General Find my iPhone *sucks*!!!

[dcp10]

Account recovery is for when a user is locked out. It’s for security to prevent unauthorized people from changing passwords. I’ve never seen a company not have some sort of waiting period. 24 hours isn’t arbitrary though, it’s 1 full day, 22 hours, that would be arbitrary. From your logic, why wouldn’t any number of days be arbitrary? Apple had to pick a number and obviously felt it was long enough in *most* cases.

Same thing with last location. Keeping a long history is a privacy issue which has possibles of being misused. Divorce cases are a common example cited where location data could be subpoenaed, Apple has said they’re not interested in playing that kind of role.

No security or privacy policy is going to be perfect unfortunately, and it’s a shame that this happened.

Don’t go to an Android though. Get a new iPad(some great deals on older models now) and spend some time at a Genius Bar learning the best way to set it up so this doesn’t happen again.

 

[C DM]

Account recovery is for when a user is locked out. It’s for security to prevent unauthorized people from changing passwords. I’ve never seen a company not have some sort of waiting period. 24 hours isn’t arbitrary though, it’s 1 full day, 22 hours, that would be arbitrary. From your logic, why wouldn’t any number of days be arbitrary? Apple had to pick a number and obviously felt it was long enough in *most* cases.

Same thing with last location. Keeping a long history is a privacy issue which has possibles of being misused. Divorce cases are a common example cited where location data could be subpoenaed, Apple has said they’re not interested in playing that kind of role.

No security or privacy policy is going to be perfect unfortunately, and it’s a shame that this happened.

Don’t go to an Android though. Get a new iPad(some great deals on older models now) and spend some time at a Genius Bar learning the best way to set it up so this doesn’t happen again.

Seems like the arbitrary part might be be more related to their being a delay in general, and perhaps it being something as long as 24 hours, rather than let's say a couple of hours, for example.

There are certainly many products and services that allow you to go through a password reset without any type of delay which in a sense ends up penalizing a user simply because the user might have forgotten their password and needs to access their account today if not now rather than tomorrow simply because they just need to wait for the sake of waiting.

In the cases when an account is locked for some reason in most cases it shouldn't be an issue in getting it unlocked by contacting customer care. If they are simply saying just to wait, seems like they aren't of much help in situations like that, which shouldn't be the case.

As for keeping last location and all that, things can certainly be said to make it rational when it comes to not doing it all, doing it only for a few hours, only 24 hours, a week, a month, indefinitely, etc. Ultimately in scenarios like this when it comes to something lost and a specific option to keep track of last known location being enabled by the user, seems like keeping that information for a period of more than 24 hours would have more rationale to it.
[doublepost=1540481379][/doublepost]

No security or privacy policy is going to be perfect unfortunately, and it’s a shame that this happened.

In the end though that's more or less what it comes down to, unfortunately, as you mentioned.

 

[Apple blogger]

So...what's with the 24 delay in order for one to recover/change password?

I guess he means that after he spoke to Apple, they must have recovered his password and allowed him to enter a new password. However, Apple must have asked them to Wait 24 hours before the changes take effect..

I think, (keeping his story aside) there seems to be a serious flaw in apple’s system. From what I read, if we don’t have our iCloud password, We can ask Apple to restore my password (if forgot password doesn’t work too), it looks like it takes 24 hrs form appms end... and since after resaetting the password, when we actually try to locate the device, it won’t be possible cause the location isn’t saved.

I think in this situation, Apple should save the last location for atleast 48 or 72 hours... because uf resting takes a day, the user should have enough time to locate his iPad too..

 

[charlituna]

During that 24 hour time, a thief could have done a lot of things with the iPad, including wiping it.

and if find my iPad was on then the thief has a pretty platter that he/she can do nothing with cause he/she doesn't know the iCloud account to unlock it.
[doublepost=1540537014][/doublepost]

From what I read, if we don’t have our iCloud password, We can ask Apple to restore my password (if forgot password doesn’t work too), it looks like it takes 24 hrs form appms end

only if you don't remember your security questions, don't have a trusted device and don't have access to the email being used with the account. which makes me think that said 'son' had an iCloud.com email with no recovery, only using it on that device without 2 step set up which would have allowed him to put in his phone number for receiving verification codes and probably put in BS answers to the security including perhaps a bogus birthdate

 

[DaveOP]

Yes
[doublepost=1540403049][/doublepost]

It is not. The fact that account recovery takes 24 hours and that the last location of the iPad is only stored for 24 hours are extremely arbitrary and brainless customer unfriendly decisions however. If you disagree, please tell me why instead of launching ad hominem attacks.

Did your son not have access to the e-mail address, didnt know the password, and didnt know the secret questions or have 2FA setup?

 

[960design]

and if find my iPad was on then the thief has a pretty platter that he/she can do nothing with cause he/she doesn't know the iCloud account to unlock it.

1. Thief picks up iPad before passcode lock or one that does not have passcode lock.
2. Thief immediately goes into iCloud and resets password ( that is why the OP could not get into account ).
3. Password reset gets sent to the iPad email ( most of us have the email account used for password recover logged in on our iPad )
4. Thief then removes Find My iPhone.
5. Thief then restores device.
6. Thief then sells on Ebay or Craig's list.

We are our own worst enemy.

Apple does provide a full proof way to prevent a device from every being sold off ( it can always be physically stolen or lost ). MDM and DEP, no way to get around that. Sadly, DEP is only available for Business and Education users right now.

 

[DaveOP]

1. Thief picks up iPad before passcode lock or one that does not have passcode lock.
2. Thief immediately goes into iCloud and resets password ( that is why the OP could not get into account ).
3. Password reset gets sent to the iPad email ( most of us have the email account used for password recover logged in on our iPad )
4. Thief then removes Find My iPhone.
5. Thief then restores device.
6. Thief then sells on Ebay or Craig's list.

We are our own worst enemy.

Apple does provide a full proof way to prevent a device from every being sold off ( it can always be physically stolen or lost ). MDM and DEP, no way to get around that. Sadly, DEP is only available for Business and Education users right now.

Your steps above are not on Apple, nobody should be using an iPad without a passcode enabled or they're asking for this to happen. To your point above, DEP is only available to those users, but JAMF Now is free for up to 5 users I believe, and will give you the added security you need. DEP is only needed to auto-assign the devices, configurator and JAMF Now can be used to resolve the rest. (I do enterprise MDM for a living, so while I agree with you that DEP and JAMF are great resources, DEP is not needed for personal users.)

 

[960design]

Your steps above are not on Apple...

Completely agree. Just mentioning a common case of believing iCloud will always save you, but it does not if you forget the simple things.

I do enterprise MDM for a living, so while I agree with you that DEP and JAMF are great resources, DEP is not needed for personal users.

Hey, not many of us around, been doing MDM management, research, coding(MDM specific) and pentesting/hardening for 10 years now.