
OSXphoto

macrumors 6502
Dec 23, 2013
274
89
So thinking along Apple’s “convenience focused” guidelines, what will happen when you forget your Apple ID password and lose both/all of your YubiKeys, but still have your iPhone? Will Apple allow you to reset it with just the passcode? If so, the thieves are in luck. Or has Apple raised the security threshold for YubiKeys specifically and only allows account recovery in such a case?
 

OSXphoto

macrumors 6502
Dec 23, 2013
274
89
As a security key (such as a YubiKey) only replaces the 2FA 6-digit code, I would expect it not to mitigate the issue because there is no 2FA requested to reset the Apple ID with the passcode.
 
  • Like
Reactions: onenorth

jaytv111

macrumors 65816
Oct 25, 2007
1,028
874
Using Screen Time / Content Restrictions to prevent the device passcode and Apple ID password from being changed is not a viable solution. It can be easily bypassed without needing the iCloud password by going to Settings > Security and Privacy > Emergency Reset or Safety Check, which allows you to immediately reset both the device passcode and iCloud password once you've verified with Face/Touch ID or the current device passcode (which the attacker presumably has).


Solution

My iCloud account is secured with hardware security keys (Yubikeys). It is not possible to reset my iCloud account password, either via the normal way (Settings > Apple ID > Password and Security > Change Password) or via Emergency Reset / Safety Check, unless both the Yubikey is presented and the old iCloud password is entered.

So if you want to prevent yourself from falling prey to the same attack as OP, you will need to secure your iCloud account with hardware security keys.
I'm pretty sure they can take USB/NFC security keys off an iCloud account if they know the passcode (just like with alphanumeric recovery keys, which can be reset with passcode). The security key was an upgrade to recovery keys so you don't have to type in a code (and can't be phished of the recovery key) but it isn't meant to prevent a passcode-using device from modifying iCloud settings.
 

SC54HI

macrumors member
Mar 7, 2012
67
18
Following this thread with great interest. Thanks to all who have weighed in with good comments & suggestions. My best to the OP and I am glad that you seem to be regaining control of your digital spaces. For now, if I am reading things correctly, there are no surefire ways to avoid this trauma. You can only reduce the chances of harm by using Face ID & AW and avoiding the exposure of your passcode to criminal eyes. Clearly, more could be done to make it difficult to access account information and Apple should be offering more optional security measures for those who want them.

Somewhat relevant anecdote: I upgraded to a new iPhone recently and stupidly forgot to deal with Google Authenticator before wiping the old one. I have managed to rectify the situation by dealing with the affected accounts one by one, adding them back into GA. You can do this by turning off 2FA for each account and then resetting it. The exception is the US federal government login.gov account which won't allow this. You have to delete your old account, wait 24 hours, and then create a new account, adding GA at that time. I have no problem with this and I bet many here wouldn't either. Would a similar type of mandatory delay help prevent criminal access to iCloud & other accounts?

A question: is GA better or worse than Authy? I already use DuoMobile for access to university accounts and would prefer to keep that as the only use -- that app has its issues, too, but no choice there.
 

4389842

Cancelled
Jan 7, 2017
179
267
I used a 6 digit pin. Perhaps I could have used 12 digits, but I didn’t know about this huge security flaw.

They got it via a secret camera located by the card machine.

Police are now fully on to this in my locality.
It is not a flaw: even the strongest encryption is useless if you disclose the secret.

You have unwillingly disclosed that secret but it is not a flaw.
 
  • Like
Reactions: jonblatho

onenorth

macrumors 6502a
Sep 15, 2021
622
841
I'm pretty sure they can take USB/NFC security keys off an iCloud account if they know the passcode (just like with alphanumeric recovery keys, which can be reset with passcode). The security key was an upgrade to recovery keys so you don't have to type in a code (and can't be phished of the recovery key) but it isn't meant to prevent a passcode-using device from modifying iCloud settings.
Correct. Apple says the hardware keys are to prevent phishing (external) attacks.

Here we are talking about a very specific issue, which is if someone steals both your device and passcode and then uses those in combination to defeat the Find My/lost device functions. It is a small but significant loophole in security, especially for a device that is so often used in public and has access to so much critical information.
 

Night Spring

macrumors G5
Jul 17, 2008
14,885
8,055
It is not a flaw: even the strongest encryption is useless if you disclose the secret.

You have unwillingly disclosed that secret but it is not a flaw.
I'd say it's a flaw. It's like if you lose your car keys and someone picks them up, they get to access all your bank accounts. If you knew that, you'd guard your car keys more closely. But if you aren't aware that your car keys give access to your bank accounts, you'd be less guarded, thinking losing your car keys will at most cause you to lose your car.

