Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I do wonder how you guard against the threat of you walking down the street staring at your phone and having someone snatch it out of your hand while it's still unlocked. A saavy thief could then disable the auto-sleep and as long as it doesn't run out of battery they could leave your phone plugged in and hence will never require the passcode again. A few apps (at least on iOS) give you the option to require your passcode again to access them (e.g. if you lock a note), but for the most part an unlocked phone is a treasure trove of personal information for the thief.


It's probably worse than that. How would you guard against the threat of someone forcing you to unlock your phone at gunpoint? Call their bluff and just throw the phone in the gutter and run away? Stall for time like you forgot the password?


Yeah I don't think you can defend against a gunpoint threat, but my guess that's much less common than a casual petty thief who just snatches your phone out of your hand and runs.


The "trick" unfortunately is to buy a second apple device (macbook, iphone, etc.), sign it into your iCloud account, and make sure it can be used for two-factor authentication. Then if you lose one of your devices, you can use the other device to 2FA into your account without using a phone number.

Another, cheaper but potentially more risky option, is to use a Google Voice number as your 2FA SMS line.

If the OP's brother had either of those options in place, I'm pretty sure he could have recovered his account and removed the stolen iPhone from the list of authorized devices.


Ideally, you want a separate Google Voice number as your trusted phone number and to have no unauthenticated access to that Google account from the phone. I also just checked and you actually can’t even change the trusted phone number without logging into applied.apple.com, and you can also register the numbers of trusted friends or family members as a backup to recover access. So the situation is not as concerning as the original post suggested, if you’re careful.


Even for online banking, many suggest to use a google voice number for 2FA SMS, thanks to sim swap attacks. However, some banks don't allow google voice numbers.


It really all boils down to "Part 1: Locked out of iCloud". Without that step you can remotely put the device in lost mode and it will lock. That loophole needs a fix.


Disabling autosleep should be behind an authentication step.


Even in that case, they could just install and start a game, which would also prevent autosleep. Or they could just start playing an extremely long video (e.g. x days long black screen) or a video stream.



Also airplane mode




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: