
TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
It seems there is a security flaw here that allows changing the iCloud password with only a PIN code, even when 2FA is enabled.
That’s not a security flaw. That’s how it was designed. Remember the big hue and cry about people forgetting passwords and wanting to reset through PIN/2FA. And it’s a flaw when you disclose the PIN and lose the device.
 

Cunir

macrumors regular
Nov 25, 2021
193
223
I haven't seen it in this thread and maybe it's buried but there is a 'screen time' setting that will not allow an iCloud Password change without... entering your OLD iCloud password first.
I've seen a couple of people mention this, but I can't find the setting anywhere on my phone/iPad. Does anyone know where it is?
 

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
A simple prevention would be to require a key code to change passwords.

It would add relatively little to the cost of the device and solve the issue of people changing the password illicitly.

Include the code in the box with the phone. Kind of like how some locks come with a key code used to order a replacement key or cut a replacement key. Alternatively, allow the user to specify a key code when the device is set up (a bit more effort on Apple's part).

The key code would be required to change the existing password or factory reset the device. It could also be used to initiate locking out the device remotely, whenever it makes a network connection.

I can see people whining "what if you lose the code?" I say, you know what? You need to have SOME personal responsibility in your life. This is one of those times. Lose your key code and you just can't change your password anymore. Too bad for you. For people DUMB ENOUGH to store the code on their device, I say too bad, you can't fix stupid.

Most people never change their device password anyway. It would be a minimally intrusive method to stop the kind of thing the OP is complaining about.
 

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
A simple prevention would be to require a key code to change passwords.

It would add relatively little to the cost of the device and solve the issue of people changing the password illicitly.

Include the code in the box with the phone. Kind of like how some locks come with a key code used to order a replacement key or cut a replacement key. The key code would be required to change the existing password or factory reset the device. It could also be used to initiate locking out the device remotely, whenever it makes a network connection.

I can see people whining "what if you lose the code?" I say, you know what? You need to have SOME personal responsibility in your life. This is one of those times. Lose your key code and you just can't change your password anymore. Too bad for you. For people DUMB ENOUGH to store the code on their device, I say too bad, you can't fix stupid.

Most people never change their device password anyway. It would be a minimally intrusive method to stop the kind of thing the OP is complaining about.
Apple is just gonna say to use an alphanumeric password with special characters if you want additional layers of security. It’s already built into the system as an option.
 

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
Apple is just gonna say to use an alphanumeric password with special characters if you want additional layers of security. It’s already built into the system as an option.

Oh, I was not claiming that Apple would implement this solution. Not really their problem if you give someone your password (intentionally or otherwise).

Nevertheless, just relying on a complex password doesn't prevent someone who knows your password from changing it. My solution does.
 
Reactions: cdsapplefan

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
Yes, and use special characters too. But at the end of the day, don’t disclose your passcode/PIN out in the open. I am just thankful for Face ID and AW as backup if Face ID doesn’t work.
Maybe this will bring more Apple Watch orders for the company if you can authenticate with Apple Watch and not just the passcode as a backup. Apple is not lacking on watch orders. I may buy a Watch SE, but not for this purpose. It’s a nice feature to have though because the watch is on you most of the time. I say they should add the AirTag as an authentication as well.
 
Reactions: TechnoMonk

Mike Boreham

macrumors 68040
Aug 10, 2006
3,916
1,900
UK
I haven't seen it in this thread and maybe it's buried but there is a 'screen time' setting that will not allow an iCloud Password change without... and follow me, it gets complex here... Entering your OLD iCloud password first.
I know.

I know, WAY too difficult for Apple to implement, that when changing the OLD password you have to enter that First.
There will be a lot of 'but what if you forgot...' - well then call Apple, but with the number of these thefts, and this GAPING security hole I think that would be an EASY and QUICK solution to protect 'users' that Apple is so fond of doing, while adding only a small amount of work for those who Truly forgot their iCloud password and need it reset to talk to Apple first, instead of entering a 4-6 digit PIN.
Or how about being able to authenticate with another trusted device? Don't have the old password, just log in to another device; most Apple users have an iPad, Mac or MacBook that would not be stolen at the same time.. or use a trusted contact if the old password needs to be reset. Apple set that up a while back too, which could easily curb this and also allow simple password reset in the cases it needs to be.

