I have my phone locked down as tight as I can. If my phone gets lost or stolen, whoever has the phone won't be able to access most of the phone. Almost all of my apps require Face ID to open.
Where are the settings to disable passcode unlock if Face ID fails?

My UK banking apps require Face ID and can't be opened with PIN, but as far as I can see other apps are a mixture. Some will revert to passcode if Face ID fails and some won't, including 1Password, which requires the full master password if Face ID fails.
 
A PIN alone doesn’t allow a complete reset of an Apple account password. Here, try it. Mine is elmerQ. Completely reset my Apple account without my device in your possession.

I think you’ll find that’s quite difficult to do.
I think you know what I mean. Obviously in this whole scenario, the person has stolen the phone. Let me be more specific.

With the iPhone in hand, the PIN alone should not be enough to reset an Apple ID password.
 
Where are the settings to disable passcode unlock if Face ID fails?
I don't think there is one and how would this work? What would you use to unlock the device that would allow the criminal to use the same information to take over your account. It couldn't be your Apple ID password because the fact that they can reset it and then have it is the whole problem.


The security vulnerability is the fact that they can reset your Apple ID password with the PIN.
 
Yes, there is something to patch. A PIN alone should not allow a complete reset of your Apple account password. This is the issue: not the fact that they can get into the phone, but that they can reset your Apple password and take over your account. This is a security vulnerability that needs to be patched. I'm sure Apple is going to fix this. It's a cat and mouse game and criminals will always try something new, so there are going to be patches.
This is how passkeys work, the device passcode becomes the master password for your accounts.
 
I strongly encourage you to set up Face ID on all your apps and turn off Siri access when the phone is locked. Set up a long alphanumeric passcode. If your phone is lost or stolen, access to your personal information will be much more secure.
The advantage of using an alphanumeric password would be that it would be more difficult to observe with someone shoulder surfing. You couldn't use actual words, because that would be almost as easy to observe as a PIN. It would have to be a random long string of letters and numbers, long and random enough to make it difficult for most people to remember quickly.

I think the biggest takeaway from this is to watch your surroundings. This is happening at bars usually, where people are relaxed, perhaps slightly inebriated, and their guard is down. The thief takes advantage of an easy-to-remember six digit number, then grabs the phone.
 
I don't think there is one and how would this work? What would you use to unlock the device that would allow the criminal to use the same information to take over your account. It couldn't be your Apple ID password because the fact that they can reset it and then have it is the whole problem.


The security vulnerability is the fact that they can reset your Apple ID password with the PIN.
It's not a security vulnerability, it's how passkeys appear to be designed to work.
 
The security vulnerability is the fact that they can reset your Apple ID password with the PIN.
Agreed that this is the issue we are discussing here. The passcode works as it should, but it has a vulnerability that is difficult to mitigate. The only existing mitigations presented here are to 1) hide your passcode from everyone or 2) use Screen Time to lock out password changes with the passcode.

All I would like to see is Apple giving us an option to prevent resetting the AppleID password with the passcode and the device. Maybe the Screen Time feature is all we will get. But I'm not sure why others here are pushing back on the idea of having Apple provide another solution at least as an option to what presently exists.
 
Where are the settings to disable passcode unlock if Face ID fails?

My UK banking apps require Face ID and can't be opened with PIN, but as far as I can see other apps are a mixture. Some will revert to passcode if Face ID fails and some won't, including 1Password, which requires the full master password if Face ID fails.
That's a different password to your device passcode/word (unless of course you make them the same!).
 
Agreed that this is the issue we are discussing here. The passcode works as it should, but it has a vulnerability that is difficult to mitigate. The only existing mitigations presented here are to 1) hide your passcode from everyone or 2) use Screen Time to lock out password changes with the passcode.

All I would like to see is Apple giving us an option to prevent resetting the AppleID password with the passcode and the device. Maybe the Screen Time feature is all we will get. But I'm not sure why others here are pushing back on the idea of having Apple provide another solution at least as an option to what presently exists.
It's not so much 'pushing back', it's recognising that this is how device and account security is going to work in the future. Your device passcode is going to be the master password for many different accounts.
 
I tested this and it helps a little but you can reset screen time if you have the passcode?
Not with the main passcode. Changing anything in Screen Time settings requires the Screen Time passcode, but the thief won't have this. Yes, it is another passcode to remember; I am willing to do this.
 
This is how passkeys work, the device passcode becomes the master password for your accounts.
Regardless of how passkeys work, the number used to unlock your phone should not be the same one that can reset your password. I have a banking app that allows me to use a PIN. I cannot use that PIN to reset my banking account password.

The "oh that's just how it works" answer is not reasonable when it comes to security vulnerabilities. Criminals have found a vulnerability and are exploiting it. Sure that's how it works now and it's being exploited. This is where software developers come in and figure out a way to patch the vulnerability.


At one time we had SMS 2FA verification and unfortunately we still have too much of it. Someone might say, "Well, that's just how 2FA works, what do you want me to do?" No, no, that's not how it works. It needs to be changed.
 
Not with the main passcode. Changing anything in Screen Time settings requires the Screen Time passcode, but the thief won't have this. Yes, it is another passcode to remember; I am willing to do this.
I was told there is somehow a workaround for this as well. I don't know for sure though, so maybe it's something to slow them down.
 
