Recent 'MFA Bombing' Attacks Targeting Apple Users
Apple’s MFA and Account Recovery Design
- Many criticize Apple’s security key support: you can’t reliably disable all other 2FA paths, and trusted devices can still be used in some flows.
- Security keys are treated similarly to trusted devices; a trusted device can remove a key, so keys can expand rather than shrink the attack surface.
- Push-based MFA and password-reset prompts can be spammed; watch “quiet”/focus modes don’t always suppress them, raising both annoyance and fat‑finger risk.
Recovery Keys, Lockout Risk, and Backups
- Recovery keys and Advanced Data Protection are seen as strong defenses and a way to prevent Apple (or coerced Apple) from accessing data.
- Big concern: lose the recovery key and all trusted devices and you’re permanently locked out.
- Users propose various backup schemes: paper copies in safes or safe deposit boxes, geographically separated stashes, encrypted files, secret-sharing, or trusted recovery contacts.
- Debate over whether this is acceptable self‑custody risk or too harsh for typical users.
How the Attack Actually Works
- Clarified by commenters: tapping “Allow” on the reset prompt does not directly hand the account to attackers; it lets the user reset on their own device, often via a code shown locally.
- Attackers then call with spoofed Apple Support numbers and try to socially engineer the code or new password.
- Some criticize the original article for implying that an accidental tap alone could compromise the account; later edits added nuance.
Rate Limiting and UX Defenses
- Many are surprised Apple allows rapid, repeated reset attempts and unbounded push prompts.
- Suggested mitigations: exponential backoff, OS‑level suppression, “bombed mode” with extra confirmation, or blocking obviously abusive flows.
- Others warn strict per‑user rate limits can be turned into denial‑of‑service against account recovery.
Phone Numbers, SMS, and Identity
- Strong sentiment that phone numbers and SMS are poor as identifiers and 2FA: public, SIM‑swappable, and now often central to digital identity.
- Counterpoint: in some financial settings, SMS attacks were rarely observed compared to phishing and password reuse; device loss complicates stronger factors for the mass market.
Broader Themes
- Push MFA is widely disliked; many prefer entering codes.
- Hardware tokens (YubiKeys/HSMs) are advocated by some, but others see cost/complexity and limited benefit if trusted devices remain.
- Underlying frustration: trillion‑dollar companies ship easily abusable flows, and users are expected to carry the security burden amid a constant background of digital crime.