At some point, Apple changed the iPhone security setup so it became possible to grab all your digital life from only knowing your iPhone passcode plus having physical possession of the iPhone. Then they didn't let everyone know this is the case. I'd call that a big flaw.
 

russell_314

macrumors 604
Feb 10, 2019
6,671
10,271
USA
As a security key (such as a YubiKey) only replaces the 2FA 6-digit code, I would expect it not to mitigate the issue because there is no 2FA requested to reset the Apple ID with the passcode.
I was kind of wondering if a physical security key like a UK would change this behavior. I'm tempted to buy one just to test it.

It's crazy how this topic has over 500 replies and this isn't the only thread with the exact same topic. I know there's another one with at least 250 replies, but it probably has more now.

I can summarize all these replies into three categories:

You're holding it wrong. These are the replies saying that, regardless of what Apple does, it's right and you're doing something wrong if it's broken.

Of course it's terrible, it's Apple.
These are the replies that, regardless of what Apple does, are going to say it's bad.

Maybe we could do this another way.
These are the replies that say, well, I can see the problem and I bet there's some way we can fix this. I feel this is the most constructive, because fixing this, if done correctly, will solve this problem with minimal impact on the user. Of course, anytime you add security, there is some impact. Just having your phone locked is adding to the difficulty of using it.


What has me excited is the fact that this is getting so much attention, so Apple is clearly aware of this. I don't believe they're just going to ignore this completely. I think if they do that it's going to get much worse as more criminals become aware of this exploit and actively use it. This is going to encourage criminals to rob people of their iPhone, and eventually someone will get seriously hurt or killed. Apple doesn't want that news story in the press. This is why they're holding on to activation lock with everything they have. There are a lot of people against activation lock, because that means stolen phones aren't being reused, thus a negative environmental impact. Apple has determined that an increase of negative publicity about iPhone thefts is worse than the environmental impact.
 
  • Like
Reactions: Night Spring

frqunzfltr

Cancelled
May 5, 2023
58
82
This is something that has bothered me for years. But this is a typical Apple-thing. Eventually they have to act and make changes to the process.
 
  • Like
Reactions: HarryMudd

OSXphoto

macrumors 6502
Dec 23, 2013
274
89
Solution

My iCloud account is secured with hardware security keys (Yubikeys). It is not possible to reset my iCloud account password, either via the normal way (Settings > Apple ID > Password and Security > Change Password) or via Emergency Reset / Safety Check, unless both the Yubikey is presented and the old iCloud password is entered.

So if you want to prevent yourself from falling prey to the same attack as OP, you will need to secure your iCloud account with hardware security keys
To all in this thread: have you read this?
@melusine : did you in fact go all the way trying either or both “Settings > Apple ID > Password and Security > Change Password” and/or “Emergency Reset / Safety Check”, and did you always hit the security key (YubiKey) wall?
 

russell_314

macrumors 604
Feb 10, 2019
6,671
10,271
USA
This is a classic case of victim blaming.
I agree with you in the sense, but I also feel the victim is partly responsible because they failed to secure the information. Even if the victim is partly to blame, this does not negate the fact of this being a problem.

On one hand, you can blame the victim because perhaps something they did contributed to the crime, but on the other hand, if you can make it safer, then that's the ideal situation. Computers have protection against malware and viruses. If every user was smart and didn't do risky stuff, then this wouldn't be needed. We still have it because the ultimate goal is to keep people safe.
 

melusine

macrumors newbie
May 5, 2023
9
5
I am interested in doing this but just read the Apple article about security keys, which includes this:

"To stop using security keys: Open the Settings app, tap your name, then tap Password & Security. Tap Security Keys, then tap Remove All Security Keys. If you remove all security keys, your Apple ID reverts to using the six-digit verification code for two-factor authentication."

Can you test on your Yubikey device whether you are prevented from turning off the security keys by something the thief won't know?

Thanks

I tried removing all my security keys at once from that screen, and it asked for my Apple ID password before allowing me to proceed. Same for adding a new key or removing individual keys. So I guess it's safe because the thief will only know your passcode and not your Apple ID password. Obviously this means you can't save your Apple ID password in iCloud Keychain or Notes and will have to actually memorise it.

