Apple Responds to Report About Thieves Permanently Locking Out iPhone Users

Wow I am surprised with a 4 digit code you can change the Apple ID. And now people have banking info in their phones.
 
Unfortunately, the device pass code is basically one of your master keys for everything, the way it's setup. If that's compromised there's not a whole lot you can do in the hierarchy of trust for Apple devices. Probably need a secondary device and remote wipe ASAP.
 
What if someone points a gun at you and asks for both your iPhone and iPhone passcode, would that classify as a stupid thing as well that the user is the guilty one?

The problem is that they can change Apple ID without even knowing the Apple ID's password.
So how would you suggest the user be able to.. reset the password.

Don't suggest 2fa because welp the phone was stolen so 2fa right there.

Recovery keys.. because welp no one really keeps those around except those competent enough to do it.

Security key devices.... Ya like the average user will remember their security device, where they put it, or the code to the security device if it's one with a code. Also the phone can be the security key now as well.... So....

Security Questions because people reuse them and that's how the Yahoo hacks etc ended up with hundreds of thousands of compromised accounts and access being granted to others.

Email backup. Read the above.

There is no good option. The reality of the device passcode is a majority of users need the code often enough that most remember it. It's the one good consistent thing to actually remember.

Everything else above has been tried and there have been major pitfalls.

The only alternative if the user forgot their own password would be to not let them reset it at all.
Everyone complains about the security features used to access or reset an account but forget that if you're here and commenting you are likely not the average person that makes up 90+% of users where any advanced combination likely would not be helpful.

There is a certain point where the issue falls on the user of the device.

The user can use a complex passcode as well where it's harder to catch since the keyboard comes up and it's smaller letters and can be more things than 10 numbers for each 4 or 6 digit code.
 
All one has to do is turn on Screen Time > Content & Privacy Restrictions > Passcode Changes > Don't Allow. Be sure to use a different passcode for Screen Time.

Oh, and Account Changes (Don't Allow). Thanks for that tip @ypl.

This doesn't really work. It is easily worked around. If you go through the forgot Screen Time passcode user journey you can remove it even as a bad actor who has access to the phone.
 
What if someone points a gun at you and asks for both your iPhone and iPhone passcode, would that classify as a stupid thing as well that the user is the guilty one?

The problem is that they can change Apple ID without even knowing the Apple ID's password.
They have a gun to your head....what software change would make a difference? They can also ask for bank codes, Apple IDs, etc. This is not a useful scenario.
 
So, Apple’s response was “aahh… sympathies” ?
No, more "we don't know how to fix this. Yet."

Give them some time. A previous knee jerk reaction is how they got into this situation. (And yes, this was predictable. Even predicted by people outside Apple, I think. Probably predicted by people inside Apple, too, they just decided it was important and bulldozed through the warnings.)
 
I hope on the next iOS Apple allows us to set a unique password per app and a unique password to access the keychain. These days you have to create safeguards for scenarios where a stranger gets access to your unlocked phone. It shouldn't be so open. A bad person can basically ruin your life if they see your 6 digit PIN... Every operating system allows granular security levels, mobile phones should do better and smarter.

When I'm outside my house my phone should be more strict, anything other than biometric auth should offer very basic access to apps and block every setting and banking app until you provide a second stronger password or Face ID.
 
… For some reason, they will only accept a receipt from the shop where they were purchased... But we can't find the receipts.
I was keeping all my receipts for Apple devices in iCloud (irony), so back when this all came up before, I printed out my receipts and put them in the boxes (yeah, I save the boxes for current Apple gear) like I used to do in the pre-iCloud days.

edit: I also turned off FindMy (Activation lock) for anything that doesn’t leave the house, so I can’t get bricked out.
 
This doesn't really work. It is easily worked around. If you go through the forgot Screen Time passcode user journey you can remove it even as a bad actor who has access to the phone.
Holy s… it’s damn easy to erase iCloud password using workaround when forgot Screen Time password.

Edited: removed all steps I wrote I have followed to reset iCloud password knowing only numeric password used to unlock this device I use as “stolen” dummy

Really I am scared now
 
Once I heard about this article, I used the Screen Time, Content & Privacy Restrictions, and disabled any changes to Passcode and Account (near the bottom). I saw this in an article and tried it, and it seems to be pretty good. However, the thieves can still access your financial apps though. I think only FaceID and two factor can protect against those?
 
You actually can remotely remove all cards from all devices. You can also contact the bank directly and have them turn off the card.
How once the password to your Apple ID is changed?

