IMHO, the crazy part is that it is possible to create a new Recovery Key with just the iPhone passcode (and the iPhone). So basically, the iPhone passcode is mightier than the Recovery Key. The only purpose of the Recovery Key is to protect against SIM swapping attacks. I didn't know this.
So an attacker with the iPhone passcode can lock you out of your Apple account on all devices, even if they don't have your Apple ID password or your Recovery Key. Basically, the iPhone passcode is your only defense if you lose your iPhone. I had always assumed the Apple account password would be needed, and that the passcode is not as important as it is so common for it to be only four or six digits.
Under Screen Time, of all places, you can set an additional passcode, and under Screen Time privacy and content restrictions, at the very bottom, block changes to your passcode and to account changes for your Apple ID, which denies access to the whole iCloud section in iOS settings.
Just don't forget you turned this on and then get confused why it's greyed out in settings when you go to change something in there.
For a non-techie like me this might as well be written in Urdu or Farsi. I'm so afraid of being locked out of my Apple account that I STILL refuse to use a password/passcode/FaceID/TouchID/2FA, much less a Recovery Key.
Right, even if you have already set up a recovery key, it will still allow it to be overridden (deleted and replaced) with just the phone passcode. This is completely stupid. Also using a Yubikey is not an option the way it is with enhanced iCloud security.
When I was robbed my attacker demanded my passcode at gunpoint, which he then used to unlock my phone and (as far as I could tell) to just watch Netflix. This was years ago, well before the passcode — and Find my iPhone, i.e. the ability to remotely brick your stolen phone — were standard security features. I imagine every thief these days will make every effort possible to get your passcode when they decide to take your phone.
At some point the computer science community needs to deal with, and fully embrace, the flaws, caveats and characteristics of the population it serves: the human beings.
It has: password managers, which both mobile operating system manufacturers have implemented, not to mention 3rd parties like 1Password. And then there is Login with Google/Microsoft/Apple/GitHub/Twitter/etc. And now also Passkey with Apple, Google, and Microsoft being on board.
I don't agree with much of what you're saying. Physical access is not game over, there should be additional layers of security (i.e. a passcode) to actually unlock the device. And even if you have unlocked one device, there should be additional barriers to escalate that privilege to other devices (i.e. by requiring the Apple ID password).
There's also a big difference in the passcode and Apple ID password. The passcode is required several times a day. Failing a FaceID unlock is very common. Having an alpha-numeric passcode is, honestly, a huge pain in the behind. The Apple ID password on the other hand is not required very often, and can easily be stored in a password manager. Storing the passcode in a password manager doesn't make much sense, as you'd then need to unlock a second device to open your password manager to read the passcode to unlock the first device.
I skipped that part because you're talking about guessable passwords, but the threat the article is talking about is someone watching you type in your passcode and then stealing your iPhone. The point I'm trying to make is that I don't think that should be game over, there should be additional barriers to prevent escalation from single device access to Apple account/multi-device access.
Guessable passwords are of course not good, but to a human a six digit password is actually pretty hard to guess.
The auto-wipe feature introduces a new vulnerability where anyone with physical access to your phone for a minute can wipe it for you. This is a very high-risk threat scenario for people with toddlers in their home.
Remote-wiping the phone from the Apple website is fine, but from what I understand in the article, the thief has already taken control of your account by the time you're home/have access to a second device to do so.
However, it seems Apple actually does provide the tools to avoid the issue in the article, which is to use a second password for Screen Time and add some restrictions. So we can agree on that point :)
I just went to set up a screen time passcode after reading the article… you are limited to a four digit code. It does limit the number of attempts you can make, but I can’t believe a four digit code is all that’s standing in the way of total account ruin.
That seems like it should be enough protection. The goal of most thieves is to drain your bank account/Apple Pay. Changing your account password gives them more time to take advantage of your account, but most of them aren't interested in doing a deep dive in your personal life, or care that you're locked out of your Apple account.
A rate-limited 4-digit passcode gives you breathing room to login to your Apple account and report your phone as stolen.
Muggers in the UK are now demanding the phone passcode on threat of violence. Having to give up the phone passcode (which also unlocks FaceID-gated apps like banking!) shouldn’t make your entire life vulnerable.
There are currently insufficient tools to deal with that situation.
> There are currently insufficient tools to deal with that situation
It will never be possible to deal with that situation.
It's also why many governments have taken to locking people up until they give up their passwords.
It's a scenario that has been immortalised in the famous XKCD wrench conundrum: https://xkcd.com/538/
The only real way to deal with it is to get away from the situation and remote wipe (or hope they type in your password wrong N times so local wipe happens).
A street mugger doesn't have the same motivation and means as a government agency. He just wants to make some quick and easy buck. He can hit me with the wrench as much as he wants, if I don't have the recovery code memorized because it's stored safely in my computer at home, he won't get it. He can point a gun at me and demand that we go home to get the code, but that's a different crime, harder and riskier. Most criminals aren't willing to go that route. The only thing he can get is the 6 digit code that I have memorized because I use it everyday to unlock the phone. That's why this code should have limited capabilities.
Defence in depth helps make the situation less catastrophic. Right now, with just an iPhone passcode, you can take complete control of the Apple ID [including wiping the user’s other devices], any apps protected by Face ID (even those with 2FA if it’s SMS-based), private photos, notes, passwords, the works.
Those consequences are design choices - convenience over security. There could be features (tighter Face ID, multiple passcodes, etc) that reduce the blast radius of a leaked iPhone passcode. But Apple hasn’t implemented them. It hasn’t given users the tools to protect themselves, if they value that more than convenience.
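The "blast radius" and "barriers to escalation" arguments in this thread are a least-privilege design question, so here is an added example (constructed for this page, not Apple's code or any documented Apple policy) that models two authorization policies side by side: one where the device passcode authorizes everything, as the commenters describe the current behaviour, and a tiered one where account-level actions require step-up authentication with a stronger credential. The action names and the policies are assumptions for illustration.

```python
"""Tiered authorization model: which credential unlocks which action.

The policies are constructed for this example to compare the 'one passcode
does everything' design the thread describes with a tiered design where
sensitive account actions require step-up authentication. Neither policy is
a statement of what any real system does.
"""
from enum import Enum, auto


class Credential(Enum):
    DEVICE_PASSCODE = auto()    # short, typed in public many times a day
    ACCOUNT_PASSWORD = auto()   # long, rarely typed, lives in a password manager
    RECOVERY_KEY = auto()       # offline, never typed in public


# Actions grouped by the damage a compromise of each could do.
DEVICE_LOCAL_ACTIONS = {"unlock_device", "read_notes", "open_apps"}
ACCOUNT_ACTIONS = {"change_account_password", "change_trusted_phone_number",
                   "remote_wipe_other_devices", "read_synced_passwords"}
RECOVERY_ACTIONS = {"reset_recovery_key"}
ALL_ACTIONS = DEVICE_LOCAL_ACTIONS | ACCOUNT_ACTIONS | RECOVERY_ACTIONS

# Policy: action -> set of credentials that must ALL be presented.
# "As described in the thread": the device passcode alone suffices everywhere.
PASSCODE_DOES_EVERYTHING = {a: {Credential.DEVICE_PASSCODE} for a in ALL_ACTIONS}

# Tiered alternative: step-up to the account password for account changes,
# and to the recovery key (plus the password) for replacing the recovery key.
TIERED_POLICY = {}
TIERED_POLICY.update({a: {Credential.DEVICE_PASSCODE} for a in DEVICE_LOCAL_ACTIONS})
TIERED_POLICY.update({a: {Credential.DEVICE_PASSCODE, Credential.ACCOUNT_PASSWORD}
                      for a in ACCOUNT_ACTIONS})
TIERED_POLICY.update({a: {Credential.ACCOUNT_PASSWORD, Credential.RECOVERY_KEY}
                      for a in RECOVERY_ACTIONS})


def authorize(policy, action, presented):
    """True if every credential the policy requires for `action` was presented."""
    required = policy.get(action)
    if required is None:
        return False              # unknown actions are denied by default
    return required <= set(presented)


def missing_credentials(policy, action, presented):
    """Credentials still needed: the step-up the user would be prompted for."""
    return policy.get(action, set()) - set(presented)


def blast_radius(policy, presented):
    """Every action an attacker holding exactly `presented` can perform."""
    return {a for a in policy if authorize(policy, a, presented)}


if __name__ == "__main__":
    stolen = {Credential.DEVICE_PASSCODE}   # what a shoulder-surfing thief has
    for name, policy in (("passcode-does-everything", PASSCODE_DOES_EVERYTHING),
                         ("tiered", TIERED_POLICY)):
        reach = blast_radius(policy, stolen)
        print(f"{name}: {len(reach)}/{len(ALL_ACTIONS)} actions reachable "
              f"with the passcode alone: {sorted(reach)}")
    print("step-up needed to wipe other devices under tiered policy:",
          [c.name for c in missing_credentials(
              TIERED_POLICY, "remote_wipe_other_devices", stolen)])
```

The useful property to check in a design like this is not the table itself but the blast radius: the set of actions reachable from the one credential that is routinely exposed in public. In the tiered policy that set stays device-local, and the recovery key cannot be replaced by the same credential that is supposed to be weaker than it.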
The issue is you don't have the luxury to type the passcode from the security of your home all the time.
You have to type it while outside, cameras and other people being around. Even if you have an alphanumeric password as passcode, it can't be too complex because you have to remember it and type it (password manager is behind this lock).
And as soon as someone can record you typing the password, they can now steal your phone and ruin everything.
> If someone has your iPhone AND you are stupid enough to set a guessable password,
Ever hear of telephoto lenses? Ever hear of coercion (and, yes, it IS possible to guard against coercion, for example by introducing delays or requiring a third party to be involved in some actions)? Ever hear of good old fashioned sneakiness? ANY password that's used on a regular basis is relatively easy to compromise.
Furthermore, a phone is a convenience device. It NEEDS to be simple to unlock your phone, or it is useless. A "strong unlock password" is a bad fit for actual use of the phone. Therefore, it's stupid to design a system that makes the mere ability to unlock your phone into something that can take over other devices or cloud services.
A phone should NOT be a "trusted device" in the sense that it can do anything major to anything other than itself. It also should not put especially high-stakes assets, on or off of the phone itself, at risk based on a mere unlock. Any system architecture that violates either of those is a shitty, lazy system architecture.
> then that's YOUR problem, not Apple's.
Yes, by being stupid enough to use an Apple device, and thereby subjecting myself to Apple's brain-dead design, I would indeed create a problem for myself. Good thing I have the luxury of not doing that. I mean, I'm also not dumb enough to store my only copies of anything important in any cloud service. But that doesn't make it not Apple's problem if Apple's own cloud service is insecure.
> The point is that with the Secure Enclave, Apple are able to rely on the iPhone being a "Trusted Device" to enable you to reset the Recovery Key. It is up to YOU to respect the "Trusted Device" status and (a) secure the device accordingly and (b) remove said device from your Apple account as soon as it is no longer in your possession.
If a device is to be "trusted", then it needs to be TRUSTWORTHY, which means that it needs to not cause havoc without reasonable authentication. By locking you out of your cloud account without anything more than a screen unlock PIN, the phone is abusing the trust placed in it.
It is also stupid to put unlimited trust in anything anyway, especially complicated, bug-prone things like "Secure Enclaves" and phone operating systems.
Does Apple warn you when you're setting up that pin that it is the most powerful way to access your account?
I would bet if I walked outside and asked 100 people if they thought the pin was for convenience or if it was the last resort to accessing their account, literally all 100 would think it's for convenience, and a birthday would be sufficient.
I'm going to go setup a stronger passcode now.