Separately, I also note that Screen Time can protect that page from being accessed completely (under Content and Privacy Restrictions, disallow Account Changes, and Apple ID settings will be greyed out entirely) if one needs another layer of protection, but it's not really necessary.
 

melusine

macrumors newbie
May 5, 2023
9
5
To all in this thread: have you read this?
@melusine : did you in fact go all the way trying either or both “Settings > Apple ID > Password and Security > Change Password” and/or “Emergency Reset / Safety Check”, and did you always hit the security key (YubiKey) wall?

Yes.
 

onenorth

macrumors 6502a
Sep 15, 2021
622
841
A lot of the time, the victim is at fault.
This isn't the same as leaving your wallet or keys out for grabs. Apple has provided a fair amount of assurance via Find My and other security techniques that we should be ok if the phone is stolen. And that leads to complacency. Really, the only way to deal with this is to never use a smart phone in public. That's not a reasonable expectation. The user is taking reasonable steps to prevent theft, but it still happens.
 
  • Like
Reactions: Night Spring

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
This isn't the same as leaving your wallet or keys out for grabs. Apple has provided a fair amount of assurance via Find My and other security techniques that we should be ok if the phone is stolen. And that leads to complacency. Really, the only way to deal with this is to never use a smart phone in public. That's not a reasonable expectation. The user is taking reasonable steps to prevent theft, but it still happens.

I disagree with your premise about what Apple claims. Another poster had it right earlier. The premise of a secret code is that you keep it a secret. If you don't, all bets are off.

Don't get drunk around others! Don't advertise your phone's passcode around others! It's common freaking sense!
 
  • Like
Reactions: 4389842

onenorth

macrumors 6502a
Sep 15, 2021
622
841
I agree with you in the sense, but I also feel the victim is partly responsible because they failed to secure the information. Even if the victim is partly to blame, this does not negate the fact of this being a problem.

On one hand, you can blame the victim because perhaps something they did contributed to the crime, but on the other hand, if you can make it safer, then that's the ideal situation. Computers have protection against malware and viruses. If every user was smart and didn't do risky stuff, then this wouldn't be needed. We still have it because the ultimate goal is to keep people safe.
This issue includes situations where the owner took reasonable steps to secure the information and it still was stolen. Apple insists on having you enter your passcode at random times even when you have Face ID set up, so it contributes to the problem. I know that if I pick up my phone a few times, such as walking around my house, and it wakes up but fails to validate my face each time, eventually it defaults back to passcode. I don't know how many failed attempts it takes but it is not too many. And even with my Apple Watch on, it doesn't always unlock the phone - only when it sees enough of my face to know it is someone's face but not enough to validate it.
 
  • Like
Reactions: Night Spring

onenorth

macrumors 6502a
Sep 15, 2021
622
841
I disagree with your premise about what Apple claims. Another poster had it right earlier. The premise of a secret code is that you keep it a secret. If you don't, all bets are off.
All bets are off is too harsh a punishment. The technology exists to mitigate this. Apple has not done enough.
 

dmr727

macrumors G4
Dec 29, 2007
10,668
5,767
NYC
Settings
iCloud
Password and Security

Turn two factor authentication on.

Then edit the trusted phone numbers so that the device you want to protect is not listed among them.

It's funny - this seems like such a no-brainer, but I never thought to do this. Done!

Sorry to the OP that you're having to deal with this, but thank you for detailing out the issues, even if it means taking some abuse. I don't care how security savvy someone thinks they might be, it's always a good idea to think it all through from time to time to see if anything obvious is being missed.
 
  • Like
Reactions: monstermash

onenorth

macrumors 6502a
Sep 15, 2021
622
841
I disagree with your premise about what Apple claims. Another poster had it right earlier. The premise of a secret code is that you keep it a secret. If you don't, all bets are off.

Don't get drunk around others! Don't advertise your phone's passcode around others! It's common freaking sense!

Even if you have Face ID set up, sometimes the phone still requires a passcode. That shouldn't happen as easily as it seems to. Apple can fix this if they choose to. There are many possibilities. But the current way of doing things is not sufficient.
 
  • Like
Reactions: Night Spring

onenorth

macrumors 6502a
Sep 15, 2021
622
841
Settings
iCloud
Password and Security

Turn two factor authentication on.

Then edit the trusted phone numbers so that the device you want to protect is not listed among them.
I'm not convinced that this is a complete solution. Any device signed into the same Apple ID will be a trusted device, even if it doesn't have a phone number.
 
  • Like
Reactions: Puonti

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
Even if you have Face ID set up, sometimes the phone still requires a passcode. That shouldn't happen as easily as it seems to. Apple can fix this if they choose to. There are many possibilities. But the current way of doing things is not sufficient.

I would not know. I don't use FaceID. Probably because it seems like such a PITA.
 