
Paddle1

macrumors 603
May 1, 2013
5,151
3,604
I agree, but the 'fix' isn't just an Apple problem, it needs the entire industry, since passkeys are a standard. The entire passkey specification would need to be changed.

"When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password."


As such, there's nothing for Apple to fix, the system is working as designed until a point at which it is redesigned.
I don't see it say anywhere that a passcode must override the biometrics.

Either way, if it stayed the way it works now, passkeys will flop (or never take off) once theft and hacking begin to rise and negative publicity takes over. There is already a precedent for keeping the passcode out of things with banking apps. Perhaps some expansion to disabling PIN fallback is in order?
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
I don't see it say anywhere that a passcode must override the biometrics.

Either way, if it stayed the way it works now, passkeys will flop (or never take off) once theft and hacking begin to rise and negative publicity takes over. There is already a precedent for keeping the passcode out of things with banking apps. Perhaps some expansion to disabling PIN fallback is in order?
Your device always falls back to your passcode when Face ID or Touch ID fails (apart from specific apps).

Passkeys are designed to actually be more secure than our existing systems. You just need to make sure no one finds out what your device passcode is.
 

ninecows

macrumors 6502a
Apr 9, 2012
760
1,249
First off,
Let me just say I am extremely sorry this has happened to you. I can only imagine the fear and panic you must be going through since this occurred.
The only advice I could possibly give at this juncture is for future reference:
------------------

How to use Screen Time to stop thieves from messing with your Apple ID

To start, head to Settings > Screen Time > Use Screen Time Passcode, if you haven’t set one up already. Make sure it’s not the same passcode you use for your iPhone, since we’re going to assume a thief knows those digits already. Jump to Content & Privacy Restrictions, and choose down to Account Changes. Punch in your Screen Time passcode, then choose “Don’t Allow.”

When you return to the main Settings menu, you’ll find your name is grayed out at the top. Not only have you blocked access to your recovery key settings, you’ve blocked access to anything having to do with your Apple ID.
------------------
I currently use this method; hopefully I never have to find out how well it works...

I hope this method will save you heartache and headache in the future, friend.
Cheers!

Here is the link to the original article:

And when setting up Screen Time I’m also asked to provide an Apple ID (email) and password that can be used to reset the Screen Time passcode. So what they then need to do is just ask for a reset of the Screen Time passcode and check my email (which is on the phone).
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,916
1,900
UK
And when setting up Screen Time I’m also asked to provide an Apple ID (email) and password that can be used to reset the Screen Time passcode. So what they then need to do is just ask for a reset of the Screen Time passcode and check my email (which is on the phone).
Allowing the Screen Time passcode to be reset by Apple ID is optional.

From earlier posts in this thread, my understanding is that even if you do allow this, the reset process puts a useful delay in the process; it is not an instant reset.
 

Jackbequickly

macrumors 68040
Aug 6, 2022
3,185
3,277
Easy. My PIN is ten randomly generated digits, and I can remember it just fine. :cool:


Have you read the whole story? I think you've missed the point.
Gaining control of the phone itself by knowing the PIN is fair game. No one is disputing that. But gaining control of the entire iCloud account by knowing just a device PIN is an unbelievably, mindblowingly HUGE security flaw. Once you set up a physical key and generate a recovery key, resetting the Apple ID password without at least one of them should be absolutely impossible no matter what.

Like it or not, it is the way it is.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Huh? What does the Fido Alliance have to do with the fact that Apple decided to reset the iCloud password with the device PIN to make it more convenient to careless users?
The Fido Alliance designed the passkey standard, which appears to be what Apple are using to authenticate access to iCloud.

By design, the device PIN becomes the master password for services that make use of a passkey. It’s a much more secure way of logging into online services because it doesn’t require password storage or transmission.

If you want that changed, you will need to speak to the Fido Alliance to change the standard.

