The iPhone Setting Thieves Use to Lock You Out of Your Apple Account (wsj.com)
89 points by mcenedella on April 19, 2023 | hide | past | favorite | 86 comments



IMHO, the crazy part is that it is possible to create a new Recovery Key with just the iPhone passcode (and the iPhone). So basically, the iPhone passcode is mightier than the Recovery Key. The only purpose of the Recovery Key is to protect against SIM swapping attacks. I didn't know this.

So an attacker with the iPhone passcode can lock you out of your Apple account on all devices, even if they don't have your Apple ID password or your Recovery Key. Basically, the iPhone passcode is your only defense if you lose your iPhone. I had always assumed the Apple account password would be needed, and that the passcode is not as important as it is so common for it to be only four or six digits.

I'm going to go set up a stronger passcode now.


Under Screen Time, of all places, you can set an additional passcode, and under Screen Time privacy and content restrictions, at the very bottom, block changes to your passcode and to account changes for your Apple ID, which denies access to the whole iCloud section in iOS settings.

Just don't forget you turned this on and then get confused why it's greyed out in settings when you go to change something in there.


For a non-techie like me this might as well be written in Urdu or Farsi. I'm so afraid of being locked out of my Apple account that I STILL refuse to use a password/passcode/FaceID/TouchID/2FA, much less a Recovery Key.


But you can just remove that restriction after you’ve unlocked the iPhone? Granted, it’s quite hidden, so nobody might find it.


You can only remove it with the separate password used for Screen Time, you can't use the regular password to remove it.


You can simply reset the password with your Apple ID credentials

https://support.apple.com/en-us/HT211021


Yes, but crucially that's different from your iPhone passcode and the thieves don't have access to it, foiling the attack under discussion.


Except for the process listed here: https://old.reddit.com/r/1Password/comments/11hodde/is_1pass...

It suggests that one can use the unlocked stolen device to learn the appleID.

Then follow a series of steps on the device to turn off the screen time passcode by entering the appleID and the device passcode.

Namely "forgot passcode", "enter appleID", "forgot (appleID) password", "enter device passcode".

If correct, then the use of a screen time password can not defeat this attack.


No, as far as I know the screen time specific code is required to unlock any screen time restrictions.


Right, even if you have already set up a recovery key, it will still allow it to be overridden (deleted and replaced) with just the phone passcode. This is completely stupid. Also using a Yubikey is not an option the way it is with enhanced iCloud security.


[flagged]


When I was robbed my attacker demanded my passcode at gunpoint, which he then used to unlock my phone and (as far as I could tell) to just watch Netflix. This was years ago, well before the passcode — and Find my iPhone, i.e. the ability to remotely brick your stolen phone — were standard security features. I imagine every thief these days will make every effort possible to get your passcode when they decide to take your phone.


> stupid enough to set a guessable password

At some point the computer science community needs to deal with, and fully embrace, the flaws, caveats and characteristics of the population it serves: the human beings.

It would be stupid not to.


It has: password managers, which both mobile operating system manufacturers have implemented, not to mention 3rd parties like 1Password. And then there is Login with Google/Microsoft/Apple/GitHub/Twitter/etc. And now also Passkey with Apple, Google, and Microsoft being on board.


Are you suggesting people unlock their phone with a randomly generated 24 character string they have to read from their password manager?


A system that doesn't take into account human failings is a flawed system.


I don't agree with much of what you're saying. Physical access is not game over, there should be additional layers of security (i.e. a passcode) to actually unlock the device. And even if you have unlocked one device, there should be additional barriers to escalate that privilege to other devices (i.e. by requiring the Apple ID password).

There's also a big difference in the passcode and Apple ID password. The passcode is required several times a day. Failing a FaceID unlock is very common. Having an alpha-numeric passcode is, honestly, a huge pain in the behind. The Apple ID password on the other hand is not required very often, and can easily be stored in a password manager. Storing the passcode in a password manager doesn't make much sense, as you'd then need to unlock a second device to open your password manager to read the passcode to unlock the first device.


> Physical access is not game over, there should be additional layers of security (i.e. a passcode)

Please re-read what I said.

In particular I point you to the "AND" in capital letters. ;-)

As I said. Apple gives you the tools. Use them.


I skipped that part because you're talking about guessable passwords, but the threat the article is talking about is someone watching you type in your passcode and then stealing your iPhone. The point I'm trying to make is that I don't think that should be game over, there should be additional barriers to prevent escalation from single device access to Apple account/multi-device access.

Guessable passwords are of course not good, but to a human a six digit password is actually pretty hard to guess.

The auto-wipe feature introduces a new vulnerability where anyone with physical access to your phone for a minute can wipe it for you. This is a very high-risk threat scenario for people with toddlers in their home.

Remote-wiping the phone from the Apple website is fine, but from what I understand in the article, the thief has already taken control of your account by the time you're home/have access to a second device to do so.

However, it seems Apple actually does provide the tools to avoid the issue in the article, which is to use a second password for Screen Time and add some restrictions. So we can agree on that point :)


> The auto-wipe feature introduces a new vulnerability where anyone with physical access to your phone for a minute can wipe it for you.

It's called backup.

What happens if you lose your phone or drop it in a river?

You'll be in the same boat in those scenarios as you would if someone local-wiped your phone.


Dropping your phone in a river won’t lock you out of your account for accessing those backups.


I just went to set up a screen time passcode after reading the article… you are limited to a four digit code. It does limit the number of attempts you can make, but I can’t believe a four digit code is all that’s standing in the way of total account ruin.


That seems like it should be enough protection. The goal of most thieves is to drain your bank account/Apple Pay. Changing your account password gives them more time to take advantage of your account, but most of them aren't interested in doing a deep dive in your personal life, or care that you're locked out of your Apple account.

A rate-limited 4-digit passcode gives you breathing room to login to your Apple account and report your phone as stolen.
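The rate-limit point is worth putting numbers on. The following is an added example, not code from the thread or from Apple: it models an escalating lockout schedule and compares the time to exhaust a four-digit keyspace with and without it, and with an erase-after-N-failures option. The delay values, the tail delay and the two-second entry time per guess are constructed assumptions; the thread only says that attempts at the Screen Time passcode are limited.

```python
"""Added example (not from the thread or from Apple): a small model of how an
escalating lockout schedule bounds brute-force guessing of a short passcode.
The delays below are a constructed assumption; the thread only says that
attempts at the Screen Time passcode are limited."""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    # Delay in seconds imposed after the n-th consecutive wrong guess.
    # Constructed values, not Apple's documented schedule.
    schedule: Dict[int, int] = field(
        default_factory=lambda: {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
    )
    # Delay after every failure beyond the last entry of `schedule` (assumption).
    tail_delay: int = 3600
    # Seconds a person needs to key in one guess (constructed estimate).
    entry_seconds: float = 2.0
    # If set, the device erases itself after this many consecutive failures.
    wipe_after: Optional[int] = None

    def delay_after(self, n: int) -> int:
        """Seconds the guesser must wait after the n-th consecutive failure."""
        if n in self.schedule:
            return self.schedule[n]
        if self.schedule and n > max(self.schedule):
            return self.tail_delay
        return 0


def time_for_guesses(policy: LockoutPolicy, guesses: int) -> float:
    """Wall-clock seconds to make `guesses` attempts where only the last one
    succeeds: the entry time of every attempt plus the lockout delay imposed
    after each of the `guesses - 1` failures that precede it."""
    delays = sum(policy.delay_after(n) for n in range(1, guesses))
    return delays + guesses * policy.entry_seconds


def brute_force_summary(policy: LockoutPolicy, keyspace: int) -> dict:
    """Summarise an exhaustive search of `keyspace` equally likely codes.

    With a wipe limit the search cannot finish: the attacker gets at most
    `wipe_after` guesses, so the result is a success probability instead.
    """
    if policy.wipe_after is not None:
        return {
            "max_guesses": policy.wipe_after,
            "success_probability": min(1.0, policy.wipe_after / keyspace),
        }
    return {
        "worst_case_days": time_for_guesses(policy, keyspace) / 86400,
        "average_case_days": time_for_guesses(policy, keyspace // 2) / 86400,
    }


if __name__ == "__main__":
    four_digit = 10 ** 4
    no_limit = LockoutPolicy(schedule={}, tail_delay=0)
    print("no rate limit, 4 digits:", brute_force_summary(no_limit, four_digit))
    print("assumed lockouts, 4 digits:", brute_force_summary(LockoutPolicy(), four_digit))
    print("wipe after 10 failures:", brute_force_summary(LockoutPolicy(wipe_after=10), four_digit))
    print("assumed lockouts, 6 digits:", brute_force_summary(LockoutPolicy(), 10 ** 6))
```

Under the assumed schedule, exhausting all 10,000 four-digit codes costs over a year of wall-clock time, and an erase-after-ten setting caps the attacker at a 0.1% chance; without any lockout the same keyspace falls in a few hours of manual entry. The short code is defensible only because of the rate limit, which is the commenter's point, and the model makes it easy to see how much margin a six-digit code adds on top.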


Muggers in the UK are now demanding the phone passcode on threat of violence. Having to give up the phone passcode (which also unlocks FaceID-gated apps like banking!) shouldn’t make your entire life vulnerable.

There are currently insufficient tools to deal with that situation


> There are currently insufficient tools to deal with that situation

It will never be possible to deal with that situation.

It's also why many governments have taken to locking people up until they give up their passwords.

It's a scenario that has been immortalised in the famous XKCD wrench conundrum: https://xkcd.com/538/

The only real way to deal with it is to get away from the situation and remote wipe (or hope they type in your password wrong N times so local wipe happens)


A street mugger doesn't have the same motivation and means as a government agency. He just wants to make some quick and easy buck. He can hit me with the wrench as much as he wants, if I don't have the recovery code memorized because it's stored safely in my computer at home, he won't get it. He can point a gun at me and demand that we go home to get the code, but that's a different crime, harder and riskier. Most criminals aren't willing to go that route. The only thing he can get is the 6 digit code that I have memorized because I use it everyday to unlock the phone. That's why this code should have limited capabilities.


Defence in depth helps make the situation less catastrophic. Right now, with just an iPhone passcode, you can take complete control of the Apple ID [including wiping the user’s other devices], any apps protected by Face ID (even those with 2FA if it’s SMS-based), private photos, notes, passwords, the works.

Those consequences are design choices - convenience over security. There could be features (tighter Face ID, multiple passcodes, etc) that reduce the blast radius of a leaked iPhone passcode. But Apple hasn’t implemented them. It hasn’t given users the tools to protect themselves, if they value that more than convenience.


Sure there are. Requiring Face ID and a second device to login. Whether or mornings practical is a second.


The issue is you don't have the luxury to type the passcode from the security of your home all the time.

You have to type it while outside, cameras and other people being around. Even if you have an alphanumeric password as passcode, it can't be too complex because you have to remember it and type it (password manager is behind this lock).

And as soon as someone can record you typing the password, they can now steal your phone and ruin everything.


> If someone has your iPhone AND you are stupid enough to set a guessable password,

Ever hear of telephoto lenses? Ever hear of coercion (and, yes, it IS possible to guard against coercion, for example by introducing delays or requiring a third party to be involved in some actions)? Ever hear of good old fashioned sneakiness? ANY password that's used on a regular basis is relatively easy to compromise.

Furthermore, a phone is a convenience device. It NEEDS to be simple to unlock your phone, or it is useless. A "strong unlock password" is a bad fit for actual use of the phone. Therefore, it's stupid to design a system that makes the mere ability to unlock your phone into something that can take over other devices or cloud services.

A phone should NOT be a "trusted device" in the sense that it can do anything major to anything other than itself. It also should not put especially high-stakes assets, on or off of the phone itself, at risk based on a mere unlock. Any system architecture that violates either of those is a shitty, lazy system architecture.

> then that's YOUR problem, not Apple's.

Yes, by being stupid enough to use an Apple device, and thereby subjecting myself to Apple's brain-dead design, I would indeed create a problem for myself. Good thing I have the luxury of not doing that. I mean, I'm also not dumb enough to store my only copies of anything important in any cloud service. But that doesn't make it not Apple's problem if Apple's own cloud service is insecure.

> The point is that with the Secure Enclave, Apple are able to rely on the iPhone being a "Trusted Device" to enable you to reset the Recovery Key. It is up to YOU to respect the "Trusted Device" status and (a) secure the device accordingly and (b) remove said device from your Apple account as soon as it is no longer in your possession.

If a device is to be "trusted", then it needs to be TRUSTWORTHY, which means that it needs to not cause havoc without reasonable authentication. By locking you out of your cloud account without anything more than a screen unlock PIN, the phone is abusing the trust placed in it.

It is also stupid to put unlimited trust in anything anyway, especially complicated, bug-prone things like "Secure Enclaves" and phone operating systems.


I disagree with you as well.

There's no reason losing something 100% of people keep on them 100% of the time should equal losing their online digital identity.


[flagged]


Wow, there's no need to yell.

Does Apple warn you when you're setting up that pin that it is the most powerful way to access your account?

I would bet if I walked outside and asked 100 people if they thought the pin was for convenience or if it was the last resort to accessing their account, literally all 100 would think it's for convenience, and a birthday would be sufficient.


I recently reevaluated my approach to identity & recovery across all the services I rely on and it’s a mess.

Apple and Google both provide sensible security settings but you can only guess how recovery might work if you are locked out of your account from their docs. Even with their advanced security programs (requiring a hardware token) I’m not entirely sure that I’m not defeating the whole purpose of these measures by putting a mobile number in my account that can be sim swapped. On the other hand I’m also not entirely sure if I could recover access from what I think I’d need to provide to prove my identity (recovery codes, trusted contacts, …)

I get why they might not want to lay out the whole process and every heuristic they use, but it’s not really reassuring.


It's a good callout and I think these things should be documented just so security researchers can expose flaws in the process publicly. Basically, these companies have unlock keys for our accounts and we don't know enough about their internal processes to know how secure we are from social engineering attacks or internal threats.


Google recovery is a disaster. I lost an account that had a recovery email. I got locked out of the account, and it said the recovery email wasn't enough! WTF!? That's exactly what it is for.

So, you can lose your google account, even with recovery set up.


Dear Apple, to avoid passcode leakage to human observers and cameras, can we please have an option to disable keypress highlights and transient display of passcode characters? This lock screen behavior could be dropped when "Lockdown" mode has been enabled.

https://apple.stackexchange.com/questions/217704/disable-dis...

> This transient display lasts 3 seconds to avoid too big a security problem. But this is still largely sufficient for anyone behind you to read it really easily. Moreover this transient display can be easily captured by any camera


The WSJ wrote an article on this two months ago as well, discussed at [0], seems like they've run out of new topics so they're just rehashing content they've already released. You can protect yourself against this type of attack by using Screen Time restrictions [1].

[0] https://news.ycombinator.com/item?id=34936015

[1] https://www.karltarvas.com/2023/02/25/protecting-your-iphone...


Thanks, the Screen Time tip is very useful. Bit annoying that it can't prompt to let you use the Apple ID settings (they're now just unavailable until you go to Screen Time settings again) but better safe than sorry.


It’s the same authors as well. This is weird.


I’d say they’re going back to the well. But it seems they’re defecating what was already consumed back into the well, hauling it up, and calling it new.

All this for a security “flaw” that isn’t really a flaw. It’s functionality that is consistent with industry standards: Google/Android works the same way.

Your cellphone might as well be an extension of your brain. Secure it with a strong password, and try to be mindful of shoulder surfers.


Using phones as all-powerful fallbacks is great when you're at home or the office, and wondering if your computer or online accounts are being compromised. Not when the phone itself could be compromised (physically). This sounds stupid to say because it is: stupidly obvious.

Major phone OS makers (all, what, 2 of them?) need to allow you to have at least 2 authentication paths - one when you are in a physically secure location, and one when your phone could be snooped or stolen. It's a fundamental need for phones.

To mitigate the problem of muggers demanding both codes, they should also allow location-based locking, where you could tell the phone to only allow the trusted functions to be accessed at certain GPS coordinates.


>This sounds stupid to say because it is - stupid-ly obvious.

But since it is also stupidly profitable, it's a problem without any solution.

In the US, phone numbers are now as important as social security numbers, in that you need one to access a bunch of online services. That so much else is attached to that phone number and that the phone is its own weakness is unforgivable. I worry, however, that the mitigation will come in the form of tying identity into the phone to an even greater degree.


We've had a misunderstanding here. I think there is a clear improvement: a set of phone credentials that you use in public situations where you might be snooped or robbed. Those credentials can only let you do limited things, and most certainly would not be allowed to modify device or account security.


Your original comment was unclear on what the differing credentials would be used for, and it's not a bad idea. It does depend on people being conscientious in public and using the passcodes appropriately, but programming can't mitigate that much.

I'm more concerned about how much a phone is expected in the first place, for more and more things. Last year I went on a trip with some friends, and half of the places we went required apps for tickets or even parking, and even a hotel we stayed at was strongly pushing an app. If I'm flying somewhere, I still get a printed boarding pass because I don't want my phone to be the single point of failure that prevents me from flying if a freak accident happens between check-in and the gate.


Sort of related: about once a week when I'm watching TV using Apple TV, when I try to use ESPN or Live TV apps, instead of just coming on they display a QR code for me to scan with the option of going to some website to log in. Since I do not keep my phone with me when I settle in to watch TV, this requires me to get up and go get the phone or use my computer to proceed. Very, very annoying. Why should I have to have a second device at hand to watch TV?


> Major phone OS makers (all, what, 2 of them?) need to allow you to have at least 2 authentication paths - one when you are in a physically secure location, and one when your phone could be snooped or stolen. It's a fundamental need for phones.

I feel like this is being done with the hierarchy of how biometric unlocks work on the phones. Your most common logins can be biometric and are generally considered things that cannot be snooped or stolen though they may be coerced.

At least on iOS, it is generally easily possible to make sure that you only ever use biometric unlocks in public spaces and spaces you are worried about being snooped (spaces outside of your home).

It's also possible to be afraid of coercion and temporarily disable biometrics with a quick button press.

Presuming of course that you trust the biometric unlocks in the first place. But if you trust them, then that definitely gives you two authentication paths, one of which is harder to snoop/steal than the other.


> After months of calls to Apple customer support and letters to the company (...), he said he finally reached a representative who was willing to do more. Once Mr. Allen answered additional verification questions, Apple disabled the recovery key, he said. (...). Mr. Allen said he uses some Apple business services, which might explain why he was able to recover his account.

As someone whose brother lost years of his children's videos when thieves locked him out of his iCloud account [1] this part confirms two things. First, it gives me hope that we might one day recover the account, seeing as the data is not cryptographically locked. And second, it confirms that the reason we couldn't get the access back is not because Apple can't do it, but rather because they don't care.

If you have an iPhone, user gkiely shared this tip on how to further protect your account: https://news.ycombinator.com/item?id=33602627

[1] https://news.ycombinator.com/item?id=34406619


To avoid future data loss, you can backup all your iCloud photos locally. Check out icloud_photos_downloader[1], they have a docker container that is drop-dead simple to use. I run this[3] about once a month, I could probably automate it, but that feels like it'll take more time than it'll save[2].

[1] https://github.com/icloud-photos-downloader/icloud_photos_do...

[2] https://xkcd.com/1319/

[3]

  #!/bin/bash
  # Abort on the first failing command and on any unset variable.
  set -eu

  # Local targets: the photo archive and the persisted iCloud session cookies.
  mkdir -p "$(pwd)"/{photos,cookies}

  # The iCloud password is read from the environment so it is never written
  # into this script; fail loudly if it is missing.
  if [[ -z "${ICLOUD_PASSWORD:-}" ]]; then
      echo "ICLOUD_PASSWORD is not set" >&2
      exit 1
  fi

  # Note that --password puts the secret on the container's command line,
  # where other processes on the host can see it in the process list.
  podman container run -it --rm --name icloud \
      -v "$(pwd)/photos:/data" \
      -v "$(pwd)/cookies:/cookies" \
      -e TZ=America/Boise \
      icloudpd/icloudpd:latest \
      icloudpd --directory /data \
      --cookie-directory /cookies \
      --folder-structure '{:%Y/%Y-%m-%d}' \
      --username mysuperduper@username.com \
      --password "${ICLOUD_PASSWORD}" \
      --size original


> seeing as the data is not cryptographically locked.

I assume your account dates from the days before Advanced Data Protection[1]. Nowadays, you can configure it so that the majority of iCloud data is now encrypted with a key that only you control.

[1] https://support.apple.com/en-gb/guide/iphone/iph584ea27f5/io...


"iPhone thieves with your passcode"

That's the article.


Yeah it's maybe not a concern for everyone, but where I live every once in a while someone gets held at knifepoint and forced to unlock their phone. I set up a screen time password just in case.


Or just an unlocked iPhone?

I can't confirm bc the article is paywalled but if this trick works with any unlocked iPhone then I am very interested. Plenty of cases where it is snatched from your hands on the street and accessed while unlocked, and then it's a race of whether you can wipe it first. Don't have another device at hand... unlucky.


I believe they have to shoulder surf first because the passcode is asked again when they trigger the password change.

I also think Android has a similar issue.


> if this trick works with any unlocked iPhone then I am very interested

No it doesn't. For any security sensitive stuff, you'll be asked to reconfirm your device password (and potentially also the password of another device on your account).


It doesn’t; in order to reset the PW on your account with a device you need to re-confirm the passcode.



> In February, we reported that thieves, often in and around bars at night, watch iPhone owners tap in their passcodes, then steal the targets’ phones. With this short four- or six-digit string, criminals can change the Apple account password and rack up thousands of dollars in charges using Apple Pay and financial apps. […]

> Apple introduced the optional recovery key in 2020 to protect users from online hackers. […]

> iPhone thieves with your passcode can flip on the recovery key and lock you out. And if you already have the recovery key enabled, they can easily generate a new one, which also locks you out. […]

> So long as you can access your iPhone, you can add or reset a recovery key without any extra credentials. Apple says this is a convenience measure. However, it also gives thieves easier access.

Uff! Security vs convenience is a difficult problem, but only protecting against remote/online hacking is a massive oversight! One shouldn’t underestimate the incentives for thieves stealing your passcode and device in real life.


But why do the iPhone users tap in their passcodes in the first place when there is faceID and touchID available?


For some reason Face ID frequently will fail and the phone will demand the passcode.

This happened to me twice in the span of an hour while the phone was face up on my desk at work. I can only guess Face ID is being triggered repeatedly by some feature and is failing so it is disabled.

Perversely this means I’m not as willing to use a very long complex passcode because I don’t want to have to type all that if I’m in a rush and Face ID stops working suddenly.

Personally I would prefer they bring back Touch ID.


It's an expensive option because it relies on the Apple Watch, but Watch unlock can be handy as a backup to Face ID. The Watch notifications for Watch unlock might also help you get a sense of what seems to be trying to unlock your phone.

It's probably the notifications on your lock screen triggering a Face ID check in case you want to read what they say. You could reduce the number of notifications that you receive, or use a Focus Mode while at work, or keep the phone in a pocket or face down/in a dark place.


Touch ID is still available on iPhone SEs but those are for old people /s


My wife got an iPhone recently, based on her experience users tap in the passcodes almost constantly because FaceID doesn't f**king work, and no fingerprint reader is present on the device.

Most of the time she still reaches for her old Android because it unlocks instantly (and properly, not to a stupid lock screen!) with a fingerprint.


In 2023 faceid works flawlessly for me, even when wearing a mask and glasses. I only use the passcode to unlock after a reboot. If your wife is having this much trouble she probably should try retraining it on her face.


She's tried retraining it about 6 times, at my insistence. It's just crap. I've since paid more attention to other iPhone users I know, and they seem to be doing a lot of passcode entry too.


Does she look at the camera while unlocking? It optionally requires your visual attention to successfully unlock. Otherwise your experiences are completely at odds with our experiences. I’m family tech support for nearly 15 iOS users and none have this experience.


I personally have disabled “Require Attention for Face ID” on my IPhone X which improves performance significantly.


How is this possible, unless you're shilling? I just got a new iPhone 11 in the box and FaceID doesn't work: if you're too close, too far, have a face mask on, in the dark, next to someone, randomly fails, whatever.

My Samsung on the other hand always opens flawlessly with a fingerprint scanner.

What is Apple trying to avoid here by not including one?


FaceID is a lot more secure than TouchID.

> While there are mixed opinions from privacy experts on which is more secure, Apple claims that Face ID is 20 times more secure than Touch ID. While the chances of someone unlocking your iPhone using a spoofed fingerprint is one in 50,000, this number grows exponentially to a false positive of one in a million when it comes to Face ID.


Source for this quote?


Why would I bother shilling? How did you get a new 11? The current generation is 14. The oldest I can see they sell is 12. The X and 11 didn’t have particularly great Face ID support for lack of quality enough hardware.

The dark makes no sense. It’s not using visible spectrum, it uses IR laser dots and flood illuminator coupled with an IR camera to map and photograph your face in 3d.

Mask Auth only works afaik with iPhone 12 and greater.

Apple used to include Touch ID. Some devices still have it (iPads etc). They are trying to avoid something though: there’s no physical space on the devices for a fingerprint scanner. The iPad integrates it into the on/off button which is large and exposed. But most phones have very small physical buttons that are typically covered by cases. The rest of the screen (sans notch) is edge to edge touch screen.

On my iPhone 14 the Face ID is basically flawless and very fast. I would suspect your “new” device that’s second gen Face ID is simply not as capable as the fifth gen on market today.

But, dude, if you like android, go for it.


I think they want to save a couple of dollars on manufacturing. Maybe they also don't want to "copy" the sensible locations of fingerprint scanners from non-Apple devices.


> But why do the iPhone users tap in their passcodes in the first place when there is faceID and touchID available?

1. If you reboot your phone, you have to enter your passcode.

2. Some people prefer to use a passcode for legal reasons. Essentially the police can compel you to unlock your phone via faceID and touchID, but not passcode.

3. Some people might just like it and/or be used to it.


2 can be mitigated by squeezing the top two buttons of the phone until it vibrates. Any attempt to go to the emergency contact/power off screen disables Face ID/Touch ID until after the next passcode use. (You don't have to entirely reboot.)


That is a fair point.

But sometimes you don't have the time. From what I recall, the police were able to apprehend Ross Ulbricht (of Silk Road fame) before he could log out of his computer.


At least that's what happened in the (excellent) movie https://www.imdb.com/title/tt7937254/


No idea about iPhones, but on Android the face recognition is 70/30, and my fingerprints are unreadable.


This would not be OS related but hardware related. I've never had a Samsung that couldn't read my fingerprints. In fact I have a Samsung tablet from 2014 that uses facial recognition and it generally always works the first time, if not the second.


I love it! Thanks!


Isn't it a good idea to just set your passcode to be the same as your Apple ID password?


That's a bad idea. When Face ID unlock fails, which it will, you then have to type it out in front of nearby people, which is what this attack is about. Secondly, it's a pita to type in a properly secure password every time you want to get into your phone.


To recover photos and notes from a locked account, would it work in EU to file a GDPR request for a copy of personal data?


Maybe, you would also need to provide enough proof that this data refers to you, so Apple could ask about proving ownership of the account.


I would certainly hope so.

But this sounds like a very clever way around the whole “Apple can’t be bothered to care” problem.


Indeed. But as a technical guy I wonder which kind of "shared secret" one could provide to a (call center) service-agent to prove the legitimate ownership of an account without doubt?

Companies circumvent this complexity by simply asking you to login before you can request anything. If someone has full access to your account, all information accessible should be considered as insufficient to validate you...

In the end such a GDPR-request without login would probably again be a case-by-case topic which needs to cross the desk of some legal department to approve the action. But yeah, at least there are strict guidelines for response-times and other obligations for the company.


It’s more of a legal problem than a technical one and has existed for a very long time. How have companies handled this since before the Internet?


I can prove ownership of the account that pays for the storage.


Good question.

As per usual process of Google, Amazon, Apple et al, the process for this GDPR Request is done online AFTER you've logged in with your ID.

In case of Apple this is done in the "Manage your Apple Account" area of your account settings, for which you need to be able to login first.

I'm not sure these companies have a process in place to provide you this data without you having access to your own account. Filing a GDPR Request like that might turn into a topic requiring support from a lawyer / consumer protection agency...



