This is the idea that Apple protected by a patent. The basic idea is that a familiar peripheral could serve as a vault for the recovery process of lost credentials.
Claim 1: A method of storing a password recovery secret on a power adapter, the method comprising:
- receiving a password recovery secret associated with a computing device at an electrical power adapter via an interface with the computing device; and
- storing the password recovery secret on a memory in the electrical power.
The peripheral would store the memorized password encrypted with an identifier unique to the main device. This means that there is a pairing between the device and the peripheral. In other words, it is useless to steal the peripheral in an attempt to extract the stored password. The claims specifically cite an electrical power adapter and a non-transitory computer-readable storage medium.
To recover the lost password, you have to start a recovery procedure. The recovery procedure returns the encrypted password, which can be decrypted only if it is recovered by the proper device. The secret can also be shared between the peripheral and a remote server.
You may already have spotted the tricky part of the game: how do you trigger the recovery procedure? The patent does not tackle this issue. If Alice is able to trigger it only because she has access to both the laptop and the power adapter, then of course it is game over: steal both of them, and you can get access to the computer by recovering the secret and changing the password. It would make the system even weaker than before. If Alice needs a secret to trigger it, then we’re back to the starting point. The likelihood that she forgot this recovery secret is even higher than that of forgetting the day-to-day password! By the way, this is always one of the difficult parts of every recovery system.
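The pairing described above, and why a trigger based on possession alone protects nothing, as an added sketch that is not from the patent or from this post. It assumes the wrapping key is derived solely from a device identifier and uses HMAC-SHA256 in counter mode with encrypt-then-MAC as a standard-library stand-in for an AEAD cipher; all function names and identifiers are hypothetical.

```python
import hashlib, hmac, os

class WrongDevice(Exception):
    """Raised when the blob's tag does not verify under this device's key."""

def _keys(device_id: bytes, salt: bytes):
    # Assumption: the wrapping key depends only on the device-unique ID.
    okm = hashlib.pbkdf2_hmac("sha256", device_id, salt, 100_000, dklen=64)
    return okm[:32], okm[32:]  # (encryption key, MAC key)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap_for_adapter(device_id: bytes, secret: bytes) -> bytes:
    """Device side: build the blob the adapter stores (salt|nonce|ct|tag)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(device_id, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def recover_on_device(device_id: bytes, blob: bytes) -> bytes:
    """Device side: unwrap a blob returned by the adapter's recovery procedure."""
    if len(blob) < 64:
        raise WrongDevice("blob too short")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(device_id, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise WrongDevice("blob is not paired with this device")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    # Constructed identifiers, not real serial numbers.
    laptop, other = b"SERIAL-CONSTRUCTED-0001", b"SERIAL-CONSTRUCTED-0002"
    blob = wrap_for_adapter(laptop, b"recovery-secret")  # what the adapter holds
    # No user secret is involved: holding laptop and adapter is sufficient.
    print(recover_on_device(laptop, blob))
    try:
        recover_on_device(other, blob)
    except WrongDevice as exc:
        print("other device:", exc)
```

Nothing in `recover_on_device` depends on something the user knows, which is the gap the paragraph above points at: the adapter alone yields only ciphertext, but the adapter together with its paired device yields the secret.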
Will we see that in one of the next MacBook generations?