Although Apple keeps improving iCloud Keychain’s interface and capabilities, if someone surreptitiously observes an iPhone user entering their passcode and then steals the phone, it is shockingly easy for the thief to change the user’s Apple ID password. With the new password, they can disable Find My, which makes it impossible for the iPhone’s owner to erase it remotely. Then they may use Apple Pay to buy things and access passwords stored in iCloud Keychain. They can even look in Photos for pictures of documents containing confidential information, such as credit cards and ID cards.
After that, they may transfer money from bank accounts, apply for an Apple Card and more, all while keeping the user locked out of their account. Typically, thieves would eventually resell the iPhone. (Apparently, Android users are susceptible to similar attacks, but Android phones have a lower resale value, so they aren’t being targeted as much.) Victims have reported thefts of tens of thousands of dollars, and many of them remain unable to access their Apple accounts.
We hope Apple addresses this vulnerability in iOS 17, if not before. At a minimum, Apple should require users to enter their current Apple ID password before allowing it to be changed, much as the company requires at the Apple ID website. Plus, Apple would ideally do more to protect access to iCloud Keychain passwords from a passcode-wielding iPhone thief. (The closest we have now is enabling a different Screen Time passcode, which can prevent account changes, but it blocks access to so many settings that most people will find it too annoying and turn it off. See below for our recommendation about how to turn it on!)
Even if you think the chances of someone observing you enter your passcode and stealing your iPhone are low, the consequences of a passcode theft are so severe that it’s worth taking steps to deter the malicious use of your passcode. With luck, you’re already doing many of these things, but if not, take some time to re-evaluate your broader security assumptions and behavior.
Always Use Face ID or Touch ID When Unlocking Your iPhone in Public
The easiest thing you can do to protect yourself from opportunistic attacks is to rely solely on Face ID or Touch ID when using your iPhone in public. This prevents a thief from watching you enter a passcode to use after stealing your phone.
We know people who avoid Face ID or Touch ID based on the misguided belief that Apple controls their biometric information, but nothing could be further from the truth. Your fingerprint or facial data is stored solely on the device, in the Secure Enclave, and it never leaves it; unlocking with biometrics is much more secure than passcode entry in nearly all circumstances, because there is nothing for a bystander to observe.
We’ve also run across people for whom Face ID or Touch ID works poorly—if that’s you, conceal your passcode from anyone watching, just as you would when entering your PIN at an ATM.
Use a Strong Passcode
By default, iPhone passcodes are six digits. You can downgrade that security to four digits, but don’t—that’s asking for trouble. You can also upgrade the security to an alphanumeric passcode that can be as long as you like, but that’s overkill, in our opinion. Video would still capture you entering it, and if you’re focused on entering it accurately, you’re less likely to be aware of someone shoulder-surfing behind you.
That said, make sure your passcode isn’t trivially simple. Basic patterns like 333333 and 123456 are far more easily observed or even guessed. There’s no reason not to use a passcode that’s memorable but unguessable, such as your high school graduating class combined with your best friend’s birth month.
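As an added illustration (not part of the original post), here is a small screening function for the trivially simple numeric patterns described above: a code shorter than the six-digit default, a single repeated digit, a sequential run such as 123456, a short repeated block such as 121212, or a code on a common-passcode list. The common-code list is a constructed sample, not a real leaked-passcode dataset.

```python
# Added example: flags the weak six-digit passcode patterns the text warns about.
# Assumes numeric passcodes only; COMMON_CODES is a small constructed sample.

COMMON_CODES = {"123456", "654321", "111111", "000000", "123123", "112233"}


def weak_passcode_reasons(code: str) -> list[str]:
    """Return the reasons a numeric passcode is weak (an empty list means it passes)."""
    reasons: list[str] = []
    if not code.isdigit():
        return ["not a numeric passcode"]
    if len(code) < 6:
        reasons.append("shorter than the six-digit default")
    if len(set(code)) == 1:
        reasons.append("single repeated digit")
    # Sequential run: every step between neighbouring digits is +1 (or every step is -1).
    digits = [int(c) for c in code]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(code) >= 4 and steps in ({1}, {-1}):
        reasons.append("sequential run")
    # Short block repeated to fill the code, e.g. 121212 (block 12) or 123123 (block 123).
    for block in (1, 2, 3):
        if block < len(code) and len(code) % block == 0 and code == code[:block] * (len(code) // block):
            if block > 1:  # a one-digit block is the repeated-digit case reported above
                reasons.append(f"repeated {block}-digit block")
            break
    if code in COMMON_CODES:
        reasons.append("on the common-passcode list")
    return reasons


if __name__ == "__main__":
    for sample in ("333333", "123456", "1998", "123123", "199806"):
        print(sample, weak_passcode_reasons(sample) or "ok")
```

A memorable but unpatterned code such as a year followed by a month passes this screen; the point of the check is only to catch the codes that are easy to guess or to recognise from a single glance.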
Don’t Share Your Passcode Beyond Trusted Family Members
Even those who don’t have motivated thieves targeting them need to be careful to protect their passcode. Our simple rule of thumb is that if you wouldn’t give someone complete access to your bank account, you shouldn’t give them your passcode. If extreme circumstances require you to trust a person outside that circle temporarily, reset the passcode to something they’ll remember and change it back as soon as they return your iPhone.
Delete Photos Containing Identification Numbers
Many people take photos of their important documents as a backup in case the original is lost. That’s a good idea, but storing photos of your driver’s license, passport, Social Security card, credit cards, insurance card and more in Photos leaves them vulnerable to a thief who has your iPhone and your passcode. With the information in those cards, the thief has a much better chance of impersonating you when opening credit cards, accessing financial accounts, and more. Instead, store those card photos—or at least the information on them—in your password manager.
Switch from iCloud Keychain to a Third-Party Password Manager
Having all your Internet passwords accessible to a thief who has your iPhone and passcode is unacceptable. Instead, we suggest you use 1Password, a third-party password manager. Even when a third-party password manager allows easier unlocking with Face ID or Touch ID (which 1Password does), it falls back on its own master password, not the device’s passcode, so knowing the passcode alone does not open the vault. After you move your passwords from iCloud Keychain to another password manager, be sure to delete everything from iCloud Keychain.
Additional Security Layer for Advanced Protection
As noted, if you want to protect access to your Apple ID further, you can enable Screen Time restrictions. This requires a separate four-digit Screen Time passcode. So, even if a thief manages to obtain your iPhone and your passcode, they cannot change your Apple ID password without also knowing your Screen Time passcode.
Turn on Screen Time
- Go to Settings > Screen Time.
- Tap Turn On Screen Time, then tap it again.
- Select This is My iPhone.
Set a Screen Time Passcode
- Go to Settings and tap Screen Time.
- Tap Use Screen Time Passcode, then enter a passcode when prompted. Re-enter the passcode to confirm.
- Enter your Apple ID and password. This can be used to reset your Screen Time passcode if you forget it.
- Store this in 1Password. (You are going to use 1Password, right?!?)
Restrict Access to Account Changes
- Go to Settings and tap Screen Time.
- Tap Content & Privacy Restrictions.
- Turn on Content & Privacy Restrictions at the top.
- Enter your Screen Time passcode.
- Scroll down to the ALLOW CHANGES section.
- Tap Account Changes.
- Tap Don’t Allow.
Note: You will need to know the four-digit Screen Time passcode if you ever change your Apple ID password.
Taking these steps will give you an extra layer of security and peace of mind.
arobasegroup has been consulting with clients and advising the best use of Apple Technology since 1998. We listen to our customers and solve problems by addressing their specific, unique needs; we never rely on a one-size-fits-all solution or require them to use a specific product. arobasegroup is your advocate in all things related to information technology. Contact us to learn how we can help: email@example.com.