It's not a security vulnerability, it's how passkeys appear to be designed to work.
It is a vulnerability since people have had their phones and passcodes stolen and used maliciously. It may work as designed but it has a particular weakness that allows a malicious actor to exploit the convenience of resetting the AppleID password with the passcode and the device. And apparently it is not too hard for a thief to do this in a public setting.

If the future is one device one passcode then there should be options to lock it down even if it causes an inconvenience to the user. All security is an inconvenience to some extent.
 
Regardless of how passkeys work, the number used to unlock your phone should not be the same one that can reset your password. I have a banking app that allows me to use a PIN. I cannot use that PIN to reset my banking account password.

The "oh that's just how it works" answer is not reasonable when it comes to security vulnerabilities. Criminals have found a vulnerability and are exploiting it. Sure that's how it works now and it's being exploited. This is where software developers come in and figure out a way to patch the vulnerability.


At one time we had SMS 2FA verification and unfortunately we still have too much of it. Someone might say, "Well, that's just how 2FA works, what do you want me to do?" No, no, that's not how it works. It needs to be changed.
It looks like the future is precisely that; your device passcode is going to become the master password for many different accounts and will be what you need to enter to reset passwords to your online accounts.

It's going to become ever more important to protect your device passcode as we move away from accounts being authenticated by password/2fa and instead authenticated by a trusted device.

 
Agreed that this is the issue we are discussing here. The passcode works as it should, but it has a vulnerability that is difficult to mitigate.
No, the passcode does not work as it should. The passcode should work to unlock the phone and that's it.

At least give users the option to disable resetting their Apple ID password with the unlock PIN without a second form of verification separate from that device. It could be something as simple as asking a security question. What's your favorite food? Yes, that's a stupid, easy-to-figure-out security answer, but not for the random thief that grabs your phone.
 
No, the passcode does not work as it should. The passcode should work to unlock the phone and that's it.

At least give users the option to disable resetting their Apple ID password with the unlock PIN without a second form of verification separate from that device. It could be something as simple as asking a security question. What's your favorite food? Yes, that's a stupid, easy-to-figure-out security answer, but not for the random thief that grabs your phone.
That's not how passkeys work, or are going to work. By definition, the device that has the passkey stored is a secure device with access privileges to make changes to your accounts. The device passcode, Face ID, Touch ID becomes the master password for your accounts.
 
No, the passcode does not work as it should. The passcode should work to unlock the phone and that's it.

At least give users the option to disable resetting their Apple ID password with the unlock PIN without a second form of verification separate from that device. It could be something as simple as asking a security question. What's your favorite food? Yes, that's a stupid, easy-to-figure-out security answer, but not for the random thief that grabs your phone.
I agree with you on the second part but not on the first part. Apple designed the passcode to do more than unlock the phone. But there is a weakness in this strategy, and right now there is no good way to mitigate it other than to never give a thief the opportunity, which is easier said than done when it comes to the way we use smartphones these days.
 
It looks like the future is precisely that; your device passcode is going to become the master password for many different accounts and will be what you need to enter to reset passwords on your online accounts.

It's going to become ever more important to protect your device passcode.


I'll make this really simple since we went from the unlock PIN to passkeys. Let's use a different number for the passkey than for the PIN to unlock the phone. Remember the old days when we had passwords, and if you used the same password for everything and one account got hacked, everything was hacked? This is sounding really familiar right now. Maybe we should use different numbers for different things. Having one number to unlock everything just sounds like something my grandmother would do.
 
I'll make this really simple since we went from the unlock PIN to passkeys. Let's use a different number for the passkey than for the PIN to unlock the phone. Remember the old days when we had passwords, and if you used the same password for everything and one account got hacked, everything was hacked? This is sounding really familiar right now. Maybe we should use different numbers for different things. Having one number to unlock everything just sounds like something my grandmother would do.
Passkeys go in your keychain; they are protected by Face ID, Touch ID or device passcode. They aren't designed to be a separate thing under a different lock and key, and I don't think they will be.
 
I have read the entire thread and have not seen anyone produce any evidence that a Screen Time passcode doesn't solve the problem.

Also tested on my iPhone.

You have the option of allowing Apple ID to recover the Screen Time passcode, and it seems enabling this puts a crucial delay in the thief's ability to unlock Screen Time and hence take control. If you don't enable this, I assume the thief is stopped.

Yes, it is inconvenient if you want to do anything with your Apple ID, but I don't do that often.

If the above is incorrect please give details.
 
Passkeys go in your keychain; they are protected by Face ID, Touch ID or device passcode. They aren't designed to be a separate thing under a different lock and key, and I don't think they will be, as they are designed to be convenient and secure.
So you're telling me it's impossible to make the unlock code on a phone a different number than say the number to unlock my bank account? I find this a bit hard to believe.
 
Passkeys go in your keychain; they are protected by Face ID, Touch ID or device passcode. They aren't designed to be a separate thing under a different lock and key, and I don't think they will be.
The passkey concept still has a vulnerability because if someone knows your passcode and has your device they can reset the biometrics (finger or face).
 
Where are the settings to disable passcode unlock if Face ID fails?

My UK banking apps require Face ID and can't be opened with PIN, but as far as I can see other apps are a mixture. Some will revert to passcode if Face ID fails and some won't, including 1Password, which requires the full master password if Face ID fails.
There is no setting for that. If Face ID fails, you will be prompted to enter the passcode. When that happens, I exit out of the app and reopen with Face ID.
 