Totally unrealistic for any but the dumbest people. Which certainly correlates to where these incidents happen.

Obviously you don’t use your passcode when around other people. You shouldn’t need to.
 
I never understood why Face ID is enough for some parts but for other parts you suddenly need the passcode, like why? Is Apple implying Face ID is less secure than a 4-digit passcode?

Because you need the password to unlock the hardware chip “Secure Enclave,” which hosts your Face ID authentication key. When your device is restarted, the Secure Enclave is also restarted and needs to be unlocked again.
 
A pretty straightforward fix for this would be to have a setting that, if the user wants, scrambles the numbers on the numpad passcode entry screen in a random order every time. So it's still your 6-digit passcode to get in, but the numpad is not always 1 2 3, 4 5 6, 7 8 9, 0. This way, someone spying from a distance can't just memorize the "pattern" of where you tap. E.g., pressing on the top right button does not necessarily mean "3".

Some banks already do this.
 
What drives me crazy is still having to enter a passcode at all… why isn’t Face ID ALWAYS the way… I feel like I get forced to enter the passcode manually at random and it takes all the ease of use away. And I should never have to type out my Apple ID password when Face ID exists.
 
You just have to be careful when using your iPhone outside in public.
Apple needs to consider bringing back Touch-ID. Two Factor Authentication: Touch ID + Face ID simultaneously
I think this points to the lack of compartmentalization with iPhone security.

By that I mean this definition; "the act or process of dividing something into separate and isolated categories, sections, areas, or compartments."

Most well secured plans separate any common method of accessing everything by some passcode. You use multiple passcodes to access different branches of what you are securing. This paragraph is enough said.

To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the victim's last four digits of their Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."

So irregardless how invulnerable people think Face ID, or Touch ID is if a knowledgeable party knows a method to overcome that, anyone should realize that putting all your eggs into one safe opened by one combo is stupid. That's how most hardened security works. One barrier to get in, multiple barriers to each part of what's being protected, not a keychain.
 
Fear mongering when Face ID comes out - Don't use faceID because we fooled it with a detailed facial scan and a $5000 custom printed mask!

Fear mongering when users now enter passcodes every 10 seconds in public - Don't use passcodes as people can look at them!

This is why biometric authentications are better - most thieves are opportunistic and most people aren't being targeted as state level actors. If you never enter your passcode, it can't be spied on.
 
If someone still has an iPhone that requires the use of a passcode, I think we can all agree that it's better the phone be stolen. That would mean the person has iPhone 5 or...... OLDER. Oh god. I'm feeling verklempt, talk amongst yourselves.
 
Apple needs to change the Password Reset security hole on the iPhone. It would be better if you needed your Device Passcode AND your current iCloud Password in order to change the password.

That would cut off a lot of exposure. Yes, ApplePay would still be an exposure, but at least you could save your iCloud account and find a way to remote wipe the device.
 
In other words, don’t be an idiot.

You would have to be drunk beyond recognition for Face ID to not recognize your face and request a PIN. If you’re wearing a mask, just look down to unlock.

Why would anyone be entering their PIN in front of other strangers?
While you are absolutely correct, Apple should share some of the blame for allowing 4-digit passcodes.

The use of certain features should mandate stronger passcode or password, such as Wallet, iCloud Keychain Password, and Health.
 
Actually, the issue is that with just the iPhone passcode, which is far less secure than the iCloud password, you can gain access to the iPhone and are able to reset the iCloud password (without the iPhone prompting for the iCloud password again). This is a big deal and I would believe is a huge oversight from Apple. I'm forced to enter my iCloud password to purchase a free app on the App Store, but not for resetting the iCloud password?

This is by far the most relevant comment here. It's not that the thief can read your mail and check your photos, but that they can remove your user from the phone and lock you out. This is not equivalent to just stealing your car, but to re-registering it in their name!

Changing the associated iCloud account should ALWAYS require its password. Just like when you change mostly any password, you first have to enter the old one, then the new -- so the system identifies that you are, well, you. Also, there's not even a usability trade-off here, I mean how often do you change the phone's account?
 
Semi-related to the story.