Screen Time passcode is NOT a solution.

https://forums.macrumors.com/thread...p.2388366/page-15?post=32142508#post-32142508
 
Reactions: chrfr and Brad7

Smoovejayy

macrumors 6502
Jan 20, 2012
380
258
I’ve been following this thread for days and this has scared me enough to change the passcode on my phone from six digits to alphanumeric. Also told my partner.

It’s crazy that your passcode can unravel all your secrets in the Apple ecosystem.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
Maybe this will bring more Apple Watch orders for the company if you can authenticate with Apple Watch and not just the passcode as a backup. Apple is not lacking on watch orders. I may buy a Watch SE, but not for this purpose. It’s a nice feature to have though because the watch is on you most of the time. I say they should add the AirTag as an authentication as well.
I rarely carry or use my wallet. I use a card at Costco gas, Home Depot and a rare trip to Kroger or Walmart. I pretty much use Face ID 80% of the time, and tap the AW for Apple if I can’t use Face ID, mostly in bars and restaurants where the card reader is usually behind the counter.
 
Reactions: Brad7

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
I’ve been following this thread for days and this has scared me enough to change the passcode on my phone from six digits to alphanumeric. Also told my partner.

It’s crazy that your passcode can unravel all your secrets in the Apple ecosystem.
You would be surprised what can unravel if you lose the password of a system. A lot of hacks at the enterprise level happen with ex-employees, or social engineering passwords.
 
Reactions: Brad7

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
I’ve been following this thread for days and this has scared me enough to change the passcode on my phone from six digits to alphanumeric. Also told my partner.

It’s crazy that your passcode can unravel all your secrets in the Apple ecosystem.
Yes, better to be safe than sorry. This situation can happen to anyone if you're not careful. The alphanumeric is hard to luckily guess or remember for a thief. You should also add special characters to the alphanumeric password as well to make it even more difficult for the thief.
 
Reactions: Brad7

Brad7

Cancelled
May 3, 2022
1,484
4,266
Even scarier is the fact that a criminal can simply delete our Face ID, and then every lock we previously had with Face ID can now be opened with the passcode. 😬

Furthermore, I just tested out the scenario of having to frantically log in to iCloud.com to put my iPhone in lost mode, and guess what that does? It sends a request to my iPhone (which the criminal has) asking to Allow or Deny the login. Once the criminal hits Deny, Apple conveniently asks them if they want to change the Apple ID password, and takes them directly to that page:

[attached screenshot: IMG_5824.jpeg]

No need to even put in the old password. Jesus Christ, Apple.
 

onenorth

macrumors 6502a
Sep 15, 2021
622
841
I take it you haven't interacted much with online forums. Every so often, there are people who post things that are untrue. And expend a great deal of time and effort doing so. Why would anyone do that? Who knows -- there are a lot of troubled people in the world. But "troll" posts happen often enough that people who spend lots of time on forums learn to be skeptical. Sorry you have to deal with the skepticism in addition to your problems with the theft of your phone and accounts. Hopefully, your measured and reasonable responses will help mitigate the skepticism.
I think a lot of the skeptics wouldn't know or acknowledge the truth if they stepped in it. But some of the "skeptics" are just trolls too.
 

onenorth

macrumors 6502a
Sep 15, 2021
622
841
Even scarier is the fact that a criminal can simply delete our Face ID, and then every lock we previously had with Face ID can now be opened with the passcode. 😬

Furthermore, I just tested out the scenario of having to frantically log in to iCloud.com to put my iPhone in lost mode, and guess what that does? It sends a request to my iPhone (which the criminal has) asking to Allow or Deny the login. Once the criminal hits Deny, Apple conveniently asks them if they want to change the Apple ID password, and takes them directly to that page:

No need to even put in the old password. Jesus Christ, Apple.
That's pretty bad.
 
