Regain Access

One of the most unsettling things that can happen to your Mac and your data is being locked out of your computer. It’s rare, and you can prepare against the possibility so that your recovery is quick—or at least feasible, if not fast.

Prepare for a Future Lockout

An ounce of prevention saves a metric kiloton of care when it comes to accounts and access. If you follow this advice ahead of time, you can avoid serious downtime and loss of data.

Keep Fresh Backups

I’ve said this repeatedly throughout this book—and I guarantee you I will say it once more in the next chapter—but backups are the strongest protection you can have against theft, destruction, and loss, including “loss of access.”

If you have nightly backups of all your data on site (via Time Machine or third-party software), copies of your startup volume and external drives offsite, active cloud-hosted backups happening all the time, or a sync service that ensures multiple copies and a version history of your active documents, losing access to your Mac still has a sting, but you haven’t lost any data, or at least very, very little data.

In a case where you can’t get back into your current Mac, such as a FileVault failure or the loss of a Recovery Key, but you can erase the computer and set it up again, restoring from a full backup puts you right back in business. Or you may be able to use an external drive or synced files to get back to work on another machine—perhaps a borrowed one—while you plot unlocking the Mac you can’t get to.

Passwords

You should have a go-to, secure place for all the passwords and keys you may need in the event of a disaster or lockout. These include:

  • Passwords for one or more administrator accounts on your Mac

  • The firmware password, if one is set (see Firmware Password (Intel Macs))

  • The Recovery Key for FileVault, if enabled and displayed (see Enable and Manage FileVault)

  • The Recovery Key for your Apple ID account (an option with iOS/iPadOS 14 and Big Sur, and discussed below)

  • The account name and password for your iCloud account associated with the Mac

  • The password for your password manager (which may be the sole item you memorize, and you may also provide a copy to a lawyer, sibling, or trusted party to hold securely)

This secure password repository should preferably be available from a device or location that isn’t tied to where you keep your Mac.
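
A lockout-readiness check for this Mac, added here as an example and not taken from the book: it reports whether there is a second administrator account (which the recovery steps later in this chapter rely on), whether FileVault has a personal Recovery Key, and whether a Time Machine backup exists. It assumes the stock macOS tools dscl, fdesetup, and tmutil, run as root in Terminal; the function names and warning texts are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the book): lockout-readiness check for macOS.
# Parsers take command output as text so they can be tried on samples.

# Count admin-group members other than root in the output of
# `dscl . -read /Groups/admin GroupMembership`.
count_admins() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' |
        grep -v -e '^root$' -e '^$' | wc -l | tr -d ' '
}

# Map `fdesetup status` output to on / off / unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Print one warning per gap; prints nothing when every check passes.
# Args: admin count, FileVault state, personal-recovery-key flag
# (true/false), path of the latest Time Machine backup (empty if none).
readiness_warnings() {
    [ "$1" -ge 2 ] || echo "WARN: $1 administrator account(s); keep a second one for resets"
    if [ "$2" = on ] && [ "$3" != true ]; then
        echo "WARN: FileVault is on but fdesetup reports no personal Recovery Key"
    fi
    [ -n "$4" ] || echo "WARN: no completed Time Machine backup found"
    return 0
}

# Live run: these tools exist only on macOS, so skip everywhere else.
# fdesetup needs root; tmutil may need Full Disk Access. A command that
# fails or prints nothing is treated as "missing" (an assumption here).
if [ "$(uname -s)" = "Darwin" ]; then
    admins=$(count_admins "$(dscl . -read /Groups/admin GroupMembership)")
    fv=$(filevault_state "$(fdesetup status 2>/dev/null || true)")
    key=$(fdesetup haspersonalrecoverykey 2>/dev/null || true)
    backup=$(tmutil latestbackup 2>/dev/null || true)
    readiness_warnings "$admins" "$fv" "$key" "$backup"
fi
```

A warning about the Recovery Key only means that fdesetup found no personal key; check in the FileVault settings which recovery option you chose.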

Check Trusted Devices, Numbers, and Apps

With two-factor authentication (2FA) enabled on your Apple ID and other accounts, you might be locked out permanently if you lose access to trusted devices (Apple ID), trusted phone numbers for SMS and automated voice calls (Apple ID and most systems), authentication code generating apps (nearly everybody except Apple), and a list of backup codes that can be used once each in an emergency to log in (many account systems, but not Apple).

Trusted Apple ID Items

Any Apple device logged in to an iCloud account with 2FA active is a so-called trusted device. You can tell that this is working when you try to log in via a browser to the Apple ID website, as every trusted device will display a notification for the 2FA code needed to confirm the login.

If one of your trusted devices doesn’t show that, check in Settings > account name > iCloud (iOS/iPadOS), System Preferences > iCloud (Mojave or earlier), or System Preferences > Apple ID > iCloud (Catalina or later) that you’re correctly logged in. If all looks well, log out of iCloud and back in.

This can take a while and prompt you to answer a lot of questions about synced data—the answer for most is “keep data stored on this Mac.” When you log back in to iCloud on the device, you agree to merge data, which should avoid duplication and deletion.

You should also check that trusted phone numbers are still properly registered:

  1. Log in at the Apple ID website.

  2. Instead of entering a 2FA code, click “Didn’t get a registration code?”

  3. Click Use Phone Number.

  4. Select a trusted number.

  5. Enter the code that’s sent or use the autofill option in Safari.

If you never receive the code, log in with a trusted device, check the phone number, and remove and add it. I also recommend having multiple trusted phone numbers as backups.

If you have willing friends, colleagues, or family members, having one of their numbers as a backup in case your phone isn’t available doesn’t really reduce security, as they would need to know your Apple ID username and password, or have access to an unlocked Mac that has your credentials stored for autofilling into Safari. (This won’t work on an iPhone or iPad, which requires a passcode, Touch ID, or Face ID to fill a stored password.)

2FA Codes via SMS, Voice, and Authentication Apps

For important accounts, I recommend routinely logging in—if you don’t already—to make sure that you can receive the 2FA confirmation via SMS or an automated voice call, or use an authentication app, like Google Authenticator or Authy. (That capability is also built into 1Password.)

Google and some other ecosystems with native iPhone/iPad and Android apps may also let you authenticate by opening the app and confirming your login. This is generally considered nearly as good as 2FA, because the account has already been set up and confirmed, and mobile devices are protected with a passcode or biometric login.

Backup Codes

Many sites and systems that use 2FA have a “break glass” option in case you lose access to your phone number, mobile phone, authenticator app, and so forth. These backup codes are typically generated in a browser while setting up 2FA for your account, displayed once, and then deleted.

I recommend, as above, using a password manager that syncs and lets you store arbitrary text in it to store your backup codes. Each code can be used once only; cross it out with strikethrough formatting or other notation when you use it.

A backup code is really a key that unlocks account information on the service side, which in turn lets you reset your 2FA access.

Recover Access to an Account

We are all fallible, and the way of all flesh is to age—and sometimes we forget things. I can’t tell you how many times I have “forgotten” a password because I try to remember it, but fortunately then try to use my fingers to type it and they “remember” for me.

If you can’t log in to your main account on your Mac because the password isn’t accepted, you have several options.

Use Another Administrator Account

Is there another account you’ve created and can log in to, or another user on the Mac with administrator access? Follow these steps:

  1. Log in to that account.

  2. Open the Users & Groups preference pane.

  3. Unlock the pane via any method listed in Unlock the Pane.

  4. Select your locked-out account and click Reset Password.

  5. Enter and verify the password, adding a hint if you want, and click Change Password.

  6. Log out or use fast user switching and log in to your account with that password.

If that fails, move on to the next item.

Reset Password via Apple ID (No Secure Enclave)

Apple is cagey about which conditions will let you reset your password by providing the Apple ID credentials for the account your macOS account is linked to. It says it’s available in “some macOS versions.”

Here’s how it will appear if it’s available to you:

  1. Try to log in by entering the wrong password three times. (Your password hint, if any, will be shown at some point, too.)

  2. If available, you are prompted to click to enter your Apple ID credentials to reset your password. Enter those.

  3. Reset and verify your password.

  4. Your Mac restarts.

  5. Enter the new password you set.

Reset Password via Activation Lock (T2/M1)

Although Apple doesn’t make this clear, it appears that on Macs with a Secure Enclave processor, you can use your Apple ID via Activation Lock—which requires a Secure Enclave—to reset your password. (This may work differently with FileVault turned off.)

Here’s how to carry out the process:

  1. Enter your password incorrectly three times at the login window.

  2. On the third time, macOS displays “Restart and show password reset options” (Figure 43). Click that link.

    Figure 43: You can trigger this reset option.
  3. Your Mac restarts, and displays an Activation Lock login (Figure 44). It shows you part of your associated Apple ID. Enter your Apple ID, click Next, then enter the password, and click Next.

    Figure 44: Activation Lock allows you to bypass macOS password login to reset your password.
  4. If successful, a screen appears that notes “Authentication succeeded.” Click Exit to Recovery Utilities.

  5. Choose Utilities > Terminal.

  6. Type resetpassword and press Return. This opens the utility shown ahead in Figure 45.

  7. Select “I forgot my password” and click Next.

  8. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  9. Log in with your account and new password.

Reset Password with FileVault

If FileVault is enabled, you can use a streamlined password recovery method that requires a bit of waiting:

  1. Shut down your Mac via the login screen method and power it up.

  2. At the FileVault login screen—which looks like an ordinary login screen—wait about a minute. FileVault will tell you that you can use the power button to trigger a password reset prompt. (If the login screen doesn’t appear, FileVault is not enabled.)

  3. Press and hold the power button until your Mac powers down, then press it again to start it up.

  4. A Reset Password dialog appears (Figure 45). Select “I forgot my password” and click Next.

    Figure 45: The Reset Password utility, available only in recovery mode, offers help when you can’t log in.
  5. Enter and verify your new password, and add a hint if desired.

  6. Click Change Password and your Mac restarts.

  7. Log in with your account and new password.

Reset Password with FileVault Recovery Key

If the above option doesn’t work and you opted to keep your Recovery Key instead of escrowing it with your iCloud account, you can try this second option. Follow these steps using that key:

  1. Shut down your Mac via the login screen method and power it up.

  2. At the FileVault login screen, enter your password incorrectly three times, at which point macOS tells you that you can use your Recovery Key to reset your password. (If it doesn’t appear, FileVault isn’t turned on.)

  3. Click the arrow icon next to the password field. The field now says Recovery Key.

  4. Enter your Recovery Key, using all uppercase and including its dashes.

  5. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  6. Log in with your account and new password.

Reset Password from Recovery Mode

There’s also a command-line password reset utility available in recovery mode, which you can use without having to know the administrator password.

On an Intel-Based Mac:
  1. Restart your Mac or start it up, holding down ⌘-R.

  2. Choose Utilities > Terminal.

  3. Type resetpassword and press Return. This opens the utility shown in Figure 45.

  4. Select “My password doesn’t work when logging in” and click Next.

  5. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  6. Log in with your account and new password.

On an M-Series Mac:
  1. Choose Apple > Shut Down. When you see your Mac has powered down, hold down the power button until you see a prompt that says “Loading startup options.”

  2. Click Options.

  3. Click “Forgot all passwords?”

  4. Choose Utilities > Terminal.

  5. Type resetpassword and press Return. This opens the utility shown in Figure 45.

  6. Select “I forgot my password” and click Next.

  7. Create a new password as above: enter, verify, and add a hint. Click Reset Password. Your Mac restarts.

  8. Log in with your account and new password.

Recover from a Lost Firmware Password

If you set a firmware password on an Intel Mac, as described in Firmware Password (Intel Macs), you have to keep that password extremely well stored, because it’s quite difficult to regain access to all the features of your Mac if you lose it.

Apple has tools that they can use in their Apple Stores and that they make available to third-party authorized service providers to reset this password. However, there’s a high bar:

  • You have to have an in-person meeting, problematic in pandemic times.

  • You must bring the Mac with you.

  • You must have the original invoice or purchase receipt for this Mac—in your name.

That’s right: if you are a subsequent owner, even if you have the original device’s purchase history and a document showing you bought it from that person, Apple may (and typically does) refuse to reset the password.
