
mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
I think you're discussing a different issue? If I pick up my (work) Pixel and go to change the pw to my Google account, I need my Google pw to do it. If I select Forgot my Pw, and go into Account Recovery, it requires my actual fingerprint on the screen lock (not the device passcode), or other recovery options that the thief may not have access to (i.e., a non-Gmail email address).

Meanwhile, on my iPhone, I can change my Apple ID pw simply by entering the device passkey.
I actually think you've got the wrong end of the stick here because you are likely talking about two different security methods (passwords vs passkeys).

Let's assume your iPhone is set up as a passkey for your Google account (as well as your Apple account).

To reset your Google password from your iPhone you would navigate to the Google website, log in by authenticating with your device biometrics or passcode, then change the Google account password. At no point in changing that password is anything other than the iPhone passcode (or biometrics) needed.

The process is the same for changing your Apple ID password (except you can do it on device rather than navigating to a website).

This is how passkeys work. Your trusted device (the physical iPhone, iPad etc.) is the 1st factor, the passcode (or biometrics) is the 2nd factor. That's in comparison to the traditional password method, which is password (1st factor) and 2FA code (2nd factor).
 
Last edited:

LuisNeto

macrumors member
Original poster
Jun 6, 2023
46
39
This is how passkeys work.
If that's the case, I'll say that just because passkeys are designed to work that way, it doesn't mean that it's enough security.
I don't care if that's how passkeys are designed to work.

The important thing is that the problem is there: iPhone owners are getting their phones stolen and they are getting locked out of their accounts by the thieves.
Saying that it's just the way it's designed so that everything is fine is not something I can agree with.

As I wrote multiple times by now, at the very least Apple should give people the option to choose whether they want to allow it to work like this or not.
I certainly would not allow it.
 
  • Like
Reactions: chrfr

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
If that's the case, I'll say that just because passkeys are designed to work that way, it doesn't mean that it's enough security.
I don't care if that's how passkeys are designed to work.

The important thing is that the problem is there: iPhone owners are getting their phones stolen and they are getting locked out of their accounts by the thieves.
Saying that it's just the way it's designed so that everything is fine is not something I can agree with.

As I wrote multiple times by now, at the very least Apple should give people the option to choose whether they want to allow it to work like this or not.
I certainly would not allow it.
It's more security than traditional passwords, which passkeys are designed to replace.

There is always going to be a tradeoff between security and convenience. It would be more secure for Apple to require a third factor to change the Apple ID password rather than two-factor authentication, but then that would be a lot less convenient. I can't think of many (any) online services that require a third factor to reset a password (perhaps banking?).

Passkeys are an industry standard and work in a standard way. I think it would require a change to the industry standard specification to add additional options to the required passkey security.
 
Last edited:

mpavilion

macrumors 65816
Aug 4, 2014
1,461
1,072
SFV, CA, USA
Let's assume your iPhone is set up as a passkey for your Google account (as well as your Apple account).

To reset your Google password from your iPhone you would navigate to the Google website, log in by authenticating with your device biometrics or passcode, then change the Google account password. At no point in changing that password is anything other than the iPhone passcode (or biometrics) needed.
OK, I just tried this out. It is true that Google allows me to authenticate the pw reset request simply with the phone in my hand. But it also sends a text to my wife (whose phone no. I apparently have on file as an alternate), asking her if the pw reset was legitimate. Meanwhile, Google emails me a "Critical security alert" email, saying – "We’ll send a link to sign in to your account in 6 hours. If you didn't make this request, you can cancel it." Presumably the idea is to give the account's actual owner time to take some sort of action, if the request was initiated by a phone thief.

For changing my Apple ID pw, none of this is needed. I simply enter the device's passcode (which the thief would have observed in this scenario).
 

LuisNeto

macrumors member
Original poster
Jun 6, 2023
46
39
(which the thief would have observed in this scenario).
Or by having forced the victim to reveal it.
I want to emphasise this point, because quite a few people are not considering the different scenarios in which people are ending up being locked out, and are dismissing the seriousness by saying those people should be more responsible.
 
  • Like
Reactions: chrfr

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
OK, I just tried this out. It is true that Google allows me to authenticate the pw reset request simply with the phone in my hand. But it also sends a text to my wife (whose phone no. I apparently have on file as an alternate), asking her if the pw reset was legitimate. Meanwhile, Google emails me a "Critical security alert" email, saying – "We’ll send a link to sign in to your account in 6 hours. If you didn't make this request, you can cancel it." Presumably the idea is to give the account's actual owner time to take some sort of action, if the request was initiated by a phone thief.

For changing my Apple ID pw, none of this is needed. I simply enter the device's passcode (which the thief would have observed in this scenario).
I don’t get any of that when changing the Google password, only an email after the fact to say the password has just been changed, the same way Apple does.
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
Or by having forced the victim to reveal.
I want to emphasise this point, because quite a few people are not considering the different scenarios in which people are ending up being locked out, and are dismissing the seriousness by saying those people should be more responsible.
To be fair, it doesn’t really matter what you say, it’s unlikely to change anything. The specification isn’t going to bend to your requirements.
 

addamas

macrumors 65816
Apr 20, 2016
1,313
1,341
This issue should be all over YouTube, the press and Reddit; maybe Apple's fear of losing income would get them to change this crappy implementation with its very low security level.

I am out of ideas on how to make them understand how big this issue is… and so is any of us.

A few security reports were sent; in each of them this ability is described as a required feature…

At least make the iCloud password blocked unless a FIDO physical key is used, for those who want to buy them…
 
  • Love
Reactions: LuisNeto

mpavilion

macrumors 65816
Aug 4, 2014
1,461
1,072
SFV, CA, USA
I don’t get any of that when changing the Google password, only an email after the fact to say the password has just been changed, the same way Apple does.
Did you click the "Forgot password?" link? That's the scenario here – not "Change password," which requires knowing/entering the existing password (which the thief doesn't have).
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
Did you click the "Forgot password?" link? That's the scenario here – not "Change password," which requires knowing/entering the existing password (which the thief doesn't have).
You don’t need to know the existing password to change the Google password when you access the account using a passkey. That’s the whole point of using passkeys: they supersede passwords!
 

LuisNeto

macrumors member
Original poster
Jun 6, 2023
46
39
To be fair, it doesn’t really matter what you say, it’s unlikely to change anything. The specification isn’t going to bend to your requirements.
It matters for the purpose of discussing it in this thread.
If you don't think this is an issue, good for you.
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
This issue should be all over YouTube, the press and Reddit; maybe Apple's fear of losing income would get them to change this crappy implementation with its very low security level.

I am out of ideas on how to make them understand how big this issue is… and so is any of us.

A few security reports were sent; in each of them this ability is described as a required feature…

At least make the iCloud password blocked unless a FIDO physical key is used, for those who want to buy them…
There’s nothing to report here though. This is how the industry standard passkey system works, and it’s already more secure than our existing password/2FA security systems that are commonplace.
 

mpavilion

macrumors 65816
Aug 4, 2014
1,461
1,072
SFV, CA, USA
You don’t need to know the existing password to change the Google password when you access the account using a passkey. That’s the whole point of using passkeys, it supersedes passwords!
But that's not how it's working, when I try it, on either my iPhone or Pixel. I cannot change my Google pw simply by possessing the unlocked device, or knowing its PIN code (at least without going through the complicated account recovery steps detailed above).
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
But that's not how it's working, when I try it, on either my iPhone or Pixel. I cannot change my Google pw simply by possessing the unlocked device, or knowing its PIN code (at least without going through the complicated account recovery steps detailed above).
Have you set up a passkey on that device to access your Google account?

 

mpavilion

macrumors 65816
Aug 4, 2014
1,461
1,072
SFV, CA, USA
Have you set up a passkey on that device to access your Google account?

I don't know, I'd have to click around on this page and explore. But if it turns out I haven't, doesn't that prove the point? – with Google, you have to opt in to that (less secure) authentication method for changing your pw, whereas it is the default (and only) option for changing your Apple ID pw with an iPhone.
 
  • Like
Reactions: LuisNeto

sk1ski1

macrumors regular
Sep 29, 2016
142
233
One possible solution Apple could implement is a time delay. When a request is made to change the Apple ID password on a phone, but the user does not remember the old password, there could be a time delay. Maybe 4 hours, 8 hours, or 24 hours, before the change can be made without the old password. This additional layer of security could be optional. This would help prevent this issue.
 
  • Love
Reactions: addamas
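As an added illustration (not code from Apple, Google or anyone in this thread), the following Python models the two reset flows the thread compares: the passcode-only path, where unlocking the device is the whole check, and a delayed, cancellable path like the 6-hour window mpavilion describes for Google and the optional delay sk1ski1 proposes. The class names, the alert channel and the account and contact values are all constructed for the model; the 6-hour figure is taken from the thread, the other timings are assumptions.

```python
"""Constructed model of an immediate versus a delayed, cancellable password reset."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy constant; 6 hours mirrors the delay quoted in the thread.
RESET_DELAY = timedelta(hours=6)


@dataclass
class ResetRequest:
    account: str
    requested_at: datetime
    cancelled: bool = False
    completed: bool = False


class DelayedResetPolicy:
    """Reset that needs only the unlocked device, but is delayed and cancellable."""

    def __init__(self, delay: timedelta = RESET_DELAY) -> None:
        self.delay = delay
        self.pending: Dict[str, ResetRequest] = {}
        # (timestamp, contact, message): stands in for the email/SMS alerts
        self.alerts: List[Tuple[datetime, str, str]] = []

    def request_reset(self, account: str, device_unlocked: bool,
                      contacts: List[str], now: datetime) -> Optional[ResetRequest]:
        """Possession of the unlocked device starts the clock; it does not finish the reset."""
        if not device_unlocked:
            return None
        req = ResetRequest(account=account, requested_at=now)
        self.pending[account] = req
        ready = now + self.delay
        for contact in contacts:
            self.alerts.append((now, contact,
                f"Password reset requested for {account}; it completes at "
                f"{ready.isoformat()} unless cancelled."))
        return req

    def cancel(self, account: str) -> bool:
        """The real owner, reached via any notified channel, cancels a pending reset."""
        req = self.pending.get(account)
        if req is None or req.completed:
            return False
        req.cancelled = True
        return True

    def complete_reset(self, account: str, now: datetime) -> bool:
        """Only an uncancelled request whose delay has elapsed may change the password."""
        req = self.pending.get(account)
        if req is None or req.cancelled or req.completed:
            return False
        if now < req.requested_at + self.delay:
            return False
        req.completed = True
        return True


def immediate_reset(device_unlocked: bool) -> bool:
    """The passcode-only path described for the Apple ID: unlocking is the whole check."""
    return device_unlocked


ACCOUNT = "victim@example.invalid"          # constructed account
CONTACTS = ["alt-contact@example.invalid"]  # constructed alternate contact


def thief_scenario(policy: DelayedResetPolicy) -> bool:
    """Someone holding the unlocked phone requests the reset; the owner cancels in time."""
    t0 = datetime(2024, 3, 10, 9, 0)
    policy.request_reset(ACCOUNT, True, CONTACTS, t0)
    policy.cancel(ACCOUNT)
    return policy.complete_reset(ACCOUNT, t0 + timedelta(hours=7))


def owner_scenario(policy: DelayedResetPolicy) -> bool:
    """Legitimate owner waits out the delay; nobody cancels."""
    t0 = datetime(2024, 3, 10, 9, 0)
    policy.request_reset(ACCOUNT, True, CONTACTS, t0)
    early = policy.complete_reset(ACCOUNT, t0 + timedelta(hours=1))   # too soon
    late = policy.complete_reset(ACCOUNT, t0 + timedelta(hours=6))    # delay elapsed
    return (not early) and late


if __name__ == "__main__":
    print("immediate path with unlocked device:", immediate_reset(True))
    print("delayed path, thief cancelled by owner:", thief_scenario(DelayedResetPolicy()))
    print("delayed path, legitimate owner:", owner_scenario(DelayedResetPolicy()))
```

The point of the model is that both paths accept the same first step (an unlocked device), so the difference in outcome comes entirely from the waiting period and the cancel link sent to an out-of-band contact, which is the layer the thread is asking Apple to offer as an option.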

LuisNeto

macrumors member
Original poster
Jun 6, 2023
46
39
There’s nothing to report here though. This is how the industry standard passkey system works, and it’s already more secure than our existing password/2FA security systems that are commonplace.
I am reading more about passkeys and I think you should read too.

My understanding is that the problem being described in this thread isn't exactly the result of Apple having implemented Passkeys.

In this ZDNET article published last week, on the 6th of March, you can read in the first paragraph:
Apple announced today that it will be implementing its Passkey feature across iOS and macOS devices, enabling users to manage accounts via biometric authentication. You'll be able to use either Face ID or Touch ID to automatically fill in your log in information when accessing apps, websites, and programs on your iPhone, iPad, MacBook, or iMac device.

So what we have today is not a proper implementation of the Passkeys that you think it is.
 
Last edited:

mpavilion

macrumors 65816
Aug 4, 2014
1,461
1,072
SFV, CA, USA
^^Yes – fwiw, that's what my Pixel seemed to require for changing my Google pw; biometric identification (my actual fingerprint on the sensor).
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
I don't know, I'd have to click around on this page and explore. But if it turns out I haven't, doesn't that prove the point? – with Google, you have to opt in to that (less secure) authentication method for changing your pw, whereas it is the default (and only) option for changing your Apple ID pw with an iPhone.
Right information, wrong conclusion.

The reason with Google you have to opt in to using passkeys is because they are new.

The reason you can reset the underlying password when accessing the account using a passkey authenticated device is because passkeys are more secure than passwords.
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
^^Yes – fwiw, that's what my Pixel seemed to require for changing my Google pw; biometric identification (my actual fingerprint on the sensor).
And when your fingerprint fails, what does your phone ask you to input? That’s right, your passcode!

Face ID/Touch ID is just a more convenient version of your device passcode. If someone knows your device passcode, they can get around any request for Face ID/Touch ID where the fallback method is the device passcode. This includes passkeys.
 
  • Like
Reactions: addamas

mpavilion

macrumors 65816
Aug 4, 2014
1,461
1,072
SFV, CA, USA
Right information, wrong conclusion.

The reason with Google you have to opt in to using passkeys is because they are new.

The reason you can reset the underlying password when accessing the account using a passkey authenticated device is because passkeys are more secure than passwords.
Sorry, I just don't follow you here ("they are new")? It seems like Google has thought through the implementation in more detail.
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
I am reading more about passkeys and I think you should read too.

My understanding is that the problem being described in this thread isn't exactly the result of Apple having implemented Passkeys.

In this ZDNET article published last week, on the 6th of March, you can read in the first paragraph:


So what we have today is not a proper implementation of the Passkeys that you think it is.
The article says exactly how passkeys work on the iPhone, including how resetting the Apple ID password works.
 

mrochester

macrumors 601
Feb 8, 2009
4,819
2,717
Sorry, I just don't follow you here ("they are new")? It seems like Google has thought through the implementation in more detail.
Passkeys are a new way of securing your Google account. This is why they are opt-in right now.

Passkeys are more secure than passwords, which is why the password on your Google/Apple can be reset once you have authenticated access using the device that holds the passkey.

Apple don’t use the old less secure method, and instead just use the new, more secure passkey method.
 