Regain Access

One of the most unsettling things that can happen to your Mac and your data is when you are locked out from your computer. It’s rare, and you can prepare against the possibility so that your recovery is quick—or at least feasible, if not fast.

Prepare for a Future Lockout

An ounce of prevention saves a metric kiloton of care when it comes to accounts and access. If you follow this advice ahead of time, you can avoid serious downtime and loss of data.

Keep Fresh Backups

I’ve said this repeatedly throughout this book, but backups are the strongest protection you can have against theft, destruction, and loss, including “loss of access.”

If you have daily backups of all your data on site (via Time Machine or third-party software), copies of your startup volume and external drives offsite, active continuous or daily cloud-hosted backups, or use a sync service to ensure multiple copies and a version history of your active documents, losing access to your Mac still has a sting, but you likely will lose very little data, if any.

In some cases, you might be locked out of your current Mac, such as with a FileVault failure or the loss of a Recovery Key. In those cases, you can erase the computer and restore from a full backup, putting you right back in business. Or you may be able to use an external drive or synced files to get back to work on another machine—perhaps a borrowed one—while you plot unlocking the Mac you can’t get to.

Passwords

You should have a go-to, secure place for all passwords and other login and encryption keys you may need in the event of a disaster, including:

  • Passwords for one or more administrator accounts on your Mac

  • The Recovery Key for FileVault, if enabled and displayed; see Enable and Manage FileVault

  • The account name and password for your iCloud account associated with the Mac

  • The password for your password manager (which may be the sole item you memorize, and you may also provide a copy to a lawyer, sibling, or trusted party to hold securely)

  • For Intel Macs, the firmware password, if one is set; see Firmware Password (Intel Macs)

This secure password repository should preferably be available from a device or location that isn’t tied to where you keep your Mac.

For my part, I rely on 1Password for this, because it offers a central secure store and access from any number of secure endpoints, such as with Face ID on my iPhone; you might prefer to use iCloud Keychain.

With a password manager as my central point of storage, I only have to memorize the main vault password for access on trusted devices. I use 1Password’s Emergency Kit: a piece of paper printed out and stored for emergency backup access if everything I owned were lost. Apple doesn’t provide password recovery with iCloud Keychain, but has other account recovery options that may let you regain access.

Check Trusted Security Elements

With two-factor authentication (2FA) enabled on your Apple ID, you might be locked out permanently if you lose access to trusted devices and trusted phone numbers for SMS and automated voice calls, or can’t find hardware security keys that can be used with an Apple ID account and increasingly with major websites.

With other 2FA systems, you can lose access forever if you no longer can receive messages at a phone number, can’t pull up a confirmation factor from an authenticator app (like Authy, 1Password, or Apple’s Passwords starting in fall 2021), and didn’t generate or retain a list of one-time-use backup codes created by a site for emergencies.

Finally, you could lose access to an account protected with a passkey login if you can’t access any of your iCloud-linked devices and didn’t retain one-time-use backup codes when you enrolled at a website.

Trusted Apple ID Items

Any Apple device logged in to an iCloud account with 2FA active is a so-called trusted device. You can tell that this is working when you try to log in via a browser to the Apple ID website, as every trusted device will display a notification for the 2FA code needed to confirm the login.

If one of your trusted devices doesn’t show that notification, check in System Preferences > Apple ID > iCloud (Monterey and earlier) or System Settings > Account Name (Ventura) that you’re correctly logged in. If all looks well, log out of iCloud and back in.

This can take a while and prompt you to answer a lot of questions about synced data—the answer for most is “keep data stored on this Mac.” When you log back in to iCloud on the device, you agree to merge data, which should avoid duplication and deletion.

You should also check that trusted phone numbers are still properly registered:

  1. Log in at the Apple ID website. If you have Touch ID active, click “Use a different Apple ID” and then enter your ID and password.

  2. Instead of entering a 2FA code, click “Didn’t get a verification code?”

  3. Click Text Me. (This will be labeled differently if you marked any or all trusted phone numbers as receiving automatic voice calls instead of text messages.)

  4. Select a trusted number if more than one is available; if only one, Apple texts that number.

  5. Enter the code that’s sent or use the autofill option in Safari.

If you never receive the code, log in with a trusted device, check the phone number, and remove and add it. I also recommend having multiple trusted phone numbers as backups.

If you have willing friends, colleagues, or family members, having their number as a backup in case your phone isn’t available doesn’t really reduce security, as they would need to know your Apple ID username and password, or have access to an unlocked Mac that has your credentials stored for autofilling into Safari. (This won’t work on an iPhone or iPad, which requires a passcode, Touch ID, or Face ID to fill a stored password.)

