Apple’s standard data security practices, coupled with its new ultra-secure protection option, pose some risks if you forget your Apple ID password. Here’s what to do if that happens.
It could happen to any of us at some point: you get confused about which password goes with what and enter the wrong one for your Apple ID too many times, or someone else is trying to log into your Apple ID account. Suddenly you can’t access Apple’s myriad services or your iCloud data, and you’re not sure what to do.
For most users, the fix is pretty simple:
- On another device, go to the website https://iforgot.apple.com
- Enter your Apple ID email address.
- You will be asked to check your other devices for a verification code in the form of a text message or email.
- Enter the verification code on the website.
- Now you can enter a new unique Apple ID password and confirm it.
Apple will then text you a six-digit recovery code to your previously verified mobile number. It doesn’t need to be an iPhone or Android phone, but it does need to be able to receive SMS text messages.
Depending on the preference you chose when setting up your Apple ID account, Apple may email you the code instead. If you’ve accidentally chosen your Apple email account — @icloud.com, @me.com, or @mac.com — as your recovery email, this obviously won’t work and you’ll need to contact Apple directly for further assistance.
For those who chose a “landline” home phone or non-mobile number to receive the code when setting up their Apple ID, Apple will (as of this writing) continue to call and a robotic voice will tell you the recovery code. Apple is one of the last major tech companies to continue offering this method, and this service may disappear in the years to come, so be sure to update the method by which you’d like to receive any future recovery codes once your account is restored.
Once your new password is confirmed, you’ll need to sign back in on all your devices to re-enable Apple and iCloud services. As an integral part of the iCloud service, Apple encrypts approximately 14 categories of user data both in transit and at rest; this is now referred to as Standard Data Protection.
Some items under Standard Data Protection are fully end-to-end encrypted (E2EE), which means that Apple doesn’t have the ability to decrypt them—only authenticated users with trusted devices can. Health data, passwords stored in iCloud Keychain, payment information, and destinations in Apple Maps are examples of iCloud user data that Apple cannot access.
A new level: advanced data protection
With the release of iOS 16.2, iPadOS 16.2 and macOS Ventura 13.1, Apple has added a new option for users: an extra layer of security for data stored in iCloud called Advanced Data Protection (ADP). ADP end-to-end encrypts more of the data that users sync or store in iCloud and, more importantly, makes the user and their trusted devices, rather than Apple, responsible for holding the decryption keys.
We’ve already written about choosing this option and some of the caveats that come with it. ADP is intended as an optional feature for those who think they have data stored or backed up on iCloud which makes them a target for surveillance or hacking.
If you turn on ADP, your iCloud backups, along with other categories of stored data, become end-to-end encrypted, with decryption keys that only you control. Because they need to interoperate with other systems, iCloud Mail, your contacts and your calendars are not part of Advanced Data Protection.
These items are still encrypted both “in transit” over the Internet and while “at rest” on iCloud servers, but Apple keeps those decryption keys for compatibility reasons.
Some of the key concepts behind Advanced Data Protection were introduced in 2020 with the iCloud data recovery service. It debuted the idea of a recovery contact, a trusted person other than yourself who could help you recover your Apple ID, and it also offered the option of setting up a recovery key that Apple doesn’t have access to.
Starting with iOS 16.3, Apple has also added support for third-party physical security keys, which look like USB sticks and allow users to verify themselves, skipping the usual “verification code” step. For ADP recovery, Apple requires users to have two security keys, one presumably kept in a safe place, to avoid being permanently locked out if a key is lost or malfunctions.
It’s also worth noting that turning on ADP makes collaboration features in many Apple apps more difficult or problematic. By default, accessing iCloud.com through a web browser is disabled when ADP is turned on. Users can authorize a one-hour window of iCloud.com access from a trusted device, and that access is temporarily available only to that trusted device.
Collaboration features in areas like Shared Notes, Shared iCloud Photo Library, or Shared Reminders won’t work if you have ADP turned on unless all your collaborators also have ADP turned on, according to Apple. Albums shared in Photos are not eligible for ADP protection and instead use standard data protection.
Similarly, collaboration features in iWork apps like Pages, Numbers, and Keynote don’t support Advanced Data Protection. When a user opens a shared document in those apps or from an iCloud shared folder, the encryption keys for that document are sent to Apple’s servers to coordinate document changes among participants.
There’s yet another caveat: activating ADP means committing to keeping all your Apple devices — iPhone, iPad, Apple TV, Mac, and Apple Watch — fully up to date. If you have devices that can’t be upgraded to version 16.2 or later, they can’t be used to help you recover from a lockout.
Greater protection, but also greater risk
If you feel that you are now, or may someday be, at risk of losing or forgetting the two most important passwords you have as an Apple device user — your device passcode and your Apple ID password — you might want to avoid turning on Advanced Data Protection. The biggest risk is that if you lose access to your fallback verification methods, Apple can’t help you get back in; it’s possible to be permanently locked out of your account.
Of course, Apple doesn’t want that to happen, but the fundamental idea behind ADP is that in exchange for this additional encryption, Apple will no longer have the ability to decrypt protected data, even if served with a warrant. When setting up ADP, Apple may generate a unique 28-character recovery key that users can store, and it also encourages users to designate others they trust as contacts for account recovery.
However, both of these methods could fail over time: a recovery contact changes their contact information, for example, or you can’t find your recovery key record. Trying to change your Apple ID password in the usual way described above won’t work if ADP is turned on.
For this reason, Apple requires users using ADP to set up at least one alternate recovery method and encourages users to list multiple recovery contacts. Users should also keep at least one printed copy of the “recovery key” in a safe, disaster-proof location, such as a bank safe.
In our testing, you’ll want to set up at least one recovery contact before also choosing to get a recovery key. As is the case throughout the process, Apple will repeatedly warn you of the importance of keeping your recovery contacts up to date and not losing your recovery key.
When setting up a recovery key, the generated key will be shown to you with an option to print it, then you will be prompted to verify the key by pasting or typing it. Once the recovery key method is up and running, you can go back and add more recovery contacts as well if you like.
Recover your Apple ID under ADP
With ADP configured and active, your devices should continue to function as usual, with users logging in using a passcode (iPhone, iPad) or password (Mac) on their trusted devices. Periodically, or when you log into the App Store to make a purchase, even if the item is free, you’ll need to confirm your Apple ID password as you have done in the past, and everything should go as expected.
However, if you repeatedly mistype or forget your Apple ID password, your recovery process will be significantly different from the one described above for those who don’t have ADP turned on. Apple has not yet detailed the complete ADP reset procedure, but it is similar to the procedure used by the iCloud data recovery service.
If you are unable to enter your Apple ID password correctly and the account is locked, the recovery web page will first ask if you want to recover your account by entering the recovery key you created earlier. This is why Apple encourages users to print and securely store the recovery key.
It is important, if you choose this route, to enter the 28-character key very carefully. It’s currently unknown how many attempts you’ll have to enter the key correctly, but it won’t be many and could be as few as a single attempt.
If this method fails, you will be offered a choice among the recovery contacts you previously designated. The person you select will receive a text message or email from Apple with a verification code that they will need to pass on to you shortly afterwards.
You’ll then enter the verification code they give you, after which you’ll be taken to the usual Apple ID password reset page, where you’ll create and confirm a new, secure Apple ID password. As usual, all of your other devices will need to sign back into your Apple ID using the new password.
Once this is done, the E2EE data stored in iCloud will once again be accessible and decrypted on demand by your devices as before. Remember to periodically review and update your recovery contacts’ information to ensure that Apple can reach them if you ever need them.