Apple will fix this soon. It is shockingly easy for Apple to write code for a second-factor authentication process to change the iCloud password or access your website passwords. They have it for any number of other things (approval from a different device you own to allow children to purchase something). It would be simple to require one of your other devices (like your Apple Watch, a physical key or a text from a friend designated as a “recovery contact” if you only have one device) to reset your iCloud password or access your passwords. Even a delay of one hour without a second-factor authorization to reset your Apple ID password or turn off “Find My” would stop 90% of this. Users could easily be asked if they wanted to toggle this protection on, and if they wanted to toggle it on for non-biometric access.
 
I was brainstorming a bit and thought of an extra security feature Apple could add to reduce this risk-

If you have Face ID enabled and you try to unlock your phone by typing your passcode in, your iPhone has to scan your face to verify it's you. If a thief steals your iPhone and types in your passcode, tries scanning their face, and the phone doesn't recognize them, they have to pass a second round of authentication. This could be by answering a security question, or sending a code to another Apple device or your email address.

In addition, there should be two-factor authentication for force signing out trusted devices.
 
Security is obviously reduced while entering a passcode in public spaces. The only way to increase security is to at least make it a 6-digit passcode or alphanumeric. Don’t know how Apple can improve security here. Touch ID can be useful.
 
If a thief forces you to give up your passcode and they run off with your phone unlocked, Face ID should stay active during use. Within seconds it should lock out on seeing a different face looking at the screen. Even if they have your code, Face ID should be set to authenticate constantly.
 
[snip]

Apple is not innocent either. Somehow they think it makes the phone more secure to occasionally demand your passcode at the most inconvenient times. This is way less secure. I have been asked for the passcode while in public and I actually waited until I went to a private location before entering it. Ask for it every restart, fair. But if the phone has been on and there are no multiple failed Face ID attempts, DO NOT ask for the passcode.

----

My mileage may be an exception, but I get asked for my passcode (1) once a week, to "enable Face ID," and (2) whenever I try doing something wild and crazy like connecting via cable to my Mac, when the hive mind wants authentication multiple times in order to (a) back up the phone to my 'puter ('cause that's the way I roll, backup-wise) and (b) actually go ahead and install an iOS update. I also occasionally (3) get asked to authenticate via passcode when I want to use Apple Card via proximity for payment at a POS machine — while wearing a mask (so much for Face ID with a mask). Sometimes the old magic works, and sometimes it doesn't.

None of that would be much of an issue if I hadn't upgraded my passcode from four digits to many characters, digits, and special characters.
 
I would be happy to enable Touch ID if my phone had it. I would also turn on Apple Watch unlock if I was able to do so without Face ID.

Still hate hate hate hate hate that authentication system.
 
I was brainstorming a bit and thought of an extra security feature Apple could add to reduce this risk-

If you have Face ID enabled and you try to unlock your phone by typing your passcode in, your iPhone has to scan your face to verify it's you. If a thief steals your iPhone and types in your passcode, tries scanning their face, and the phone doesn't recognize them, they have to pass a second round of authentication. This could be by answering a security question, or sending a code to another Apple device or your email address.

In addition, there should be two-factor authentication for force signing out trusted devices.

That same device likely has your email on it also.
 
It seems that the short 4-digit passcodes are not very secure so maybe best to use alphanumeric and/or long passcodes (12 or more digits) ?
It sounds to me like the report is only detailing incidents of thieves looking over the shoulders of victims while they punch in their code. I'm sure they are also video recording the PIN entry in some cases so I don't see how a long PIN will make a difference here. These are grab and run thefts, not brute forcing hacks.
 
Who enters their passcode manually in a public place?
This is a narrative started by apps like 1password I suspect 😏
A lot more people do that than you would imagine. And also in dark bars and places with extreme lighting, Face ID sometimes fails and forces manual PIN entry.
 
Same as anyone using an ATM and not covering the keypad when entering the code. Also, didn’t Kanye West get caught on camera using 0000 as his passcode? I bet he uses 123456 as his password on his PC.
 
tl;dr: Shoulder Surfing attacks can happen with our phones too. This is why we have Face ID and Touch ID.

Once again: The iPhone and iPad ruined a generation of computer users. Apple has made so many people soft, and they forget basic cybersecurity as they think their phone and Apple will do it all for them.
Those people were never going to implement best cybersecurity practices anyway and they will always exist with or without Apple. They are mostly consumers that value convenience over security. Apple just got their money instead of some other company.
 
I would be happy to enable Touch ID if my phone had it. I would also turn on Apple Watch unlock if I was able to do so without Face ID.

Still hate hate hate hate hate that authentication system.
I prefer Touch ID, but Face ID is pretty seamless. I was worried about it working while I lay in bed, but unless my face is completely obscured by the pillow, it still works. My only grievance was when masking was still everywhere. Very inconvenient having to lower my mask, and potentially expose myself.

The half-face Face ID measure was too little, too late. They should have implemented the power button Touch ID like what they use on some iPads. Plus it would have allowed a radically reduced notch/Dynamic Island, which is nonsense.
 
This is why I disagree with the users on here who keep saying passcode is more secure and stop using Face ID if you don't want people to take your phone and point it at you, etc. Perhaps the passcode is technically more secure, but it is practically way less secure. Face ID is secure especially if you enable "attention required." Always use Face ID. Never enter your passcode in public unless you are sure no one is looking at your screen (and to be extra secure, that no camera overhead is looking down at you).

Apple is not innocent either. Somehow they think it makes the phone more secure to occasionally demand your passcode at the most inconvenient times. This is way less secure. I have been asked for the passcode while in public and I actually waited until I went to a private location before entering it. Ask for it every restart, fair. But if the phone has been on and there are no multiple failed Face ID attempts, DO NOT ask for the passcode.
Statistically, 6 digit PINs and Face ID are about the same in terms of security. And while random or planned passcode requests might be inconvenient, they definitely keep things more secure. They also help remind users to value and guard their passcodes.
 
The fact that it’s a second password is the point.

No. The lock screen has not only a password but protects all your data. It's made strong enough that the FBI had trouble with it. Screen Time is not designed like that at all.

As a temporary measure, if you want to feel safer and you are at high risk of having your phone snatched from you, then sure, turn it on, but recognize it is a band-aid and not even a fix, and provides marginal security only.

As I said, the problem can be solved by:

  1. People need to stop using crappy PIN codes and use alphanumeric passphrases
  2. Disallow iCloud password change without previous password
  3. Introduce a new feature to be able to lock certain apps from the OS level--this means you can lock your email app to require double authentication even if someone snatches your phone away from you when you're using it (unlocked).
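The arithmetic behind the 4-digit versus 6-digit versus alphanumeric argument earlier in the thread, and behind item 1 above, as an added example (not code from the thread or from Apple). It assumes the figures Apple publishes in its Platform Security Guide: the Secure Enclave paces passcode attempts to roughly 80 ms each, the optional Erase Data setting wipes after 10 failures, and Face ID's false-match probability is quoted as 1 in 1,000,000. The alphabet sizes and the common-PIN blocklist are constructed for illustration; the weak-PIN heuristics say nothing about a shoulder-surfed code, which is known outright regardless of length.

```python
"""Passcode strength arithmetic and a weak-PIN check (added example)."""
import math

# Figures Apple publishes in the Apple Platform Security Guide (assumed here):
SECURE_ENCLAVE_DELAY_S = 0.08        # on-device pacing per passcode attempt
FACE_ID_FALSE_MATCH = 1 / 1_000_000  # quoted false-match probability
ERASE_AFTER_ATTEMPTS = 10            # "Erase Data" wipes after 10 failures
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabet sizes for the passcode styles iOS offers.
ALPHABETS = {"digits": 10, "lowercase+digits": 36, "printable ASCII": 94}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              per_guess_s: float = SECURE_ENCLAVE_DELAY_S) -> float:
    """Time to try every code at the Secure Enclave's paced rate, ignoring
    the escalating lockouts and the optional erase-after-10."""
    return keyspace(alphabet_size, length) * per_guess_s


def random_guess_success(alphabet_size: int, length: int,
                         attempts: int = ERASE_AFTER_ATTEMPTS) -> float:
    """Chance a thief with no knowledge of the code gets in within `attempts`
    tries.  Per single try, a random 6-digit code (1e-6) matches Face ID's
    quoted false-match rate, which is the comparison made in the thread."""
    return min(1.0, attempts / keyspace(alphabet_size, length))


# Constructed blocklist of frequently chosen PINs (illustrative, not complete).
COMMON_PINS = {
    "1234", "0000", "1111", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "2580",
    "123456", "654321", "111111", "000000", "123123", "112233", "121212",
}


def _is_straight(digits: str) -> bool:
    """Ascending or descending run such as 1234, 4321 or 7890 (wrapping)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {9}


def is_weak_pin(pin: str) -> bool:
    """Heuristic: too short, one repeated digit, a straight, or a common PIN.
    A shoulder-surfed code is compromised whatever this function returns."""
    if not pin.isdigit():
        return False            # only digit-only codes are assessed here
    if len(pin) < 6:
        return True             # 10**4 or fewer possibilities
    if len(set(pin)) == 1 or _is_straight(pin):
        return True
    return pin in COMMON_PINS


def compare_passcode_styles() -> dict:
    """Entropy, exhaustive-search time and 10-try guess odds per style."""
    styles = {
        "4-digit": (ALPHABETS["digits"], 4),
        "6-digit": (ALPHABETS["digits"], 6),
        "6-char lowercase+digits": (ALPHABETS["lowercase+digits"], 6),
        "12-char printable": (ALPHABETS["printable ASCII"], 12),
    }
    return {
        name: {
            "bits": round(entropy_bits(a, n), 1),
            "exhaustive_years": exhaustive_search_seconds(a, n) / SECONDS_PER_YEAR,
            "p_guess_in_10": random_guess_success(a, n),
        }
        for name, (a, n) in styles.items()
    }


if __name__ == "__main__":
    for name, row in compare_passcode_styles().items():
        print(f"{name:25s} {row['bits']:6.1f} bits  "
              f"{row['exhaustive_years']:.3g} years to exhaust  "
              f"P(guess in 10) = {row['p_guess_in_10']:.1e}")
    for pin in ("0000", "1234", "2580", "837152", "654321"):
        print(pin, "weak" if is_weak_pin(pin) else "ok")
```

Running it shows why the thread's numbers line up the way they do: a 6-digit code can be exhausted on-device in about 22 hours at the paced rate, while six lowercase-or-digit characters take over 5.5 years, the figure Apple itself used to justify alphanumeric codes. None of that changes the threat the WSJ-style report describes, where the code is observed rather than guessed; the length argument only covers a thief who did not see it typed.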
 