Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Stolen iPhone - Criminals have full control and Apple cannot help!
- Thread starter danclara
- Start date
- Sort by reaction score
I set up my phone with two YubiKeys. Then locked the phone, unlocked it, and removed the YubiKeys. All I had to do was enter my passcode to remove the keys. I’ve done this twice just to be sure. I’m running the latest iOS.
I have YubiKeys registered on my account, but it is letting me change my password through Settings -> Apple ID -> Password & Security -> Change Password without any challenge, other than the device PIN. I didn’t have to remove the YubiKeys. What am I missing?
Yubikeys are not meant to secure the account from passcode change etc. The keys are setup to authenticate the validation of a new device account.
There is no way to secure one's account further. Apple will need to implement an OS update to allow for stronger account security.
I didn't think so, but the last few posts above are claiming it prevents password changes.
That would be a good way to solve this problem.
That is not entirely accurate (re: previous posts). The best we can do at this point is have a strong alphanumeric passcode, not enter the passcode in public, secure apps with Face ID, and make sure erase phone is toggled on (re: failed passcode attempts).
Don't waste your money on a YubiKey for this purpose. I just tested it, and changed my own password without needing it. There is no prompt asking for it.
Also, Apple makes it super convenient for the criminal when he’s changing your password because it asks if he wants to sign you out of all other devices to completely lock you out. Not only has he taken over your account but all your other Apple devices are activation locked so you can't use them either 🤦♂️🤣
It was worth a shot though
Also FYI, the same vulnerability exists on macOS so be careful when typing in your Mac password
All of the latest security schemes combine something you have (device) with something you know or are (password, PIN, fingerprint, etc.). This works fine for desktops and laptops but as not well for mobile devices that are frequently unlocked in public places where someone can surreptitiously obtain the "something you know" part and then steal the device (which is easy). So for mobile devices something else needs to be done.
Biometrics are good because it avoids the situation where you have to type something in. But they don't always work. The best solution for now is to avoid entering your passcode in public if at all possible. But there are 1.5 billion iPhone users around the world and there is no way that everyone is going to be that diligent about it. So blaming victims of device and passcode theft for not being responsible enough about security is absurd, especially if they have done everything else they could, such as using strong PINs and enabling 2FA.
I've got my phone locked down in every way I can think of but if someone gets my phone and passcode they could still do a lot of damage because I can't completely erect a firewall for my email, iMessage, iCloud, Apple Store, Apple Wallet, etc.
There is no way to prevent someone with the device and passcode from doing harm especially within the first few minutes before the owner can remotely lock the device. I don't know what the best solution is but there's got to be a better way to deal with this situation.
Biometrics are good because it avoids the situation where you have to type something in. But they don't always work. The best solution for now is to avoid entering your passcode in public if at all possible. But there are 1.5 billion iPhone users around the world and there is no way that everyone is going to be that diligent about it. So blaming victims of device and passcode theft for not being responsible enough about security is absurd, especially if they have done everything else they could, such as using strong PINs and enabling 2FA.
I've got my phone locked down in every way I can think of but if someone gets my phone and passcode they could still do a lot of damage because I can't completely erect a firewall for my email, iMessage, iCloud, Apple Store, Apple Wallet, etc.
There is no way to prevent someone with the device and passcode from doing harm especially within the first few minutes before the owner can remotely lock the device. I don't know what the best solution is but there's got to be a better way to deal with this situation.
This is why Apple needs to stop letting the passcode be the key to everything on the phone. Separate authentication methods (at least other passcodes) need to be in place for unlocking the phone screen versus changing account settings, spending money, etc. I'd love to have a biometric lock on my email -- and one that IF a new biometric has been added to the phone, the next time I try to use my biometric unlock of my email I am ALSO required to enter a unique specific passcode (eg, the 1Password app functionality) for the app that is DIFFERENT from my unlock passcode.
I'm not too hopeful though since even my bank's app doesn't get this right.
That is quite strange. I wonder why it only needs the device passcode on your device to remove the Yubikeys but requires the Apple ID passcode on mine. I don't recall enabling any special setting. I've attached a screenshot as proof.
Does the type of device matter? I'm using an iPhone 14 Pro Max for what it's worth. Not that there's any logical difference for it to differ between devices but who knows.
Attachments
I am not sure. Do you have two factor authentication turned on?
I also have a recovery key set up on my phone (iPhone 14 Pro with latest iOS). This allows me to recover my Apple ID account using either my passcode or the 28-character recovery key. So the recovery key is not needed if the passcode is known. I also have iCloud Advanced Data Protection turned on and I've disallowed passcode changes in Screen Time.
Two-factor authentication is turned on in my account and there is no way to disable it.
I don't have a recovery key. I used to have one, but the setting turned itself off once I first registered my Yubikeys on my Apple ID and I just assumed it was because using Yubikeys for account recovery is more secure or something.
I don't have iCloud Advanced Data Protection enabled.
I disallowed passcode changes in Screen Time as well.
Seems like the main difference between our accounts is presence of a recovery key (I don't think iCloud Advanced Data Protection is relevant). I'm basing this solely on what you have mentioned only, but it seems like account recovery can be done with either the 28-character recovery key or the device passcode if a recovery key is set up — could that be why it asks for your passcode instead?
