Recent 'MFA Bombing' Attacks Targeting Apple Users

Apple’s MFA and Account Recovery Design

  • Many criticize Apple’s security key support: you can’t reliably disable all other 2FA paths, and trusted devices can still be used in some flows.
  • Security keys are treated similarly to trusted devices; a trusted device can remove a key, so keys can expand rather than shrink the attack surface.
  • Push-based MFA and password-reset prompts can be spammed; watch “quiet”/focus modes don’t always suppress them, raising both annoyance and fat‑finger risk.

Recovery Keys, Lockout Risk, and Backups

  • Recovery keys and Advanced Data Protection are seen as strong defenses and a way to prevent Apple (or coerced Apple) from accessing data.
  • Big concern: lose the recovery key and all trusted devices and you’re permanently locked out.
  • Users propose various backup schemes: paper copies in safes or safe deposit boxes, geographically separated stashes, encrypted files, secret-sharing, or trusted recovery contacts.
  • Debate over whether this is acceptable self‑custody risk or too harsh for typical users.

How the Attack Actually Works

  • Clarified by commenters: tapping “Allow” on the reset prompt does not directly hand the account to attackers; it lets the user reset on their own device, often via a code shown locally.
  • Attackers then call with spoofed Apple Support numbers and try to socially engineer the code or new password.
  • Some criticize the original article for implying that an accidental tap alone could compromise the account; later edits added nuance.

Rate Limiting and UX Defenses

  • Many are surprised Apple allows rapid, repeated reset attempts and unbounded push prompts.
  • Suggested mitigations: exponential backoff, OS‑level suppression, “bombed mode” with extra confirmation, or blocking obviously abusive flows.
  • Others warn strict per‑user rate limits can be turned into denial‑of‑service against account recovery.

Phone Numbers, SMS, and Identity

  • Strong sentiment that phone numbers and SMS are poor as identifiers and 2FA: public, SIM‑swappable, and now often central to digital identity.
  • Counterpoint: in some financial settings, SMS attacks were rarely observed compared to phishing and password reuse; device loss complicates stronger factors for the mass market.

Broader Themes

  • Push MFA is widely disliked; many prefer entering codes.
  • Hardware tokens (YubiKeys/HSMs) are advocated by some, but others see cost/complexity and limited benefit if trusted devices remain.
  • Underlying frustration: trillion‑dollar companies ship easily abusable flows, and users are expected to carry the security burden amid a constant background of digital crime.