It seems that the short 4-digit passcodes are not very secure, so maybe it is best to use alphanumeric and/or long passcodes (12 or more digits)?
Imho people who use 4-digit codes, especially stuff like 1111, 1234, 0000 etc., deserve it. Idk how people can be so careless just for commodity.
On my iPhone, with two factor authorization on, and when I tried to change my password through settings, I could not go any further, until a code was received from another device. The WSJ article mentioned 2FA, and it said the code was sent to the same phone. The same phone the hacker had. Obviously not a good idea. https://support.apple.com/en-us/HT204915

I have 2FA on - iPhone 13PM, iPad Pro 11, MBP.
I was able to change it on my iPhone with just my passcode.
I only have had it a must on another device for a new device setup.
Are all your devices trusted devices?
What is different in your setup?
 
It’s about striking a balance between usability and security. Apple will never be able to plug up every scenario that a ne’er-do-well would come up with.
True. And I’m thinking there are some parents reading about this and wondering if their clever kids already know their passcodes and whether or not they should be concerned about their Apple IDs.
 
Let’s say you’re being held against your will and an actor has your phone, trying to authenticate with Face ID. What would you want?

It’s about striking a balance between usability and security. Apple will never be able to plug up every scenario that a ne’er-do-well would come up with.
Being held against your will is a much different situation. Maybe in that circumstance the iPhone can recognize when another person is holding the iPhone as your face is scanned.

In this situation people are looking over shoulders to watch iPhone users enter the code on the number pad and then wait for an opportunity to five-finger-discount the device.

If you’re at a bar use the Watch to pay. It’s 2 button presses and ‘ping-ping’.
Long story short:

A simple PIN should be for unlocking your phone (with Face ID/Touch ID for convenience).

But any account-level changes should be locked behind multiple doors requiring your actual iCloud password.

It shouldn't be easy for anyone other than yourself to change these things.

A bad guy should not be able to reset passwords, turn off Find My, access your money, or gain access to any other vital services if they see you type in a simple PIN and steal your phone.
 
Just a simple “Enter Current Password” as part of the reset process would fix a lot.

Not if you forgot your password.

And dealing with forgotten passwords by users without recovery methods is probably what led to this in the first place.

I’m going to learn about the recovery contact option, since that sounds like a good one once things get locked down more.
Long story short:

A simple PIN should be for unlocking your phone (with Face ID/Touch ID for convenience).

But any account-level changes should be locked behind multiple doors requiring your actual iCloud password.

It shouldn't be easy for anyone other than yourself to change these things.

A bad guy should not be able to reset passwords, turn off Find My, access your money, or gain access to any other vital services if they see you type in a simple PIN and steal your phone.

They also need another method for most instead of having your password in Settings > Password under AppleID.apple.com or idmsa.apple.com.

Yeah, bet Apple does some changes soon.
 
But you have options via the browser for this, as an example.
But… you can also find this password in Settings > Password.
Not if you get your phone ripped from your hand after someone sees you type in your password. The allegation is you can reset your password with your phone passcode and no other 2FA needed.
If you read the article, one person lost $10,000 due to the phone being stolen (in addition to being assaulted). I don’t know about you, but losing $10k would mean I’d likely lose my house. Besides, all the utopian future education in the world isn’t going stop the actual crime that’s happening in real time.

Have you seen the yearly FBI crime statistics? Yeah, I’m not taking any chances. Again, if you don’t want to get shot, don’t assault innocent people. Simple, really.
In your country maybe. In mine, we don’t have a gun problem. We don’t just shoot everyone that we feel ‘needs a lesson’ and the police don’t either. Hence, violent crime in the manner you’re talking about (whip out a gun to solve your problems) doesn’t particularly exist. So consequently, people generally don’t get murdered by civilians or by the police for what is essentially petty crime.
 
You just have to be careful when using your iPhone outside in public.
Apple needs to consider bringing back Touch ID. Two-factor authentication: Touch ID + Face ID simultaneously.
I agree. I hope Apple is able to figure out under-the-screen Touch ID or move it to the power button. I wouldn't want them to bring back the home button in order to have Touch ID.
If you’re stupid enough to lose your phone then maybe you should go back to using a flip phone instead
 
Please help as I fail to see the problem here. A pal & I have been emailing back and forth about this "vulnerability".

