
Apple's New iPhone Security Setting Keeps Thieves Out of Your Digital Accounts (theverge.com) 19

According to the Wall Street Journal, Apple is including new Stolen Device Protection in iOS 17.3 that requires authentication through Face ID or Touch ID to perform certain actions. The Verge reports: The new feature appears to come in response to the concerns raised in previous reports by The Wall Street Journal describing how thieves watch their victims type in their iPhone passcodes and then steal their devices. This gives thieves access to a trove of personal and financial information stored on the device, allowing them to lock victims out of their iCloud accounts and spend thousands of dollars using saved payment information.

If you opt in to the feature, you would have to verify your identity with face or fingerprint biometrics when doing things like viewing your saved passwords in iCloud Keychain, applying for a new Apple Card, factory resetting your device, using saved payment methods in Safari, and turning off Lost Mode. This way, thieves wouldn't be able to steal your information even if they have your phone and the passcode.

For even more sensitive actions, like changing your Apple ID password, changing your iPhone passcode, or turning off Find My, the new Stolen Device Protection feature adds an additional hurdle if the device is somewhere other than locations you often frequent, like at home or in the office. It requires you to not only verify your identity with Face ID or Touch ID but also wait one hour and then repeat the authentication process again.

  • I gotta tell you - remember that "Mac versus PC" ad years ago where they made fun of all the Windows pop-ups asking you whether process A should be given access to service B? That sort of thing happens on Macs and iPhones all the bloody time now.

    • by Kisai ( 213879 ) on Tuesday December 12, 2023 @10:12PM (#64077801)

      Things would be a whole lot more simple if people didn't want to do crimes, wouldn't it?

      Simply knowing that a stolen phone is useless is enough to dissuade all but the dumbest opportunistic thieves.

      You know all the right-to-repair shit? Wouldn't be a thing either if stolen phones aren't a source of chop-shop parts.

      The entire problem is that it's "too easy" for the operator of the phone, or someone near them to steal it or socially engineer them into doing something stupid with it.

      Like imagine if there was a QR code that unlocked the device by simply waving it in front of the camera, you know how many people would fall for that? Lots.

      • by tlhIngan ( 30335 )

        You know all the right-to-repair shit? Wouldn't be a thing either if stolen phones aren't a source of chop-shop parts.

        And recyclers and groups like iFixit always complain about it. They whine about throwing away valuable computers and phones and other electronics that work, but are locked up, preventing them from actually reselling it.

        And iFixit and the like complain about serialized parts - perhaps because they know they've probably been buying up stolen parts for years. I mean, they never seem to be touti

    • This came from the Blackberry world, and it is a compromise. The alternative is to give the user a manifest of what an app wants to do, with toggle switches of what the app can do on install... which means a user may just hit "allow" permitting an app that shouldn't have permissions free rein. However, ask on first use seems to be better, as if an app asks for access to all pictures, contacts, and health data out of the blue, a user can deny that.

      No real 100% absolute best solution, but ask on first use

  • Fuck All That (Score:3, Insightful)

    by registrations_suck ( 1075251 ) on Tuesday December 12, 2023 @09:28PM (#64077737)

    I don't want to use Face ID or Touch ID for these features. How about just letting me use a second, different passcode?

    Bunch of assholes.

    • If you want that, make your passcode longer. You will achieve just as much.

    • ... different passcode?

      That's what Microsoft does, called a Recovery Code. Can you access your recovery code today? I'm assuming that you wrote it down.

      Google also allows a "less secure" method like OTP to be your back-up authentication, should you lose the pass-code, I mean phone or security key.

    • The ironic thing is that a second passcode is present -- Screen Time. It would be nice if Apple had options to prompt for that passcode to be used as well, since generally one isn't using that passcode on their phone often.

    • by AmiMoJo ( 196126 )

      If you use a long password instead of a 4 digit PIN, most thieves won't bother you anyway. It's much harder to observe a little keyboard and 15 characters.

    • Agree, would be so much easier especially if it's a long passphrase.

