Account recovery contact security
Users can add up to five people they trust as account recovery contacts to help them recover their iCloud account and data, including all of their end-to-end encrypted data, whether or not they have turned on Advanced Data Protection. Neither Apple nor the recovery contact has the necessary information individually to recover the user’s end-to-end encrypted iCloud data.
Recovery Contact is designed with user privacy in mind. A user’s chosen recovery contacts aren’t known to Apple. Apple servers only learn information about a recovery contact late in the course of a recovery attempt after the user asks the contact for help and their contact begins actually assisting with the recovery. That information isn’t retained after the recovery completes.
Recovery contact security process
When a user sets up an Account Recovery Contact, the key to access the user’s iCloud data — including end-to-end encrypted CloudKit data — is encrypted with a strong random key. This random key is then split between the recovery contact and Apple. At recovery time, the original key can be recovered and the user’s iCloud data accessed only when the two key shares are recombined.
To set up an Account Recovery Contact, the user’s device communicates with Apple servers to upload the share of the keying information Apple will hold. It then establishes an end-to-end encrypted CloudKit container with the recovery contact to share the portion the recovery contact needs. Both Apple and the recovery contact also receive the same authorisation secret from the user, which is needed later for recovery. The communication to invite and accept recovery contacts takes place through a mutually authenticated IDS channel. The recovery contact automatically stores the received information in their iCloud Keychain. Apple can access neither the contents of the CloudKit container nor the iCloud Keychain that stores this information. When the sharing is performed, Apple servers view only an anonymous ID for the recovery contact.
Later, when a user needs to recover their account and iCloud data, they can request help from their recovery contact. At that time, a recovery code is generated by the recovery contact’s device, which the recovery contact then provides to the user out of band (for example in person or over a phone call). The user then enters the recovery code on their device to establish a secure connection between devices using the SPAKE2+ protocol, whose contents aren’t accessible to Apple. This interaction is orchestrated by Apple servers, but Apple can’t initiate the recovery process.
After the secure connection is established and all required security checks are completed, the recovery contact’s device returns their portion of the keying information and the previously established authorisation secret back to the user requesting recovery. The user presents this authorisation secret to an Apple server, which grants access to the keying information Apple is keeping. Providing the authorisation secret also authorises the account password reset to restore account access.
Finally, the user’s device recombines the keying information received from Apple and the Account Recovery Contact, and then uses it to decrypt and recover their iCloud data.
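The split-key flow above, reduced to a runnable model. This is an added illustration, not Apple's code: it assumes a 2-of-2 XOR secret split of the random key and a one-time-pad wrap of the data key (Apple does not document the concrete scheme), and it models the SPAKE2+ session simply as the contact's record being available to the user's device.

```python
import hmac
import os

KEY_LEN = 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def setup_recovery_contact(data_key: bytes) -> dict:
    """Enrolment: wrap the iCloud data key under a fresh random key, then split
    that random key into two shares (assumed 2-of-2 XOR sharing for this demo).
    Each share alone is uniformly random and reveals nothing about the key."""
    random_key = os.urandom(KEY_LEN)
    wrapped_key = xor_bytes(data_key, random_key)   # toy one-time-pad wrap
    contact_share = os.urandom(KEY_LEN)
    apple_share = xor_bytes(random_key, contact_share)
    auth_secret = os.urandom(KEY_LEN)               # same secret goes to both parties
    return {
        "wrapped_key": wrapped_key,                 # kept with the user's iCloud data
        "apple": {"share": apple_share, "auth_secret": auth_secret},
        "contact": {"share": contact_share, "auth_secret": auth_secret},
    }


def apple_release_share(apple_record: dict, presented_secret: bytes):
    """Apple server: hand out its share only to a holder of the authorisation
    secret, compared in constant time; otherwise release nothing."""
    if not hmac.compare_digest(apple_record["auth_secret"], presented_secret):
        return None
    return apple_record["share"]


def recover_data_key(wrapped_key: bytes, contact_record: dict, apple_record: dict):
    """User's device after the recovery session: the contact's share and the
    authorisation secret arrive; the secret unlocks Apple's share; the two
    shares recombine into the random key, which unwraps the data key."""
    apple_share = apple_release_share(apple_record, contact_record["auth_secret"])
    if apple_share is None:
        return None
    random_key = xor_bytes(contact_record["share"], apple_share)
    return xor_bytes(wrapped_key, random_key)
```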
There are safeguards in place to prevent a recovery contact from initiating recovery without the user’s consent, which include a liveness check on the user’s account. If the account is in active use, recovery using a recovery contact also requires knowledge of a recent device passcode or the iCloud Security Code.