iOS 11 Security Concern

[Feenician]

Just to be clear for my self.

There are two types of passcodes in the device. 6 pin and 4 pin. 6 pin is the same i see on the lock screen and in some settings. while 4 pin is only asked when i want to perform a major change to a device.
Are you being asked for 4 or 6 pin passcode?
Because that is where i always got confused with ios.

I’m not too sure what’s up with having 6 and 4 digit ones. The passcode you put in the lock screen is the device pin. That should be requested if you want to, say, change your fingerprints or do a reset of settings. You shouldn’t be asked for a different pin than that. If you want to change some iCloud things that should (in your setup, with no 2FA set up) ask you for your iCloud password, which I definitely hope isn’t a 4 digit code (if it is, change it!).

 

[dk001]

Works as the OP describes for me as well.

Same here.

 

[KGB7]

I’m not too sure what’s up with having 6 and 4 digit ones. The passcode you put in the lock screen is the device pin. That should be requested if you want to, say, change your fingerprints or do a reset of settings. You shouldn’t be asked for a different pin than that. If you want to change some iCloud things that should (in your setup, with no 2FA set up) ask you for your iCloud password, which I definitely hope isn’t a 4 digit code (if it is, change it!).

Example.
If i want to reset my device back to factory default, im asked for 6 pin code and a 4 pin code. There was point in time during initial setting i was asked to set up a 4 pin code. On both devices; iphone 6s plus and 2017 ipad.
Perhaps 2FA doesnt ask for both?

I had to go through same steps in ios 10.3.3.

 

[Feenician]

Example.
If i want to reset my device back to factory default, im asked for 6 pin code and a 4 pin code. There was point in time during initial setting i was asked to set up a 4 pin code. On both devices; iphone 6s plus and 2017 ipad.
Perhaps 2FA doesnt ask for both?

I had to go through same steps in ios 10.3.3.

And these are just pins you have memorized?

 

[KGB7]

And these are just pins you have memorized?

Pin #s that i have chosen, ios did not give me numbers to memorize.

 

[NoBoMac]

[Passcode] should be requested if you want to, say, change your fingerprints or do a reset of settings. You shouldn’t be asked for a different pin than that.

And this is what's going on with OP scenario.

With 2FA on, you need to enter the device passcode/password. Once past that screen, you now have the screen for new password.

Not really a security issue, imo. If a bad guy has got access to your AppleID, you are dead to begin with (eg. can lock your device, make it no longer trusted). With 2FA on, still need to enter device's passcode, just like fingerprint change: if you have that weak a passcode on the device that bad guy can guess, shame on you. So even if you leave your device lying around unlocked, bad guy still has a layer of security to get past. Locked device, you need the passcode or lift a finger print or trick the FaceID. And then back to having the passcode to enter on the first screen for password change.

 

[Chazzle]

Pin #s that i have chosen, ios did not give me numbers to memorize.

That is very odd. Can you post screenshots (obviously without divulging any private info) of the prompts you are given? I'm wondering if one of the is the iCloud Keychain passcode.

 

[Feenician]

Pin #s that i have chosen, ios did not give me numbers to memorize.

I honestly don’t understand what’s going on there then Maybe someone else can make sense of it.

 

[JerseyDoug]

Example.
If i want to reset my device back to factory default, im asked for 6 pin code and a 4 pin code. There was point in time during initial setting i was asked to set up a 4 pin code. On both devices; iphone 6s plus and 2017 ipad.
Perhaps 2FA doesnt ask for both?

I had to go through same steps in ios 10.3.3.

I have a 6 digit passcode. I've never been asked for a 4 digit pin.

 

[KGB7]

That is very odd. Can you post screenshots (obviously without divulging any private info) of the prompts you are given? I'm wondering if one of the is the iCloud Keychain passcode.

I honestly don’t understand what’s going on there then Maybe someone else can make sense of it.

Example.

Settings - General - Reset- Reset All Settings. Im asked for 6 pin and a 4 pin.

 

[Feenician]

Settings - General - reset- Reset All Setttings. Im asked for 6 pin and a 4 pin.



Example.

Settings - General - Reset- Reset All Settings. Im asked for 6 pin and a 4 pin.

I’m just asked for my passcode (a long password for me but your 6 pin) and then it would confirm and do it.

 

[KGB7]

I’m just asked for my passcode (a long password for me but your 6 pin) and then it would confirm and do it.

Dude, im honestly not trying to be a pain in the butt. But i had this security feature in ios 10.3.3. I had to wipe my ipad through itunes because i didnt remember my 4 pin pass code.

ill post a screenshot in a min. It doesnt show much.

 

[Feenician]

Dude, im honestly not trying to be a pain in the butt. But i had this security feature in ios 10.3.3. I had to wipe my ipad through itunes because i didnt remember my 4 pin pass code.

ill post a screenshot in a min. It doesnt show much.

Yeah no problem. Not sure I'll have the answers but no harm in looking

 

[KGB7]

Yeah no problem. Not sure I'll have the answers but no harm in looking

Screenshot from iPhone.

 

[Feenician]

Screenshot from iPhone.
View attachment 720181

Ah ha! Settings -> General -> Restrictions. Review those and if you don't have a good reason for them you can switch them off

 

[KGB7]

[doublepost=1506116461][/doublepost]

Ah ha! Settings -> General -> Restrictions. Review those and if you don't have a good reason for them you can switch them off

I like the 2FA 4 pin code, thats my 2FA.