2FA Codes via SMS, Voice, and Authentication Apps

For important accounts, I recommend routinely logging in—if you don’t already—to make sure that you can receive a 2FA confirmation code—usually just a few digits long. You can often use SMS or an automated voice call, but I highly recommend you use an authentication app, like Google Authenticator or Authy, or password managers like 1Password—or Apple’s Passwords feature!

Generate 2FA Codes in Safari 15 or later

Starting in Safari 15 for Catalina and later (and in iOS 15/iPadOS 15), you can also use built-in support. Apple lets you add a code via any site’s enrollment page for 2FA. This is stored alongside a website’s password entry in Safari > Preferences > Passwords in Catalina and Big Sur, System Preferences > Passwords in Monterey, and System Settings > Passwords in Ventura.

On an enrollment page, Control-click a QR code, choose Set Up Verification Code, and then in Safari (Big Sur or earlier) or Passwords (Monterey), select the website login to associate it with (Figure 63).

Now you can go to the password entry to get the current code or, better, Safari automatically suggests it as an autofill value (validated with Touch ID if available) when you’re prompted for a verification code, second factor, or TOTP on a website after you log in.

You can also enter the 2FA seed code if it’s presented in text form in a password entry: go to the entry, click Edit, click Enter Setup Key, paste the code in, and click OK.

Figure 63: Just Control-click an enrollment code to set it up.
Store and Sync Codes via Authy

If a password-focused app or Apple’s Passwords feature doesn’t float your boat, I strongly recommend Authy, designed exclusively to store 2FA tokens and generate codes. It’s free and syncs securely across devices. (Authy’s owner, Twilio, makes its money from other services.)

Confirm a 2FA Login in a Native App

Google and some other ecosystems with native iPhone/iPad and Android apps may also let you authenticate by opening the app and confirming your login. This is generally considered nearly as good as 2FA, because the account has already been set up and confirmed, and mobile devices are protected with a passcode or biometric login.

Hardware Security Keys

As I noted earlier, you should treat hardware security keys as if they were irreplaceable keys to the castle—like a passphrase for a cryptocurrency wallet or a password for a vault that self-destructs when you’re one number off in a Dan Brown novel. They’re extremely secure, absolutely vital, and also can be used by other people!

Apple requires that you enroll at least two hardware security keys for an Apple ID account. Most sites only require a single hardware key, or won’t let you enroll more than one. If you lose the key, most sites offer a workaround that requires more forms of validation to gain access. Apple does not.

However, Apple has left a security flaw in place at present that acts as a workaround. If you can’t find your hardware security keys (or they’re irretrievable, stolen, or busted), but do have access to any of your Apple devices, you can go to Settings or System Settings > Account Name > Password & Security > Security Keys and remove all hardware security keys. Then you can use code-based 2FA to log in.

Backup Codes

Many sites and systems that use 2FA, and all those that let you enroll in passkey logins, have a “break glass” option in case you lose access to your phone number, mobile phone, authenticator app, and so forth. These backup codes are typically generated in a browser while enrolling to use 2FA or a passkey for your account, displayed once, and then deleted.

I recommend, as above, using a password manager that syncs and lets you store arbitrary text in it to store your backup codes. Each code can be used a single time; cross it out with strikethrough formatting or other notation when you use it.

A backup code is really a key that unlocks account information on the service side, which in turn lets you reset your 2FA or passkey access.

Recover Access to an Account

We are all fallible, and the way of all flesh is to age—and sometimes we forget things. I can’t tell you how many times I have “forgotten” a password because I try to remember it, but fortunately then try to use my fingers to type it and they “remember” for me.

If you can’t log in to your main account on your Mac because the password isn’t accepted, you have several options.

Use Another Administrator Account

Is there another account you’ve created and can log in to, or another user on the Mac with administrator access? First, log in to that administrator account. Then follow these steps:

  • In Monterey and earlier: Go to System Preferences > Users & Groups and Unlock the Pane or Setting. Select your locked-out account and click Reset Password.

  • In Ventura or later: Go to System Settings > Users & Groups, click the info icon on the locked-out account, and click Reset Password. When prompted, enter your administrator password.

Now enter and verify the password, adding a hint if you want, and click Change Password. Log out or use fast user switching and log in to your account with that password.

If that fails, move on to the next item.

