to see if they can make it so you don't get locked out due to bad password attempts, since two-step will prevent anyone from getting in even if they did manage to guess your password — which won't happen if you're using a generated password anyway. Just a thought. :chuffed:

    I liked that previous button better than the word "Done". Would you consider bringing it back in a future version?

    That's something we can certainly consider. I definitely appreciate your perspective on this. However, just having the icon was confusing in a different way, so I'm not sure that's the right solution. We'll see if we can find a way to improve this that makes it clear for everyone. Thanks for the feedback! :)

  • bkendig
    bkendig
    Community Member

    The contextual menu "paste" doesn't work either. (If you'd like to see for yourself: go to https://iforgot.apple.com/, enter your Apple ID email address, then you'll see the "Enter Recovery Key" field. Don't worry; nothing you do at that step will affect your account.)

    I use two-factor authentication everywhere I can, including with my Apple ID. Apple's policy of locking an account after a number of unsuccessful login attempts is an "added security measure", though a very annoying one. (At least it could be worse - at various points in the past, they would require a password reset each time the account was locked; sometimes I had to change my Apple ID password more than once per day. Fortunately, they backed down from that.)

    I never imagined how Mr. Jobs could ever use his steve@mac.com account - I imagine that must have been locked every time he tried to use it, with all the people trying (unsuccessfully) to log into it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    The contextual menu "paste" doesn't work either.

    @bkendig: Dang it! :angry:

    (If you'd like to see for yourself: go to https://iforgot.apple.com/, enter your Apple ID email address, then you'll see the "Enter Recovery Key" field. Don't worry; nothing you do at that step will affect your account.)

    Hmm. I tried going there earlier too, but for some reason I'm not seeing a "recovery key" option, only "Get an email"
    or "Answer security questions".

    I use two-factor authentication everywhere I can, including with my Apple ID. Apple's policy of locking an account after a number of unsuccessful login attempts is an "added security measure", though a very annoying one. (At least it could be worse - at various points in the past, they would require a password reset each time the account was locked; sometimes I had to change my Apple ID password more than once per day. Fortunately, they backed down from that.)

    Ouch. I can't even imagine how frustrating that would be. It sounds like you're managing it well though!

    I never imagined how Mr. Jobs could ever use his steve@mac.com account - I imagine that must have been locked every time he tried to use it, with all the people trying (unsuccessfully) to log into it.

    I literally just LOL'd for 5 minutes straight. :lol:

    I suspect Steve's email address would have gotten an exception (though I heard that he used steve@apple.com, so maybe it didn't apply...and there was probably a guy whose job it was to make sure that nothing like that every happened to Mr. Jobs...or he was out of a job).

    I hope that Apple (and other service providers — I imagine there's a steve@gmail.com in a similar predicament!) are able to loosen some of the more archaic 'security measures' in time for all of us. I can't imagine what purpose it serves with two-step enabled, since they could simply throttle the code generation. These institutional processes are built up slowly over time and, unfortunately, die even more slowly. :unamused:

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hello @bkendig,

    Try the following for me please.

    1. Open 1Password and use the menu option File > New Item > Login.
    2. Set the username of the item to your recovery code key minus the bit Apple fill in for you. For me that's two characters and a dash but I don't know if that's the same for everybody or not. Keep the internal dashes.
    3. Set the website field to https://iforgot.apple.com/
    4. For testing purposes change the submit option from the default Submit when enabled to Never submit.

    Try filling in with this new item. I found 1Password didn't bring up the 1Password Save Login window but a manually created item would fill in the field for me and the Continue button on the page became enabled. I apologise for not testing further but I wasn't too keen as I don't know what other hoops you routinely have to go through and it turns out I'm a bit of a coward when it comes to my Apple ID.

    If you find that works I believe this will be the most streamlined approach going forward.

    1. Add https://iforgot.apple.com/ to your normal Apple ID Login item.
    2. Fill the first page of the recovery process using your Apple ID Login item. This will fill in the username of this item which will be your email address associated with your Apple ID.
    3. Fill the second page of the recovery process using the item you created above. We're using the fact that one of our filling behaviours will attempt to fill in the username of a Login item into a text field to force it to fill in the recovery code field.

    Hopefully that works and makes the process a bit faster :smile:

  • bkendig
    bkendig
    Community Member

    Well, wouldn'tchaknowit, that works. Thank you very much for the idea!

    I did file a request with Apple to fix the form to work with 1Password, anyway. It's annoying that they've put effort into making their form be incompatible.

  • thightower
    thightower
    Community Member
    edited December 2015

    @bkendig

    I don't know how much of a security issue this may be but the following suggestion was written by a fellow 1Password user. http://www.prioritized.net/blog/re-enabling-password-pasting-on-annoying-web-forms/

    Cc @littlebobbytables @brenty This was suggested some time ago here in the forums. Is this a secure option ?

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    @thightower, I can't see any reason why it should be considered insecure. Assuming the linked bookmarklet code doesn't change then it does seem to be doing only what it purports to be doing, checking all input fields and if they are of the password type then it's altering an attribute. Now it wouldn't help with the above issue because the field in question wasn't a password field and seems to using something other than the onpaste attribute (double whammy).

    I believe the bookmarklet could be tweaked to simply remove the onpaste attribute wherever it is found although it would be nice to know about a site or two that does stop paste from working. The example the link gave seems to be no longer true, most likely due to another change on their site.

    You do have to wonder why sites sometimes seem hellbent on making life harder for the users but oh well.

This discussion has been closed.