Users must ensure they protect their device PIN when using passkeys on that device, as that PIN becomes the keys to the kingdom.
 

ninecows

macrumors 6502a
Apr 9, 2012
760
1,249
Allowing the Screen Time passcode to be reset by Apple ID is optional.

From earlier posts in this thread, my understanding is that even if you do allow this, the reset process puts a useful delay in the process; it is not an instant reset.
Awesome! The setup process for Screen Time was just pretty insistent, nudging me to set up reset with Apple ID.

Now at least there’s an extra step and code they need to lure to do anything.
 

adrianlondon

macrumors 603
Nov 28, 2013
5,536
8,360
Switzerland
Awesome! The setup process for Screen Time was just pretty insistent, nudging me to set up reset with Apple ID.

Now at least there’s an extra step and code they need to lure to do anything.
Is there? I tried this, and selected NOT to use my Apple ID to reset the Screen Time passcode, but when I went back into Screen Time and selected to change the passcode, then clicked on "forgotten?", it STILL prompted me to enter and then reset (with my phone PIN only) my Apple ID password. *

Even if that doesn't then unlock the Screen Time passcode or disable Screen Time immediately, I, as a thief, have just reset your Apple ID password, gotten access to it, and locked you out (as the old password is no longer valid).

Am I misunderstanding the process?

* Is this a bug?
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,916
1,900
UK
I have read the entire thread and not seen anyone produce any evidence that a Screen Time passcode doesn't solve the problem.

Also tested on my iPhone.

You have the option of allowing Apple ID to recover the Screen Time passcode, and it seems enabling this puts a crucial delay in the thief's ability to unlock Screen Time and hence take control. If you don't enable this, I assume the thief is stopped.

Yes, it is inconvenient if you want to do anything with your Apple ID, but I don't do that often.

If the above is incorrect please give details.

I am going to shoot myself down. Screen Time is not the answer, even with an Apple ID Recovery Key set and with "Recover Screen Time passcode with Apple ID" disabled. Though it does put some more obstacles in the thief’s path. Maybe some less knowledgeable thieves would be stopped. Some options in the sequence below put some delay in the recovery process, but the sequence below leads to instant break-in.

I just went through these steps:

  1. Screen Time settings > Change Screen Time Passcode.
  2. Click Forgot Passcode.
  3. Enter Apple ID email but not password; click Forgot Apple ID Password.
  4. This produces a screen asking for the iPhone passcode, which the thief has. Entering the passcode leads to a screen to enter a new Apple ID password.

Anyone can test these steps themselves. No harm is done; you can cancel out at the end before entering your new Apple ID password.

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
Sucks for the original poster that Apple didn’t at least have a 3-day hold period with any failed authentication. That would’ve given him time to wipe the phone remotely and brick 🧱 the phone as well.

For cases like this Apple needs to implement a hold period before any changes can happen. Apple also needs to implement verifying of emergency contacts to make any changes.

Apple makes it too easy for thieves with a passcode
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
That's exactly what this thread is about. We know this is the way it is, and we don't like it. Because it's utterly stupid.
TBH, if you lack security awareness, thieves will find another loophole with the newer process. It’s a cat and mouse game, and unfortunately, not many options exist if users don’t have basic opsec awareness. I hope Apple gives an additional safety layer with confirming change of password from a second trusted device, or makes the user enter the password if there isn't another trusted device as an option, for those who enter passcodes in public.

One can learn from the mistakes, be more aware or shift the blame.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
TBH, if you lack security awareness, thieves will find another loophole with the newer process. It’s a cat and mouse game, and unfortunately, not many options exist if users don’t have basic opsec awareness. I hope Apple gives an additional safety layer with confirming change of password from a second trusted device, or makes the user enter the password if there isn't another trusted device as an option, for those who enter passcodes in public.