Reactions: Matsamoto and Brad7

Smoovejayy

macrumors 6502
Jan 20, 2012
380
258
Yes, better to be safe than sorry. This situation can happen to anyone if you're not careful. The alphanumeric is hard to luckily guess or remember for a thief. You should also add special characters to the alphanumeric password as well to make it even more difficult for the thief.
Yep. I feel that I’m pretty security conscious as well (I enable 2FA for everything and try to use different passwords for everything, including symbols etc), but I think most of us don’t think about when we are entering our passcode in public.
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,677
3,222
Apple needs to implement a device master passcode and a regular passcode and also 3 security questions in order to change the Apple ID passcode/password.

It needs to be a complex passphrase, not a numeric passcode, but that would work too. The utility of security questions is mixed, because most of the information in them is easily available on social media or from previous breaches.

We can debate specifics, but I definitely agree that account-level alterations need to be subject to additional authentication and validation that's completely independent from the operational credentials.

Honestly, I was stunned that someone could remove the recovery devices without needing extra authentication. The logical recovery means should have been to have one of those be able to lock out the account and reset the Apple ID password.
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,677
3,222
That’s not a security flaw, it’s how passkeys work. Your device and its security (Face ID, Touch ID, device passcode) become the keys to the kingdom once you have logged into your iCloud account on that device. You already have authenticated access to your iCloud account by being able to successfully unlock the device. With authenticated access to your iCloud account, you can change the password.

The same is true when you log in to a Google account using a passkey.

I can’t help but feel a lot of people do not understand how passkeys work.

Think of your phone as the master key to your accounts. That’s how passkeys work. Passkeys will likely replace passwords/2FA in the future (and they are here now for iCloud and Google accounts).

Attackers will force the authentication system to fail back to a less secure and more easily bypassed method. Passkeys fail back to less secure methods (and what happens if you lose all your devices - in a fire for example - at once?). We still haven't solved the 'must know something' as the ultimate secret authenticator.

In this specific case, the problem is that the phone is secured by an easily compromised 6-digit passcode in most cases (especially if the 10 and wipe is turned off), so it's not really MFA anymore. It's a single hardware token that unlocks the world. There needs to be a two-level approach. For normal daily/operational use passkeys are fine. But to change the account, especially recovery methods, there needs to be a second non-operational authenticator to validate those changes.
 

Jamie's_Tech

macrumors regular
Sep 1, 2021
165
633
I am doubting a lot of this. Both my Barclays and NatWest bank accounts use Face ID. If Face ID fails or is disabled then a dedicated app passcode is required. This passcode is user set on both banks. My Barclays, NatWest and iPhone PINs are all different.

Surely someone so adept at online security wouldn't have the same PIN?
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,677
3,222
Apple is just gonna say to use an alphanumeric password with special characters if you want additional layers of security. It’s already built into the system as an option.

The issue is that is still less secure than my 32 character Apple ID password. I don't want my phone passcode to unlock my Apple life, because it will *always* be less secure than a password. That's because the device passcode has to be human-rememberable, and regularly enterable. My password isn't (thank you 1Password). Account level changes should not be allowed by an inherently less secure authenticator.
 

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
The password for my Mac is 31 characters. All my financial stuff is on an encrypted disk image that has to be mounted. The password on that is 29 characters. But to be fair, it's a lot easier to type on my Mac than my phone.
 

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
You know what would help a lot? If Apple required logging in to the iCloud website to change that password.

No real reason to allow it from the phone. Inconvenience would be minimal since most people never change it anyway (most likely).

For that matter...they could require that for a device password that is logged into an iCloud account too. That way, even if someone knows the device password, they wouldn't be able to change it without ALSO knowing the corresponding iCloud password.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
I am doubting a lot of this. Both my Barclays and NatWest bank accounts use Face ID. If Face ID fails or is disabled then a dedicated app passcode is required. This passcode is user set on both banks. My Barclays, NatWest and iPhone PINs are all different.

Surely someone so adept at online security wouldn't have the same PIN?
It’s a little dramatic case for sure. The Chase, Bank of America and US Bank apps don’t allow a PIN to bypass the login. They all require the password if Face ID doesn’t work.
It just says face not recognized and doesn’t give an option to override the password for bank accounts with the phone PIN.
 