I visited a tire shop last week to get my tires rotated. I'm standing in line waiting my turn; and the customer service person was assisting a woman who had purchased a set of tires, and she was checking out.

He totaled everything up, presented her with an itemized list, and she questioned each line of the list. Ok; no problem. She is just making sure of what she is purchasing.

He asked her if it was cash or credit; she told him credit. He instructed her to place her card in the reader. She declined, because she "didn't trust those readers". He offered to take the card from her and enter the digits manually, but she declined that option as well, because she insisted on just reading the numbers out loud, along with the security code and expiration date. As she is reading this off, he is typing it in.

I and another guy in line both looked at each other, then looked up at her reading off her credit card info in a very public (maybe 10 people in there) place. I still remember her security code (183) and her expiration date (05/27).

I'm guessing this person has had her card number stolen countless times, but it's always because of those damned credit card machines or employees swiping her number.
 
Using Apple Pay is risky this way. I'm extremely careful about it. Supermarkets, everywhere.
All of my major financial apps require either Face ID or a password for that financial institution. Apple Pay is problematic in that if you know the passcode you can effect a transaction; maybe there should be a secondary password on Apple Pay.

This is a huge problem for me. Supermarkets and such, and people in line next to you have always been risky with the stupid pins on cards, but this is a whole other level of risk. I won't do it. They can steal my debit card and good luck with that, but no way I'm going there with this
 
Pretty soon Apple will make it so secure that it is useless to use. For example, in the US military there was a program called Guardian Edge to encrypt files. It needed a password of 20+ characters (letters, numbers, and special characters), needed at least 5 special characters, no sequential letters or numbers, no characters that could form words with more than 2 letters, had to be changed every 30 days, and can't use any of the previous 20 passwords. So secure, someone couldn't even get back into it.
Yes, it always comes down to Dilbert's "Everything is so secure no one can do anything."
 
A lot of people are using extremely simple 4 digit pins. I've seen 1111, 1234, 0000, 9999, anything to make it quicker to input.

And a lot of people aren't using FaceID. I see it all the time in stores when people use Apple Pay, on phones with FaceID.

You can't fix stupid.
 
The article is wrong about it being safer if you use a password manager such as 1Password on your phone. All apps on the iPhone (including 1Password) that are set up to use Face ID will accept your device passcode as a backup for Face ID.
And that is an issue too. Anything that should be secure should only use biometrics or a separate credential that is not the device code.
 
And that is an issue too. Anything that should be secure should only use biometrics or a separate credential that is not the device code.
I was wrong about ALL apps will accept the device passcode as a backup to face-id. I just tested it on Bitwarden, and the only backup to face-id it will accept is the master passcode of the password database. But a lot of apps will accept your device passcode as a backup to face-id.
 
Semi-related to the story.

I visited a tire shop last week to get my tires rotated. I'm standing in line waiting my turn; and the customer service person was assisting a woman who had purchased a set of tires, and she was checking out.

He totaled everything up, presented her with an itemized list, and she questioned each line of the list. Ok; no problem. She is just making sure of what she is purchasing.

He asked her if it was cash or credit; she told him credit. He instructed her to place her card in the reader. She declined, because she "didn't trust those readers". He offered to take the card from her and enter the digits manually, but she declined that option as well, because she insisted on just reading the numbers out loud, along with the security code and expiration date. As she is reading this off, he is typing it in.

I and another guy in line both looked at each other, then looked up at her reading off her credit card info in a very public (maybe 10 people in there) place. I still remember her security code (183) and her expiration date (05/27).

I'm guessing this person has had her card number stolen countless times, but it's always because of those damned credit card machines or employees swiping her number.
Yeah, just the loud insistence on reading them would have everyone ready with a notepad by the time she actually did.
 
While you are absolutely correct, Apple should share some of the blame for allowing 4-digit passcodes.
No, they have to appeal to the lowest denominator.
The use of certain features should mandate stronger passcode or password, such as Wallet, iCloud Keychain Password, and Health.
The problem is not everybody wants or needs these extra security layers.
 
Maybe Apple should consider requesting a second factor, like the hardware tokens they support now, for things like the change of passwords.
 