You may recall my previous post about Apple’s two-step verification and how I reluctantly disabled it for a long trip outside the US. Now I find out that the government of Australia came to the same conclusion. Only one of us seems to be troubled by it, however.

Australian government tells citizens to turn off two-factor authentication
When going abroad, turn off additional security. What could possibly go wrong?

I’m not going to get into any conspiracy theories about why the Australian government might wish to discourage the use of better authentication methods. If they wanted to get into someone’s government services account, I presume they have other ways to do it than hope they can guess at their lousy password.

But putting out the suggestion that two factor auth is something maybe not so important? There’s the real offense. “Go ahead and enjoy your holiday, don’t bother your pretty little head about that complicated security thing.”

Yes, the problems of handling two factor auth when swapping SIMs are a concern. A concern for the people who design these systems that are complex and cumbersome to use and seem to forget that real people don’t conveniently stay put all the time. But how about we talk about that instead of discouraging people from using them?

I wish I could make a joke and say this is some new country music dance I’ve invented. But authorization problems are not very funny, particularly when it’s with something that is supposed to be helping me.

I’m going out of the country for a while, so in addition to the usual figuring out how to fit 10 pounds of travel gear in a 5 pound suitcase, I’m preparing my digital equipment as well. It started off simply enough, making sure I have the latest operating systems on all my devices. (Well, not really, but I’ll spare you the tedious Genius Bar conversations.)

The real problem is with my Apple ID and Apple’s two-step verification.

I have been using two-step verification, what the security world calls two-factor authentication, which means when I do certain things involving logging in with my Apple ID, I have to enter a code that is sent to my phone. That’s all well and good, to make sure the person logging in is actually me.

But what happens when you don’t have that phone? Or, relevant to my situation, when you’ve replaced your usual SIM with one you’ve bought in another country? Suddenly you can’t get those messages anymore, and you aren’t allowed to do whatever it was you were trying to do.

In theory, I could just register my other SIM as a “new device.” But to do that you need to have access to both devices at the same time: the old one to log in to your account and make changes, and the new one to authorize it. But I don’t know what my phone number will be when I get there (my SIM from the last trip might have expired), so I can’t do it before I leave. And my home SIM may or may not work (or be hideously expensive to use) in my destination country. And in either case, since it’s only one physical phone, I can’t have both of them active at the same time. I have other devices, but this process requires one that can receive SMS, and the wifi-only devices can’t.

Because of all this, I decided to disable two-step verification while I’m away.

Hugely Important Reminder: you should make any updates to your Apple ID before you leave, while you still have access to your regular phone number.

So I log in and disable two-step verification. Now that I’m not using it, I’m required to set security questions for my account. Security questions are horrible, and the way they are used makes your account less secure, not more. (Here’s an article about that: Study: password resetting ‘security questions’ easily guessed.) But this is what Apple requires, so here I am making up yet more passwords that I have to remember.

I pick the set of questions I’m going to answer, open up my trusty password manager, and generate a bunch of random text strings like I do for passwords. I copy the first string and paste it into the appropriate field. I copy the second string, but when I switch back to the browser, it resets what I just put in for the first one. This means that I have to actually type each security question answer. That is a recipe for fail if I manage to mess up the complicated string I’ve just generated. So it’s back to using real words that I can (usually) get correct the first time.

If you want to know why I don’t like to do this, you can read this on Wikipedia about a particular type of password cracking: Dictionary attack.

I then compose a phrase for each question and save those in my password manager. I go to type it into the form and I can’t, because it’s too long. The answer field is size limited, so my carefully crafted phrases are useless. I have to come up with shorter (less secure) phrases that I can type without errors, and they must be unique. I make one, and then start sticking numbers in it for each question. Of course, I can’t do anything helpful like include information about the individual question, because that reduces the randomness. In a short string particularly, if any part of it is less random, that severely reduces its password strength.
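To put numbers on the trade-offs described above (random string versus word phrase, a size-limited field, and one base phrase reused with a per-question number), here is an added estimator that is not part of the original post. It assumes a 94-symbol printable alphabet for generated strings and a 20,000-word dictionary as the attacker's word list; both are constructed assumptions, not figures from the post or from Apple.

```python
import math
import secrets
import string

# Constructed assumptions for the estimate (not figures from the post):
# a 94-symbol printable alphabet for generated strings, and a word list of
# 20,000 common words as the attacker's dictionary.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
DICTIONARY_WORDS = 20_000
COUNTER_CHOICES = 10  # one digit appended per question, e.g. "...1", "...2"


def entropy_bits(choices: int, draws: int) -> float:
    """Entropy of `draws` independent uniform choices among `choices` options."""
    return draws * math.log2(choices)


def random_string_bits(length: int) -> float:
    """Strength of a generator string of `length` characters from PRINTABLE."""
    return entropy_bits(len(PRINTABLE), length)


def word_phrase_bits(words: int) -> float:
    """Strength of a phrase of `words` words drawn uniformly from the dictionary.
    Against a dictionary attack the unit of guessing is the word, not the letter."""
    return entropy_bits(DICTIONARY_WORDS, words)


def shared_base_extra_bits() -> float:
    """Extra work to find the next answer once one 'base phrase + number' answer
    is known: only the appended counter remains unknown."""
    return entropy_bits(COUNTER_CHOICES, 1)


def generate_random_answer(length: int) -> str:
    """Generate an answer the way a password manager would (uniform, CSPRNG)."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def fits_field(answer: str, max_len: int) -> bool:
    """Whether an answer survives a size-limited form field without truncation."""
    return len(answer) <= max_len


def compare_strategies(max_len: int, phrase_words: int = 4, avg_word_len: int = 6) -> dict:
    """Bits of strength for each strategy under a field limit of `max_len` characters.

    A phrase of `phrase_words` words separated by spaces is assumed to need
    phrase_words * (avg_word_len + 1) - 1 characters. If it does not fit, the
    phrase is shortened to the number of whole words that do fit, and the
    strength is that of the shortened phrase, not the one originally chosen.
    """
    phrase_len = phrase_words * (avg_word_len + 1) - 1
    words_that_fit = min(phrase_words, (max_len + 1) // (avg_word_len + 1))
    return {
        "random_string": random_string_bits(max_len),
        "phrase_requested": word_phrase_bits(phrase_words),
        "phrase_fits": fits_field("x" * phrase_len, max_len),
        "phrase_after_limit": word_phrase_bits(words_that_fit),
        "base_plus_counter_extra": shared_base_extra_bits(),
    }


if __name__ == "__main__":
    answer = generate_random_answer(20)
    print(f"random answer: {answer!r}, {random_string_bits(20):.1f} bits")
    for limit in (16, 32):
        print(limit, compare_strategies(limit))
```

With a 16-character limit a four-word phrase is cut to two words and drops from about 57 bits to about 29, while a 16-character random string of the same length keeps about 105 bits; and once one "base phrase + digit" answer is known, each remaining answer is only about 3.3 bits away. The dictionary size is the knob to adjust if you want to model a larger or smaller attacker word list.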

Now I decide to set a recovery email, which Apple will use to notify you of authentication matters regarding your Apple ID. It’s a good idea, because if somehow you lose access to your primary email you can check a different account and get the alerts. I make up a new email address (because I can do that) and save everything.

I’m not really done, because I haven’t responded to the recovery email verification message, but I’ll get to that in a minute. Now I get to repeat the process for my second Apple ID. (FYI: very not recommended, it has been nothing but problems and I wish I hadn’t been forced to.)

I get through everything for my second Apple ID, and go to set the recovery email. I use the same email address that I created earlier, which it happily accepts. Now I go look at the emails generated by this process: most are confirmations, but the ones about the recovery email need to have the address verified. Ok, fine.

First ID recovery email: go to the link in the message, type in Apple ID number one, and it says that email address can’t be used. What?? So now they tell me that I can’t use the same recovery email for multiple accounts. And because of this, I can’t verify it. I have to go back and log in as each ID (answering the security questions which, thankfully, can indeed be pasted from the password manager) and change the recovery email addresses to something else. Yet another thing that has to be saved in my password manager, in such a way that I don’t later confuse them between the two accounts.

NOW finally I’ve disabled two-step verification. I have six new unique passphrases and two new email addresses to keep track of, and my accounts are less secure than before. Win?