One can learn from the mistakes, be more aware or shift the blame.
How is having to type the existing password going to help? The most likely reason someone is resetting a password is because they’ve forgotten it! You can’t have the old password as a requirement to change the password.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Sucks for the original poster that Apple didn’t at least have a 3-day hold period with any failed authentication. That would’ve given him time to wipe the phone remotely and brick 🧱 the phone as well.

For cases like this Apple needs to implement a hold period before any changes can happen. Apple also needs to implement verifying of emergency contacts to make any changes.

Apple makes it too easy for thieves with a passcode
The thief didn’t fail authentication, they entered the correct passcode.
 

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
The thief didn’t fail authentication, they entered the correct passcode.
Oh ok I missed that part. Why couldn’t Apple work with the customer to get back control of his Apple ID account as long as he verified proof of purchase of the device and other important information that the thief would not know?
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
How is having to type the existing password going to help? The most likely reason someone is resetting a password is because they’ve forgotten it! You can’t have the old password as a requirement to change the password.
The problem here is the ability to reset the iCloud account with just the passcode. Some have concerns about passcode and device safety in public. Adding an extra optional layer of entering the password will prevent a thief from using the passcode to reset the iCloud account, and from marking the device as stolen or wiping the phone.

For those forgotten-password users, use a trusted second device to reset with just the passcode. If there is no second device, make the password optional. Let people choose: if the user is concerned about the PIN and theft of the device, use an optional step requiring the iCloud password.
It doesn’t have to be all or nothing, but adding this extra step is no guarantee; the thieves will figure out another creative way. Bottom line, security of the physical device and keeping the passcodes/passwords safe is the user's responsibility.
 

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
The problem here is the ability to reset the iCloud account with just the passcode. Some have concerns about passcode and device safety in public. Adding an extra optional layer of entering the password will prevent a thief from using the passcode to reset the iCloud account, and from marking the device as stolen or wiping the phone.

For those forgotten-password users, use a trusted second device to reset with just the passcode. If there is no second device, make the password optional. Let people choose: if the user is concerned about the PIN and theft of the device, use an optional step requiring the iCloud password.
It doesn’t have to be all or nothing, but adding this extra step is no guarantee; the thieves will figure out another creative way. Bottom line, security of the physical device and keeping the passcodes/passwords safe is the user's responsibility.
Apple could implement an additional security layer to change anything by having the person verify something that the thief would not know, like an emergency contact's full name and phone number.

Sucks for the original poster that Apple didn’t have additional security measures in place.

Hopefully 🤞 Apple fixes this at WWDC with iOS 17.

Apple quickly fixed the iCloud exploit with 2FA that exposed so many celebrities' private photos.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Oh ok I missed that part. Why couldn’t Apple work with the customer to get back control of his Apple ID account as long as he verified proof of purchase of the device and other important information that the thief would not know?
To all intents and purposes Apple only knows that an account belongs to a particular person because that person has the access and the account settings might contain some of their personal details.

But with access to the account, a thief can change all of those details, effectively making the account look like it belongs to them.

How does Apple then decide who the legitimate owner of the account is? It’s all just a balance of probability (based on the evidence, you probably own this account, so we’ll give you access).
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
The problem here is the ability to reset the iCloud account with just the passcode. Some have concerns about passcode and device safety in public. Adding an extra optional layer of entering the password will prevent a thief from using the passcode to reset the iCloud account, and from marking the device as stolen or wiping the phone.

For those forgotten-password users, use a trusted second device to reset with just the passcode. If there is no second device, make the password optional. Let people choose: if the user is concerned about the PIN and theft of the device, use an optional step requiring the iCloud password.
It doesn’t have to be all or nothing, but adding this extra step is no guarantee; the thieves will figure out another creative way. Bottom line, security of the physical device and keeping the passcodes/passwords safe is the user's responsibility.
You might have a concern, but unfortunately, it is by design that the iCloud password can be changed using a trusted device’s passcode. This is also likely the future of how we log in and access more and more services, so the lesson is to protect your device passcode.
 