This is posted from iPad.

 

[Feenician]

This is posted from iPad.
[doublepost=1506116461][/doublepost]

I like the 2FA 4 pin code, thats my 2FA.

If you want to leave it on it shouldn’t cause you any problems. I do recommend you set up actual 2FA on your Apple ID though. It’s your call

 

[KGB7]

If you want to leave it on it shouldn’t cause you any problems. I do recommend you set up actual 2FA on your Apple ID though. It’s your call

2FA doesnt play nice with Cydia Impactor. wink wink

And i dont store any peronal or financial info on my icloud to care for anyone if it gets hacked. My icloud password is solid.

 

[dialogos]

I also realised as another person mentioned here that not only I can change my Apple ID password with my passcode only but if I go to settings -> Name -> Password & Security -> Change Password , the system will only ask for my passcode once. If I type it in and click cancel , after that I can change my password with out being asked for passcode!

Funny thing is that after this test I had to give my iPad to my wife and she could literally change my apple ID password without any passcode asked!! Good that I trust her !!!!!

I tested this on two of my friends iPhones and they had the same issue.

I do think it's a huge concern. In this case as long as anybody can change the apple id with a passcode only why not having a passcode for apple ID password? What's the point to having strong passwords if a six digit number can change it?

 

[simonsi]

I also realised as another person mentioned here that not only I can change my Apple ID password with my passcode only but if I go to settings -> Name -> Password & Security -> Change Password , the system will only ask for my passcode once. If I type it in and click cancel , after that I can change my password with out being asked for passcode!

Funny thing is that after this test I had to give my iPad to my wife and she could literally change my apple ID password without any passcode asked!! Good that I trust her !!!!!

I tested this on two of my friends iPhones and they had the same issue.

I do think it's a huge concern. In this case as long as anybody can change the apple id with a passcode only why not having a passcode for apple ID password? What's the point to having strong passwords if a six digit number can change it?

Because your AppleID password can be attacked on the web - logging in from your trusted device is already 2 factor, it needs your passcode AND it is from a trusted device - its not ideal or how I would want it but it doesnt mean your AppleID password may as well be a 4 or 6 digit passcode...

 

[Feenician]

I also realised as another person mentioned here that not only I can change my Apple ID password with my passcode only but if I go to settings -> Name -> Password & Security -> Change Password , the system will only ask for my passcode once. If I type it in and click cancel , after that I can change my password with out being asked for passcode!

Funny thing is that after this test I had to give my iPad to my wife and she could literally change my apple ID password without any passcode asked!! Good that I trust her !!!!!

I tested this on two of my friends iPhones and they had the same issue.

I do think it's a huge concern. In this case as long as anybody can change the apple id with a passcode only why not having a passcode for apple ID password? What's the point to having strong passwords if a six digit number can change it?

That theoretical person would have to have another, secondary device signed in on your iCloud account. They would then have to be able to authenticate on that device by password\passcode, face or finger to approve the 2fa request. Honestly, if that’s the case, you’ve got big problems.

 

[dialogos]

That theoretical person would have to have another, secondary device signed in on your iCloud account. They would then have to be able to authenticate on that device by password\passcode, face or finger to approve the 2fa request. Honestly, if that’s the case, you’ve got big problems.

I don't think it's like that. Anybody who has my iPad passcode can just change my apple ID password without the need of another secondary device.

Let's assume this scenario.

A thief is watching you unlocking your iPhone with your 6 digit passcode. It's an assumption but it's real life and it can happen. That's why we have a strong apple password. Let's assume now he steals your iphone.

After that he can unlock your iphone, change your apple password easily with your passcode and on top of that he has on his hands your secondary device.

He can even remotely erase all your other devices just by going to find my iphone. Find my Iphone doesn't even require a secondary device. He can use it with your apple ID password which has already been changed.

 

[Feenician]

I don't think it's like that. Anybody who has my iPad passcode can just change my apple ID password without the need of another secondary device.

Let's assume this scenario.

A thief is watching you unlocking your iPhone with your 6 digit passcode. It's an assumption but it's real life and it can happen. That's why we have a strong apple password. Let's assume now he steals your iphone.

Not with 2FA Enabled. The clue is in the name 2 Factor. It’s not just a pin code. iOS will send a request to iCloud and iCloud will send a request to all other devices that first shows the location of the request, asks you to approve it, then gives you unique one-time code to input on the requesting device. Several of us did exactly that last night.

2FA = something you know (your pin or passcode) and something you have (another device, signed in on your account)

With that said, if you think you’ve found an issue, error or bypass for this please, for all our sakes, report it directly to Apple. They certain have made some mistakes in the past.

 

[dialogos]

Not with 2FA Enabled. The clue is in the name 2 Factor. It’s not just a pin code. iOS will send a request to iCloud and iCloud will send a request to all other devices that first shows the location of the request, asks you to approve it, then gives you unique one-time code to input on the requesting device. Several of us did exactly that last night.

2FA = something you know (your pin or passcode) and something you have (another device, signed in on your account)

With that said, if you think you’ve found an issue, error or bypass for this please, for all our sakes, report it directly to Apple. They certain have made some mistakes in the past.

I'm reporting it right away to Apple. Thank you very much for your time and help

 

[Feenician]

I'm reporting it right away to Apple. Thank you very much for your time and help

Thanks for helping us all out.