Reset Password via Apple ID (No Secure Enclave)

Apple is cagey about which conditions will let you reset your password by providing the Apple ID credentials for the account your macOS account is linked to. It says it’s available in “some macOS versions.”

Here’s how it will appear if it’s available to you:

  1. Try to log in by entering the wrong password three times. (Your password hint, if any, will be shown at some point, too.)

  2. If available, you are prompted to click to enter your Apple ID credentials to reset your password. Enter those.

  3. Reset and verify your password.

  4. Your Mac restarts.

  5. Enter the new password you set.

Reset Password via Activation Lock (T2/M-Series)

Although Apple doesn’t make this clear, it appears that on Macs with a Secure Enclave processor, you can use your Apple ID via Activation Lock—which requires a Secure Enclave—to reset your password. (This may work differently with FileVault turned off.)

Here’s how to carry out the process:

  1. Enter your password incorrectly three times at the login window.

  2. On the third time, macOS displays “Restart and show password reset options” (Figure 64). Click that link.

    Figure 64: You can trigger this reset option.
  3. Your Mac restarts, and displays an Activation Lock login (Figure 65). It shows you part of your associated Apple ID. Enter your Apple ID, click Next, then enter the password, and click Next.

    Figure 65: Activation Lock allows you to bypass macOS password login to reset your password.
  4. If successful, a screen appears that notes “Authentication succeeded.” Click Exit to Recovery Utilities.

  5. Choose Utilities > Terminal.

  6. Type resetpassword and press Return. This opens the utility shown ahead in Figure 66.

  7. Select “I forgot my password” and click Next.

  8. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  9. Log in with your account and new password.

Reset Password with FileVault

If FileVault is enabled, you can use a streamlined password recovery method that requires a bit of waiting:

  1. Shut down your Mac via the login screen method and power it up.

  2. At the FileVault login screen—which looks like an ordinary login screen—wait about a minute. FileVault will tell you that you can use the power button to trigger a password reset prompt. (If the login screen doesn’t appear, FileVault is not enabled.)

  3. Press and hold the power button until your Mac powers down, then press it again to start it up.

  4. A Reset Password dialog appears (Figure 66). Select “I forgot my password” and click Next.

  5. Enter and verify your new password, and add a hint if desired.

  6. Click Change Password and your Mac restarts.

  7. Log in with your account and new password.

    Figure 66: The Reset Password utility, available only in recovery mode, offers help when you can’t log in.

Reset Password with FileVault Recovery Key

If the above option doesn’t work and you opted to keep your Recovery Key instead of escrowing it with your iCloud account, you can try this second option. Follow these steps using that key:

  1. Shut down your Mac via the login screen method and power it up.

  2. At the FileVault login screen, enter your password incorrectly three times, at which point macOS tells you that you can use your Recovery Key to reset your password. (If it doesn’t appear, FileVault isn’t turned on.)

  3. Click the arrow icon next to the password field. The field now says Recovery Key.

  4. Enter your Recovery Key in uppercase, including its dashes.

  5. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  6. Log in with your account and new password.

Reset Password from Recovery Mode

There’s also a command-line password reset utility available in recovery mode, which you can use without having to know the administrator password.

On an Intel-Based Mac:
  1. Restart your Mac or start it up, holding down ⌘-R.

  2. Choose Utilities > Terminal.

  3. Type resetpassword and press Return. This opens the utility shown in Figure 66.

  4. Select “My password doesn’t work when logging in” and click Next.

  5. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  6. Log in with your account and new password.

On an M-Series Mac:
  1. Choose Apple menu > Shut Down. When you see your Mac has powered down, hold down the power button until you see a prompt that says “Loading startup options.”

  2. Click Options.

  3. Click “Forgot all passwords?”

  4. Choose Utilities > Terminal.

  5. Type resetpassword and press Return. This opens the utility shown in Figure 66.

  6. Select “I forgot my password” and click Next.

  7. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  8. Log in with your account and new password.

Recover from a Lost Firmware Password

If you set a firmware password on an Intel Mac, as described in Firmware Password (Intel Macs), you have to keep that password extremely well stored, because it’s quite difficult to regain access to all the features of your Mac if you lose it.

Apple has tools that they can use in their Apple Stores and that they make available to third-party authorized service providers to reset this password. However, there’s a high bar:

  • You have to have an in-person meeting.

  • You must bring the Mac with you.

  • You must have the original invoice or purchase receipt for this Mac—in your name.

That’s right: if you are a subsequent owner, even if you have the original device’s purchase history and a document showing you bought it from that person, Apple may (and typically does) refuse to reset the password.