He writes this:
I log into my wife's iPhone using only her four-digit passcode all the time. It doesn't recognize my face so it gives me the option to enter her four-digit passcode; I do that, and I'm in, and then I can do as I like. So of course I've emptied her bank account, numerous times, etc., but thank heaven she's a forgiving soul.

I respond with this:
This is very interesting and it leads me to conclude that there must be some security setting somewhere that you have not turned on yet, because I cannot replicate what you did on your iPhone on my iPhone.

I...
• logged into my wife’s iPhone X using her 4-digit passcode,
• went to iCloud.com, which required I input a password to enter,
• tapped on the blank where the email or user ID is required,
• at the bottom of the screen I get [Log into Apple.com using a password from iCloud Keychain] and when I tap there I get [Face not recognized. Try again/Cancel] and I cannot get into her iCloud account.


So...where's the vulnerability?
Long story short:

A simple PIN should be for unlocking your phone (with Face ID/Touch ID for convenience).

But any account-level changes should be locked behind multiple doors requiring your actual iCloud password.

It shouldn't be easy for anyone other than yourself to change these things.

A bad guy should not be able to reset passwords, turn off Find My, access your money, or gain access to any other vital services if they see you type in a simple PIN and steal your phone.
Agree 100%

I'm very careful with my iPhone and don't use my PIN in public. However, following this discussion thread, I have activated Screen Time and set it so that nobody with the device PIN could access my Apple ID or alter the password (also turned off so they couldn't stop me doing a remote wipe via Find My iPhone).

I also went through all my App settings turning them to the max, so - for example - the app to access my email account requires Face ID and requires it again immediately. Finance apps (i.e. online banking) are accessed by Face ID and I do not use Keychain for passwords related to finance accounts.

And I do think Apple need to change it so you need the OLD password to change your iCloud password.
Just a simple “Enter Current Password” as part of the reset process would fix a lot.
Something like "confirm this on another logged-in device" (except the watch that is on your wrist) would be helpful too.

I'd also like the ability to sign my phone out of iCloud from my watch - or lock it so that it could only be unlocked with the password AND confirmation from a different Apple device.
 
I have 2FA on - iPhone 13PM, iPad Pro 11, MBP.
I was able to change it on my iPhone with just my passcode.
I only have had it a must on another device for a new device setup.
Are all your devices trusted devices?
What is different in your setup?
My MBP is a trusted device. I see what you mean now. When I tried to change my PW, Apple wanted to know my iCloud password. Once I put that in, then the passcode came up. Too easy.
Sorry, I thought you intended that once Face ID is enabled, the code is disabled. However, using Touch ID or Face ID in a disco can be difficult. I think those factors are well considered by thieves and this article is intended for phones with Face/Touch ID enabled, meaning that people use the code even if "IDs" are enabled, for various reasons.
 
Not if you get your phone ripped from your hand after someone sees you type in your password. The allegation is you can reset your password with your phone passcode and no other 2FA needed.

Your premise and not what I was answering to. I may have misunderstood you. I was just looking at other ways to reset your password if you forget it.
If you were being assaulted my guess is you give up everything to save your life. In this case all the security in the world wouldn’t help. Of course you could use the phone and not have any financial apps or information or apple pay set up. I know people who use an iPhone like that. The most a thief would get is the weekly Costco circular.

But the article makes good points about protecting your assets.
My life and my possessions are mine. Muggers choose their destiny. I’ll choose mine. If their destiny includes imperiling my life, my family’s life or trying to steal from me I will take necessary steps to defend the aforementioned. They forfeit the right to exist if they threaten my right to do the same.
 
It's become common practice where I live to set up a Screen Time local passcode and app-limit every important app to 1 min. Then you have an extra security layer over Face ID. Also, with this scheme, you can prevent easy change of your Apple ID password.

It's very common to be robbed by bicycle or from the car window (heavy traffic), with the iPhone unlocked. The thieves manage to change our Apple ID while cycling at full speed. Amazing. With Screen Time, it's way more difficult.
 
Android has a nice feature in that you can set multiple users. You can have a secondary user that only has access to a tightly locked-down feature set and only use that in crowds. The user the phone signs into depends on which passcode you enter.

And I believe 3+ billion Android users are doing this today.

In many societies it's learned at an early age. Greenlanders teach their kids this even before they learn any of their 58 words for snow.