Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Stolen iPhone - Criminals have full control and Apple cannot help!
- Thread starter danclara
- Start date
- Sort by reaction score
If apple allowed users to use a Yubikey for the device passcode it could solve a lot of these types of problems.
I've not tried this, but I wonder if adding an "alternative appearance", which is sometimes used to allow a partner to access someone's phone, would work with the banking apps.
settings > Screen Time > limit content and privacy > DO NOT allow changes on: changing code + changing account data > go back > set 4 digit PIN for SCreen Time. Done. Your iCloud is now greyed out + Face ID setting is not available on the list. Even though they know your 6-digit code - they can't lock you out from your iCloud without knowing your 2nd 4 digit code. BTW. don't ever type your 6 digit code in public... That's the main issue basically.
EDIT: oh, someone mentioned it on the 5th page already.
EDIT: oh, someone mentioned it on the 5th page already.
Last edited:
As mentioned many times, setting a Screen Time pass code doesn't work, because Screen Time passcode can be turned off with the phone PIN (by going down the forgot password route).
Try it for yourself as detailed in this post.
But you assumed that the thief also knows our Apple ID email. Of course he can open Mail or Gmail and try 1 of the email accounts which is in most cases also used in these apps. But what if it's not?
EDIT: HAHA! if you enable Advanced data protection in your iCloud and click in Screen Type code recovery "I don't remember Apple ID or password" - then it wants to provide 28-digit Advanced Data Protection code. But if you don't click it and simply provide Apple ID email + then 6 digit code - FROM HERE a Thief is able to change iCloud account password..... WTFFFFFFFFF I just dit it and it changed my entire iCloud password. Apple... you need to work harder xD
Last edited:
Yes correct, but as you say, the Apple ID email is probably easy to discover. I think it would be extremely inconvenient not to use the Apple ID email as an active mail account on the device.
If the thief does not find the Apple ID email and clicks "forgot Apple ID" (not 'forgot password) when asked the Apple ID details, it starts down a recovery route which I think will take some time, and may delay the thief long enough to take other steps.
Thanks I didn't know that. I think it is only available in US at present anyway.
Nope, other countries than US are also able to set this up on their iPhones. I'm from Poland and I'm able to set up Advanced Data Protection in my iPhone iCloud settings without any problem.
Turns out that recovering the code of Screen Time function gives the possibility of what the function should guard against, which is changing the iCloud password... That's VERY unexpected behavior... I created a "Report a security or privacy vulnerability" to Apple. Maybe they will fix it after 5 years ;D
So why it requires to put 4 digit code to go through locked items? Because it kind of is a security feature. Small but still does some job. As you can read here - it almost prevents thiefs knowing 6-digit passcode to lock you out from your iPhone completely. If only they had anticipated all the possibilities when designing ;D
That's a good approach. Of course, if you use the keychain, while the passcode doesn't authenticate you on your banking app, a thief can access your keychain with your lock screen passcode....and then get into your bank.
And alas 2FA doesn't solve it because that SMS goes......right to your phone, and you can access your 2FA with that same Lock Screen passcode.
And if you got a little fancy and used email for your 2FA, that doesn't solve it either, since your Lock Screen passcode also opens your email there on your phone.
I guess the simple solution, until Apple stops forcing users to use the same passcode for the Lock Screen as for keychain as for almost every other OS level change on the phone is to not use keychain?
Yeah, I agree, Apple could mostly close this loop by allowing a different authentication be used for keychain versus the Lock Screen.
My concern about FaceID was a little different.
If FaceID allows access to your banking app, a thief doesn't need your special banking PIN to use your banking app.
They just need to go into Settings on the phone, and add their face to your phone. And all they need for that is the same screen unlock passcode they already have!
Then they back out to the banking app, and it lets them in with their face! They never needed your special banking app PIN.
Or at least that is how my bank's app works.
But this, luckily, is NOT required by Apple. That is, Apple allows the creators of the banking app to lock out all Face ID is the app notices that someone has added a new face to the phone's OS. That way, a thief cannot just add their face to the phone and use it to unlock an app that allowed use of the FaceID.
In such a scenario, the first time you try to use your banking app AFTER someone has added a FaceID to the OS, the banking app says "Nope sorry you need to use your app specific password before you can re-enable FaceID authentication as an option." Now, THAT is a smart way to code the app.
And I am sure glad option makes that an OPTION for app developers!
But it is not a mandatory feature, and, as I say, my banking app doesn't do that!!! So it actually means using my bank on a web browser may be more secure, or not using biometrics at all, or something like that.
Yes, it's shown for example under Settings / Family and the profile view in the Apple Store app. There's no guesswork involved either, because these locations specifically show the Apple ID address and nothing else.
Yeah and any security setup that relies on obfuscating the username is flawed from the start, anyway.....even if it would be a nice bonus. I hate web sites that require email for the username. Allowing use of a random, user generated username is a nice bonus layer of hassle for hackers, I am told. It doesn't thwart a targeted attack, but it lowers the odds of a drive by being successful.
Agreed. It also shows up in the Apple TV app.
Screen Time locks are not a solution to this problem. The Apple ID is easy to find.
While nice in theory, think about the general iPhone user.
If they have to jump through hoops, and why most still have default Apple Settings, they ain't gonna use it.
True, but at least having the OPTION to choose better security would be nice. At present, Apple doesn't even let the user choose to use a Yubi key that way.
Depending on what you are trying to do, you may be able to use the iCloud or Apple ID website, or have a code sent to another phone number (including landlines).
True...But for the more security conscious of us - think of the convenience and increased safety of only needing to tap your phone to your pocket or keychain with an NFC key - no passcode to enter, much quicker AND safer.
Last edited:
A positive about the notoriaty that this generated is that I've briefed my family to be more aware of your surroundings with a number of recommendations. Use longer alphanumber pass codes. In public venues be careful about entering your passcode. Use a screen time password to lock out certain features in case your phone is hijacked from your hands. Use a mail client such as outlook at can be set for requiring face id. Secure face id to require attention awareness. Also if desired, use an apple watch.
Security questions are a joke.
I still think one code to unlock device and another to change or view selected items (if turned on).