Sounds like the answer is not to rely on any single cloud service, or at least use something like drop box for anything important.
It’s your Apple ID. A person doesn’t need to use iCloud, and this would still be an issue. A cloud service has nothing to do with this issue.

Apple just ****ing require the old Apple ID pw when changing pw on iOS just like in macOS. Problem solved!
I think the whole point of being able to change your Apple ID password this way is in case you forget your current one.
 
Once I heard about this article, I used the Screen Time, Content & Privacy Restrictions, and disabled any changes to Passcode and Account (near the bottom). I saw this in an article and tried it, and it seems to be pretty good. However, the thieves can still access your financial apps though. I think only FaceID and two factor can protect against those?
It no longer works.
Try resetting your Screen Time password and perform the actions as if you don't know your iCloud account…

I have just filed a feedback ticket to Apple giving all steps to erase iCloud password knowing only:
> iPhone unlock password
> First Name (from greyed out top of Settings app)
> Last Name (from greyed out top of Settings app)
> email address linked with iCloud which will be 99% times already in Email App on this iPhone without any security
> phone number allocated with probably the same iPhone you have from first part of this list (just call someone number to know it)
 
This is not Apple specific.

It can happen on Windows/Android/ATM/your numeric house lock. Basically anything with a passcode can be stolen if one is not careful. Like the ATM has the signs posted "Be aware of your surroundings and enter your key when no one is watching.......", every user has to use this caution at all times.
 

Apple convenience in this case is the fault.

Something as simple as having the device access code is only for device access.
Changing anything requires a second unique passcode/password. Even if you use keychain, this secondary code should be required to view.

I am sure there are other solutions.
 
Maybe they should have a 24hr master keycode as well as your main one. A code that can only be used once and overrides / restores control back to you. Should mean any legitimate sale of your phone is ok, but if someone did learn your key code and changed your Apple ID credentials you have the master key to get it back to normal.

And if you can only use that master key code once then no one is ever going to see you entering it anywhere etc.
Seems like a simple solution that can't really be abused.
 
Since this came out I have been very cautious about when and where I use my passcode. I go to Karaoke every week and the place I go to is so small and dark, you are packed like a sardine in there. Anyone could easily see your passcode if you need to enter it. What I do now is if prompted, I just cancel it and don't bother or try again in a few minutes and Face ID then works.
 
Is this even the case anymore? When I try to disable Find My, I'm prompted for my Apple ID password, not my passcode. Same if I try to log out of iCloud, this requires me to disable Find My as a part of the process, prompting me to verify with my password, not my passcode.

All of this is common sense. You can't expect a 4-digit passcode to be all that secure. If you feel paranoid, use an alphanumeric passcode, aka password, instead.
And if you try to reset your Apple ID password before doing any of those things, what are you prompted for?
 
So how would you suggest the user be able to.. reset the password.
Put a timer on it (a day maybe, where the change actually goes through a day after you do it.) to give enough time to the original user to get to another device and FindMy, and wipe the stolen device and disable it. That's actually pretty easy as a concept and it keeps the original user from losing everything.
 
Apple just ****ing require the old Apple ID pw when changing pw on IOS just like in MacOS. Problem solved!
And if you don’t have that, require Face ID or Touch ID or a code that was printed out or approval from another device that you are logged in to.

Maybe even require those in addition.

At least give people the option for this. Some people may not want it, some might.
 
iPhone/iPad would be much more secure if... 1) The on-screen passcode was obscured (not displayed) when entering a passcode... 2) Sudden Device Motion (like when a thief snatches your phone out of your hand) would auto-lock the device. 3) An (optional) security feature that would prevent login with a correct passcode if the device's FaceID (TouchID) doesn't also match the face logging in. That way if an iPhone was stolen (or secretly snooped into), the attacker couldn't actually access the device (despite knowing/stealing the passcode). From there, a Recovery Contact, or multi factor authorization would be required to unlock the iCloud account/device.
 
@Mr. Heckles what on earth are you talking about? That is how every other service works, and on Apple's own Mac devices. If you forget your password there are methods to handle that.
 
It's ********. You cannot use the code to eliminate "find my" and you cannot use the code to access the banking application. You can use apple pay, but there are also daily limits.
 
It seems all Apple needs to do is to create an option in settings to have a password (different from the iPhone's password) for the recovery key.
 
Sure, you can be hyper aware of everything around you at all times, but no human is capable of a constant state of alarm--not even you.

Then don’t put yourself or your valuables in a situation where you will be taken advantage of, or worse, if you let your guard down.
 