Account recovery contact security
Users can add up to five people they trust as account recovery contacts to help them recover their iCloud account and data, including all of their end-to-end encrypted data, whether or not they have turned on Advanced Data Protection. Neither Apple nor the recovery contact has the necessary information individually to recover the user’s end-to-end encrypted iCloud data.
Recovery Contact is designed with user privacy in mind. A user’s chosen recovery contacts aren’t known to Apple. Apple servers learn information about a recovery contact only late in the course of a recovery attempt, after the user asks the contact for help and the contact actually begins assisting with the recovery. That information isn’t retained after the recovery completes.
Recovery contact security process
When a user sets up an Account Recovery Contact, a key associated with that contact is generated. This key protects access to the user’s iCloud data—including end-to-end encrypted CloudKit Data. Next, a random 256-bit AES key is generated and used to encrypt the Recovery Contact key to create a Recovery Contact Packet. The encrypted packet is sent to the Recovery Contact for safekeeping, and the random AES key is stored with Apple. Neither the AES key nor the packet provides any information about the underlying key by itself. At recovery time, after the user’s device successfully obtains both the Recovery Contact Packet from their Recovery Contact and the AES key from Apple, it can combine the two to recover the original key and access the user’s iCloud data.
To set up an Account Recovery Contact, the user’s device communicates with Apple servers to upload the share of the keying information Apple will hold (the AES key mentioned above). It then establishes an end-to-end encrypted CloudKit container with the recovery contact to share the portion the recovery contact needs (the Recovery Contact Packet encrypted using the AES key). An authorization secret, created by Apple, is also shared with the recovery contact. This will later be used to recover the account and to reset the password on the account. The communication to invite and accept recovery contacts takes place through a mutually authenticated IDS channel. The recovery contact automatically stores the received information in their iCloud Keychain. Apple can’t access the contents of the CloudKit container or the iCloud Keychain that stores this information. When the sharing is performed, Apple servers see only an anonymous ID for the recovery contact.
Later, when a user needs to recover their account and iCloud data, they can request help from their recovery contact. At that time a recovery code is generated by the recovery contact’s device, which the recovery contact then provides to the user out of band (for example in person or over a phone call). The user then enters the recovery code on their device to establish a secure connection between the two devices using the SPAKE2+ protocol; the contents of that connection aren’t accessible to Apple. This interaction is orchestrated by Apple servers, but Apple can’t initiate the recovery process.
After the secure connection is established and all required security checks are completed, the recovery contact’s device returns its portion of the keying information and the previously established authorization secret to the user requesting recovery. The user presents this authorization secret to an Apple server, which then grants access to the keying information Apple is keeping. Presenting the authorization secret also authorizes the account password reset that restores account access.
Finally, the user’s device recombines the keying information received from Apple and the Account Recovery Contact, and then uses it to decrypt and recover their iCloud data.
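The split-key flow described above, setup through recombination, as an added worked example. This is illustrative code written for this page, not Apple’s implementation: the Recovery Contact key, the random 256-bit key, the Recovery Contact Packet and the authorization secret are all modelled, but the IDS channel, the CloudKit container, the iCloud Keychain and the SPAKE2+ session are assumed to have already delivered each share to the right party and are not implemented. Because the Python standard library has no AES, the packet is sealed with an HMAC-SHA256 counter-mode keystream plus an HMAC tag as a stand-in for AES authenticated encryption (a hypothetical construction chosen for runnability, not the one Apple uses); the property demonstrated, that neither share alone yields the underlying key and that Apple releases its share only against the authorization secret, does not depend on that choice.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC subkeys from the 256-bit key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for AES-CTR (hypothetical, not Apple's construction).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_packet(aes_key: bytes, recovery_contact_key: bytes) -> bytes:
    # Encrypt the Recovery Contact key under the random key -> Recovery Contact Packet.
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(aes_key, b"enc"), nonce, len(recovery_contact_key))
    ct = bytes(a ^ b for a, b in zip(recovery_contact_key, ks))
    tag = hmac.new(_subkey(aes_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_packet(aes_key: bytes, packet: bytes) -> bytes:
    # Verify the tag first, then decrypt; a wrong key never yields plaintext.
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(_subkey(aes_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("packet authentication failed")
    ks = _keystream(_subkey(aes_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass
class AppleServer:
    # Apple's share: the random AES key and the authorization secret it created.
    # It never sees the Recovery Contact key or the packet.
    aes_key: bytes = b""
    authorization_secret: bytes = b""

    def release_aes_key(self, presented_secret: bytes) -> bytes:
        # The server hands over its share only against the authorization secret.
        if not hmac.compare_digest(presented_secret, self.authorization_secret):
            raise PermissionError("authorization secret rejected")
        return self.aes_key


@dataclass
class RecoveryContact:
    # The contact's share, as it would sit in their iCloud Keychain.
    packet: bytes = b""
    authorization_secret: bytes = b""


def setup_recovery_contact(server: AppleServer, contact: RecoveryContact) -> bytes:
    """User device: generate the keys, split them, and hand each party its share.
    Returns the Recovery Contact key so a caller can check recovery reproduces it."""
    recovery_contact_key = secrets.token_bytes(32)   # protects the user's iCloud data
    aes_key = secrets.token_bytes(32)                # random 256-bit key
    packet = seal_packet(aes_key, recovery_contact_key)
    authorization_secret = secrets.token_bytes(32)   # created by Apple in the real flow
    server.aes_key = aes_key
    server.authorization_secret = authorization_secret
    contact.packet = packet
    contact.authorization_secret = authorization_secret
    return recovery_contact_key


def recover(server: AppleServer, contact: RecoveryContact) -> bytes:
    """User device, after the SPAKE2+ session (assumed already completed) has delivered the
    contact's packet and authorization secret: present the secret to Apple, fetch the AES key,
    and recombine the two shares into the original Recovery Contact key."""
    aes_key = server.release_aes_key(contact.authorization_secret)
    return open_packet(aes_key, contact.packet)


def demo() -> bool:
    server, contact = AppleServer(), RecoveryContact()
    original = setup_recovery_contact(server, contact)
    recovered = recover(server, contact)
    # Apple's share alone: a random 32-byte key, unrelated to the underlying key.
    apple_alone_useless = server.aes_key != original
    # Contact's share alone: the packet can't be opened without the key Apple holds.
    try:
        open_packet(secrets.token_bytes(32), contact.packet)
        contact_alone_useless = False
    except ValueError:
        contact_alone_useless = True
    return recovered == original and apple_alone_useless and contact_alone_useless


if __name__ == "__main__":
    print("recovery flow behaves as described:", demo())
```

The two refusal paths are the ones worth watching in a real deployment: the server rejects a wrong authorization secret before releasing anything, and the packet's authentication tag fails before any plaintext is produced, so a party holding only one share learns nothing about the key that protects the user's data.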
Safeguards are in place to prevent a recovery contact from initiating recovery without the user’s consent, including a liveness check on the user’s account. If the account is in active use, recovery using a Recovery Contact also requires knowledge of a recent device passcode or the iCloud Security Code.