with FaceID, they key is to setup an Alternative Appearance. There’s only 1 additional slot. Fill it up with another scan of yourself. Then the only way a new FaceID can be added is to completely reset it, which will force every app to have to resubscribe and login again.
when setting up the screen time passcode, you can skip the AppleID recovery option which resolves this flaw. Of course, don’t forget your screen time passcode!
I just tried setting up screen time without providing my Apple ID. But after setting it up that way, I was still able to do the flaw I described.
The difference is if you skip the recovery in the initial setup, you will have to provide your AppleID password to recover, not just your passcode.
Not if you select “forgot password” when it asks for Apple ID password. It will then accept the device passcode to reset your Apple ID password. Like I described earlier.
This is the common sense solution.
Not at all. It’s more to point out a flaw in which someone can reset a person’s entire Apple ID by just knowing said passcode. Of course people should use better than 4-digit passcodes in the first place but it is ludicrous that that can be done.
Yeah. I think this is the biggest point the WSJ story is making. This is flying over many of the drive-by commenters heads here. They read a headline and just commented without reading more.
Actually it is a sign of rapidly increasing moral decay and the exploding sense of entitlement of those who would rather steal then earn.
I haven’t had a 4 digit passcode in years.
It’s Apple’s fault when they allow your Apple ID to be reset simply by providing your device passcode. You don’t have to be drunk for someone to watch you enter your device passcode and then steal it. Sure 8+ digits will make it a little harder to snoop, but not impossible. It’s foolish that Apple allows an Apple ID to be reset by just the device passcode.
The biggest point is if you don’t secure your iPhone properly, which was never said people can get into your phone by social engineering.
I already described how both screen time password and the Apple ID password can still be reset by the device passcode.
Sadly true. They should re-vamp the whole AppleID security, as 2 factor is also useless once you have device access. It just appears on screen / gets sent via sms, to the iPhone.
I’m already stuck using two Apple IDs (my iTunes ID for media and purchases predates my iCloud ID which does the heaving lifting for banking, medical, 2FA, etc.) so I’m brainstorming the outcome from removing my iCloud ID from my iPhone and Watch going forward (and promoting the iTunes ID to primary role on iPhone). [Edit: it was better for me to create a third ID for the iPhone and use the iTunes ID the same way as before, as the secondary ID for media and purchases.]
How is this glance / duress proof?
I don’t know what you did or not, but until you have an authoritative citation it can’t be done. Unless you have some specialized hardware you can’t take over an Apple ID without knowing the passcode or wiping the phone.
Wrong! Read my earlier post (#302) on how to do it. I tested it on my own phone. Big time Apple security flaw!!
You need proof of this claim. I don’t know what you did or didn’t. With one billion devices someone else should have already done this.
LOL!! I don't need to prove to you. You can simply try it yourself on your own phone. Also check Reddit, many others have been talking about this flaw. It's a fact.
Can confirm. *If* you know the device passcode (glanced), the device and AppleID are compromised.