      Another thing which is happening is that thieves are beginning to target phones which are in use (i.e. currently unlocked), they steal the phone from the user and make their getaway on the back of a motorbike/moped while they keep touching the screen to prevent the phone from locking, once at a safe distance they then set about draining the accounts etc and keeping the phone from locking. Had this happen to a work colleague a few weeks back, so we

  • Wait, what? (Score:5, Interesting)

    by dgatwood ( 11270 ) on Tuesday December 12, 2023 @10:38PM (#64077847) Homepage Journal

    I'm confused. Viewing passwords or autofilling a password already required Touch ID authentication or Face ID authentication. That's what unlocks the keychain. And it always has required that.

    Ah. Now I found out the actual story. When Stolen Device Protection mode is enabled, the device checks to see if it is at home or at work, and if the device is at an unusual location, then it requires *both* passcode *and* either Touch ID or Face ID, whereas without that mode turned on (or on previous versions of iOS), it requires passcode *or* Touch ID or Face ID.

    • Re:Wait, what? (Score:4, Interesting)

      by ctilsie242 ( 4841247 ) on Tuesday December 12, 2023 @11:40PM (#64077985)

      It also has a time delay of an hour and a second ID check. This is a good mechanism to keep a shoulder-surfer from being able to catch a PIN entered, then swipe the device (or jack the device's owner). It might also be a good feature to deter armed-robbery of iCloud IDs (because locking all devices attached to an ID can mean good ransom money, especially if blackmail is thrown in on what is stored in iCloud proper.)

      I'm sure Apple is still working out the details, but it is something that Apple needed to make. It is just too easy for someone to lose not just their phone, but a good chunk of their life's work, not to mention access to the iDevices/Macs which are not cheap either.

      Overall, a good thing, and beats having to make a domain and put all devices into AFP and an MDM to ensure that account lost doesn't mean the loss of all devices.

    • When Stolen Device Protection mode is enabled, the device checks to see if it is at home or at work, and if the device is at an unusual location, then it requires *both* passcode *and* either Touch ID or Face ID, whereas without that mode turned on (or on previous versions of iOS), it requires passcode *or* Touch ID or Face ID.

      Great. So when I wake up in the burn ward at the hospital and want to use my iPhone ... /s

      [A third option of, say, an absurdly long passphrase would be nice, like "My niece has beautiful green eyes, but uses them to stare at TikTok all day, even when walking the dog and that makes Spot sad."]

      • by dgatwood ( 11270 )

        When Stolen Device Protection mode is enabled, the device checks to see if it is at home or at work, and if the device is at an unusual location, then it requires *both* passcode *and* either Touch ID or Face ID, whereas without that mode turned on (or on previous versions of iOS), it requires passcode *or* Touch ID or Face ID.

        Great. So when I wake up in the burn ward at the hospital and want to use my iPhone ... /s

        [A third option of, say, an absurdly long passphrase would be nice, like "My niece has beautiful green eyes, but uses them to stare at TikTok all day, even when walking the dog and that makes Spot sad."]

        Putting back the fingerprint reader (like every other phone on the planet) would be a nice improvement. Just saying.

  • ... not tying my digital accounts to an iDevice helps keep thieves out as well.

  • Just blacklist the device once declared stolen - and cut off access to anything icloud from it.
    I am sure the device has a unique ID that can survive a reset. Make it so that it reports location, but refuses to connect to icloud for regular services, unless the original owner lifts the ban. This would make the device practically useless if stolen.
    With what they plan to do, some people are going to lose fingers.
    • by tlhIngan ( 30335 )

      Just blacklist the device once declared stolen - and cut off access to anything icloud from it.
      I am sure the device has a unique ID that can survive a reset. Make it so that it reports location, but refuses to connect to icloud for regular services, unless the original owner lifts the ban. This would make the device practically useless if stolen.
      With what they plan to do, some people are going to lose fingers.

      And guess what? Thieves have figured that out!

      They see the user enter their passcode. Then they stea

  • MFA (typically) improves security.

    • by tlhIngan ( 30335 )

      MFA (typically) improves security.

      Apple forces everyone to use 2FA - if you register any hardware that device becomes your 2FA device.

      Of course, the problem is, your now stolen phone means thieves got your 2FA device as well.

      Sure you can try using another device, but then you have to consider the fraction of users who only have one Apple device.
