
LuisNeto (macrumors member, Original poster, Jun 6, 2023)
The article says exactly how passkeys work on the iPhone, including how resetting the Apple ID password works.
Again, read the beginning of the article.
What it mentions is using biometric authentication, not the Passcode.

Passkeys replace passwords.
The idea is that you can use Passkeys - which are stored encrypted on the phone.

You authorise their usage by using biometrics.

Just because an iPhone has been unlocked, it should not allow any person holding it to also change the Apple ID password just by entering the Passcode.
It should request your biometrics (FaceID or TouchID) to authorise the usage of the Apple ID account Passkey!
 

mpavilion (macrumors 65816, Aug 4, 2014, SFV, CA, USA)
Passkeys are more secure than passwords, which is why the password on your Google/Apple can be reset once you have authenticated access using the device that holds the passkey.
The point of 2FA is you need two methods! It is by no means LESS secure to require the password in addition to the "passkey" (trusted device, when authenticated).
 

mrochester (macrumors 601, Feb 8, 2009)
Again, read the beginning of the article.
What it mentions is using biometric authentication, not the Passcode.

Passkeys replace passwords.
The idea is that you can use Passkeys - which are stored encrypted on the phone.

You authorise their usage by using biometrics.

Just because an iPhone has been unlocked, it should not allow any person holding it to also change the Apple ID password just by entering the Passcode.
It should request your biometrics (FaceID or TouchID) to authorise the usage of the Apple ID account Passkey!
When your device biometric authentication fails, it asks you for the device PIN to continue...
 

mrochester (macrumors 601, Feb 8, 2009)
The point of 2FA is you need two methods! It is by no means LESS secure to require the password in addition to the "passkey" (trusted device, when authenticated).
Passkeys are by definition 2FA, you need the physical device, and the device passcode (or Touch ID or Face ID).
 

mrochester (macrumors 601, Feb 8, 2009)
No, it's the fingerprint. I have the device in my hand, why are you arguing with me about this?
When touch ID/Face ID fails, your phone will ask for the device passcode, the same passcode that you need to authenticate access to an account that uses passkeys, and the same passcode that can then reset the password of that account.

I really don't know how to explain this more clearly. With passkeys, your device and its passcode (or Touch ID/Face ID) become the master keys to the kingdom. That's how they work, how the specification says they work, how they'll probably continue to work, and how they'll work when you inevitably start using them for all your online accounts (and which you are already using for your Apple account).

Are we clear now?
 

mrochester (macrumors 601, Feb 8, 2009)
Where does it say that all Passkey implementations have to work like that?
In the passkey specification:

The user experience will be familiar and consistent across many of the user’s devices – a simple verification of their fingerprint or face, or a device PIN, the same simple action that consumers take multiple times each day to unlock their devices.
 

LuisNeto (macrumors member, Original poster, Jun 6, 2023)
The user experience will be familiar and consistent across many of the user’s devices – a simple verification of their fingerprint or face, or a device PIN, the same simple action that consumers take multiple times each day to unlock their devices.
That doesn't specify that every implementation is required to allow the PIN (iPhone Passcode).

Apple can very well choose to only enable the authorisation of the Passkey associated with Apple ID via FaceID or TouchID Passcode when someone wants to change the Apple ID password.

(Edit: expanded and amended the last sentence)
 

mpavilion (macrumors 65816, Aug 4, 2014, SFV, CA, USA)
I tried authenticating yet another way (using the phone), and Google still sends the email about the 6-hour waiting period. I'm done with this experimentation – it seems clear that, at minimum, Google requires additional steps that Apple does not. (And it's an "Account recovery" process, not simply a "Change password" process like it is with an iPhone and Apple ID.)
 

mrochester (macrumors 601, Feb 8, 2009)
That doesn't specify that every implementation is required to allow the PIN (iPhone Passcode).

Apple can very well choose to only enable the authorisation Apple ID Passkey via FaceID or TouchID Passcode when someone wants to change the Apple ID password.

(Edit: expanded on the last sentence)
You'd be going off-spec by ONLY allowing touch ID or Face ID to authenticate since the spec calls for ANY method that unlocks the device to be valid.

It's the act of being able to unlock the device that indicates that it is the authenticated user present.
 

mrochester (macrumors 601, Feb 8, 2009)
I tried authenticating yet another way (using the phone), and Google still sends the email about the 6-hour waiting period. I'm done with this experimentation – it seems clear that, at minimum, Google requires additional steps that Apple does not. (And it's an "Account recovery" process, not simply a "Change password" process like it is with an iPhone and Apple ID.)
Have you setup a passkey on your phone for your google account?
 

mrochester (macrumors 601, Feb 8, 2009)
As I said before – I'm not sure, but if not (and it's opt-in only), it proves my point!
That'll be why you are having to jump through all those additional steps, because you haven't setup your phone as a trusted device.

You proactively have to set them up when using a Google account. It happens automatically on an Apple device.
 

LuisNeto (macrumors member, Original poster, Jun 6, 2023)
You'd be going off-spec by ONLY allowing touch ID or Face ID to authenticate since the spec calls for ANY method that unlocks the device to be valid.
Be accurate!
Nothing that you shared shows that the Passkeys spec says that every company implementing it is forced to allow ANY method that unlocks the device.
Again, are you able to show me anywhere where that is stated?
 

mpavilion (macrumors 65816, Aug 4, 2014, SFV, CA, USA)
That'll be why you are having to jump through all those additional steps, because you haven't setup your phone as a trusted device.

You proactively have to set them up when using a Google account. It happens automatically on an Apple device.
Nothing happens automatically on an iPhone when I go to change my Apple ID, other than it lets me do it by entering my device PIN. No email with a waiting period, no text to a backup phone number, etc.
 

mrochester (macrumors 601, Feb 8, 2009)
Be accurate!
Nothing that you shared shows that the Passkeys spec says that every company implementing it is forced to allow ANY method that unlocks the device.
Again, are you able to show me anywhere where that is stated?
It's up to the user to decide which method they use. A user doesn't have to have setup face id or touch id, they can choose to just use their device passcode. They must have a device passcode though, you can't use passkeys without at least a device passcode.
 
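The two mrochester posts about the spec (the one above, and the earlier one saying any method that unlocks the device counts as the user being present) describe what the website, the relying party, actually receives when a passkey is used. As an added example, not code from any poster and not from Apple, Google or the FIDO Alliance, here is the server-side view in Python: it builds the 37-byte authenticator data that a platform authenticator returns with an assertion and applies the checks the WebAuthn spec tells a relying party to make on it. The RP ID "example.com", the phishing domain and the signature counters are constructed for the demo, and the signature check over authData || SHA-256(clientDataJSON) is left out so that the flags byte is the only thing under discussion.

```python
"""Relying-party view of a passkey (WebAuthn) assertion.

Added illustration, not code from any poster, Apple, Google or FIDO.
Sample values (RP ID "example.com", counters, the lookalike domain) are constructed.
"""
import hashlib
import struct

# Bits of the flags byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present (touch / click / approval prompt)
FLAG_UV = 0x04  # user verified: biometric OR device PIN/passcode, the bit does not say which
FLAG_BE = 0x08  # backup eligible (synced, multi-device credential)
FLAG_BS = 0x10  # backup state (currently backed up)
FLAG_AT = 0x40  # attested credential data present (registration only)
FLAG_ED = 0x80  # extension data present


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4, big-endian); no attestation/extension blocks."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_auth_data(auth_data: bytes) -> dict:
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data: bytes, expected_rp_id: str,
                    require_uv: bool, stored_sign_count: int) -> dict:
    """The RP's checks on assertion authData (signature check omitted here).

    Returns {"ok": bool, "reasons": [...], "new_sign_count": int}.
    """
    parsed = parse_auth_data(auth_data)
    reasons = []
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        reasons.append("rpIdHash mismatch: assertion was produced for a different RP ID")
    if not parsed["user_present"]:
        reasons.append("UP flag not set")
    if require_uv and not parsed["user_verified"]:
        reasons.append("UV required but UV flag not set")
    new_count = parsed["sign_count"]
    # The counter check only applies when the authenticator actually increments it.
    # Synced passkeys commonly report 0 every time, so 0 against 0 is accepted.
    if (new_count > 0 or stored_sign_count > 0) and new_count <= stored_sign_count:
        reasons.append("signCount did not increase: possible cloned authenticator")
    return {"ok": not reasons, "reasons": reasons,
            "new_sign_count": max(new_count, stored_sign_count)}


def demo() -> dict:
    rp = "example.com"
    synced = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS  # what a synced platform passkey sets
    # Constructed: the same credential used after Face ID and after the device passcode.
    after_face_id = build_auth_data(rp, synced, 0)
    after_passcode = build_auth_data(rp, synced, 0)
    # Constructed failure cases.
    no_uv = build_auth_data(rp, FLAG_UP, 0)                       # only presence, no verification
    wrong_rp = build_auth_data("example.com.lookalike.test", synced, 0)  # signed for another RP ID
    stale = build_auth_data(rp, synced, 5)                         # counter went backwards
    return {
        "identical_on_the_wire": after_face_id == after_passcode,
        "face_id": check_assertion(after_face_id, rp, True, 0),
        "passcode": check_assertion(after_passcode, rp, True, 0),
        "no_uv": check_assertion(no_uv, rp, True, 0),
        "wrong_rp": check_assertion(wrong_rp, rp, True, 0),
        "replayed_counter": check_assertion(stale, rp, True, 7),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and the "after Face ID" and "after passcode" blobs come out byte-identical: the UV bit tells the server that the authenticator verified its user, not how. WebAuthn does define an optional uvm (User Verification Method) extension through which an authenticator may report the method, but the server cannot force an authenticator to support it, so a site that wants to insist on biometrics rather than a PIN has no reliable signal in the assertion to act on. The other cases show what the server can reject: no verification when it asked for one, an assertion made for a different RP ID (how passkeys resist phishing), and a signature counter that did not advance.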

mrochester (macrumors 601, Feb 8, 2009)
Nothing happens automatically on an iPhone when I go to change my Apple ID, other than it lets me do it by entering my device PIN. No email with a waiting period, no text to a backup phone number, etc.
It's not supposed to. Because you have been able to a) access the trusted device, b) unlock that trusted device, that gives you permission to administer your Apple ID (including changing the password). No further warning or check is needed as you have already completed the 2 factor authentication through step a and b.

Steps A and B are all you need to change the password on your Google account too, once you have set up that device with a passkey for your Google account. It'll be all you need to change the password on any number of accounts in the future. This is why it is imperative to keep your device and passcode secure.

You will probably get an email from Apple after you have changed the password to inform you it has been changed.
 

mpavilion (macrumors 65816, Aug 4, 2014, SFV, CA, USA)
It's not supposed to. Because you have been able to a) access the trusted device, b) unlock that trusted device, that gives you permission to administer your Apple ID (including changing the password). No further warning or check is needed as you have already completed the 2 factor authentication through step a and b.
Yes, and that is bad. That is what this thread is about. (And Google doesn't seem to make it that easy, at least without – according to the link you found – opting into something further.)
 

mrochester (macrumors 601, Feb 8, 2009)
Yes, and that is bad. That is what this thread is about. (And Google doesn't seem to make it that easy, at least without – according to the link you found – opting into something further.)
Well it's a lot more secure than our current system of passwords, so I'm not sure what the point of calling it 'bad' is, when it's better than what we currently have.

Google is opt-in for now.
 

mpavilion (macrumors 65816, Aug 4, 2014, SFV, CA, USA)
Well it's a lot more secure than our current system of passwords, so I'm not sure what the point of calling it 'bad' is, when it's better than what we currently have.

Google is opt-in for now.
It is bad because if someone observes a device PIN being entered in public, and then steals the device (as seems to happen), they will have total control over the user's Apple ID, not just the device itself. It would be better if changing the Apple ID password required additional security measures.
 

LuisNeto (macrumors member, Original poster, Jun 6, 2023)
It's not supposed to. Because you have been able to a) access the trusted device, b) unlock that trusted device, that gives you permission to administer your Apple ID (including changing the password). No further warning or check is needed as you have already completed the 2 factor authentication through step a and b.
You have been mixing things!

Unlocking the device is one thing.
Authorising the usage of a particular Passkey stored in the device is another thing and requires a separate authentication.
 