It asks for the Apple ID password first. What bypass options do you get if you choose the "Forgot password" option?
It first asks for my phone number (just to verify that it's correct, I don't actually receive any OTP via SMS).
Then once I key in the correct phone number, it sends a password reset approval notification to all my other devices that are signed in with my Apple ID.
I ignored the notifications on my other devices, and I selected the option that says that I can't access any of my other devices.
Then it asks me to present my hardware security keys instead. If I select the option that says that I don't have my keys, it tells me that I can learn how to use my other devices to reset the password (which just leads to a help page), stop resetting my password, or cancel (the 2nd and 3rd options are basically the same). There is no other option or bypass available.
Attachments
I don't think the Advanced Data Protection is relevant either, but I'm not certain since by turning it on Apple says I'm on my own for recovery now (account recovery is turned off). That might enable device passcode authentication, but again, I'm not certain how all of these settings interplay.
When I add the YubiKeys, it does not turn off my recovery key. And I don't think it should, at least not without letting me know. Turning off the recovery key usually reverts to trusted device authentication using the six-digit codes.
I think the recovery key option, which allows account recovery using the 28-character key or the device passcode, might be the difference here.
Oh it did let me know, which is why I'm aware that my recovery key was no longer in use. I can't recall what the exact wording and options were because it was quite some time ago, but I'm fairly certain that I didn't have a choice in the matter (or maybe I did and I chose to turn it off, but I honestly can't remember).
Ever since I registered the Yubikeys (and the recovery key got turned off), I'm never asked for six-digit codes on any of my other devices (or via SMS) anymore. If I want to sign in using my Apple ID on a new device or browser, I must present the key on that device or I simply cannot sign in. No ifs or buts.
That seems like the way it should work for new devices or browsers.
I was hoping that the YubiKey would prevent someone from changing my Apple ID password without the YubiKey.
But it seems like if someone steals my device and passcode, they can simply remove the YubiKeys with the passcode, which defeats the purpose of the YubiKeys.
Maybe I have too many recovery options turned on. I am not using the YubiKey right now because it's not compatible with iCloud for Windows. But maybe I should choose one and only one recovery method. I haven't figured this out yet.
Thank you both for your efforts. The takeaway is there may be some potential in the ubikeys. We will only find out after getting our heads around the configuration options.
@onenorth : member @melusine clearly states that in his / her configuration, the ubikeys cannot be removed by using only the passcode and also the icloud password cannot be reset by only the passcode. Both actions require the ubikey/icloud password. All I am getting at here is that apparently at least one configuration exists that meets our requirements.
@onenorth : member @melusine clearly states that in his / her configuration, the ubikeys cannot be removed by using only the passcode and also the icloud password cannot be reset by only the passcode. Both actions require the ubikey/icloud password. All I am getting at here is that apparently at least one configuration exists that meets our requirements.
This could be pivotal. Apple may consider as follows:
with the 28-character recovery key activated, the account holder isn’t eligible for account recovery by Apple, so the only way to access the account is by remembering the icloud password (and by using the yubikey for 2FA). So what if the user messes up and loses one or the other? Permanent account lockout, which Apple may feel is too strict a policy, so in configurations with ubikey and 28-character recovery key, they apply fallback to passcode enabled icloud password reset.
Does this scan?
Also, let us not forget that these policies may well change from one iOS version to the next. So even if we follow this through until we have a viable solution, it could all fall apart at apples will in one of the upcoming updates.
It would be refreshing to be able to talk to someone at apples design team about this, but of course that is out of the question.
In the mean time I’ll just get one of those lanyard compatible iPhone cases and tie the phone to my jacket when Im off to the bar.
It would be refreshing to be able to talk to someone at apples design team about this, but of course that is out of the question.
In the mean time I’ll just get one of those lanyard compatible iPhone cases and tie the phone to my jacket when Im off to the bar.
Seems possible although the passcode seems to be the default not the fallback.
I am sticking with the recovery key since YubiKey is not compatible with iCloud for Windows and I still use iTunes on my PC. I remember another poster in another thread a couple of months ago also saying that the YubiKey prevented password changes so I was surprised when I saw that I could just remove the keys with my passcode. Probably it's because I have the recovery key and that setup overrides everything else.
I would be interested to read any white papers on the subject of Apple security, although you're right that it could all change again in iOS 17 or some future update. I just noticed that the YubiKeys I had already set up in Google were not working since I turned on passkey. I had to delete them and add them back under the passkey setup screen. Google has many recovery options and I've been thinking that we need to pick just one or two and not try to use all of them because there could be adverse interactions between them.
With my banking apps, the phone passcode won't get you into it. If Face ID fails it gives you the option to use the password for your online bank (Not your Apple password) and with the other it gives you an option for a PIN, but it's not the same or related to the passcode for your iPhone.
However, if you're like me you probably also access your bank account in the browser so if your account passwords are saved on your iPhone and they take over your Apple account, they have all your passwords. This isn't a security flaw in the banking app, but rather a security flaw in Apple's operating systems.