Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
- Thread starter MacRumors
- Start date
- Sort by reaction score
Because you need the password to unlock the hardware chip “Secure Enclave,” which hosts your faceId authentication key. When your device is restarted, the Secure Enclave is also restarted and needs to be unlocked again.
What drives me crazy is still having to enter a passcode at all… why isn’t face ID ALWAYS the way… I feel like i get forced to enter the passcode manually at random and it takes all the ease of use away. And i should never have to type out my Apple ID password when face ID exists
I think this points to the lack of compartmentalization with iPhone security.
By that I mean this definition; "the act or process of dividing something into separate and isolated categories, sections, areas, or compartments."
Most well secured plans separate any common method of accessing everything by some passcode. You use multiple passcodes to access different branches of what you are securing. This paragraph is enough said.
So irregardless how invulnerable people think Face ID, or Touch ID is if a knowledgeable party knows a method to overcome that, anyone should realize that putting all your eggs into one safe opened by one combo is stupid. Thats how must hardened security works. One barrier to get in, multiple barriers to each part of what being protected, not a keychain.
Fear mongering when Face ID comes out - Don't use faceID because we fooled it with a detailed facial scan and a $5000 custom printed mask!
Fear mongering when users now enter passcodes every 10 seconds in public - Don't use passcodes as people can look at them!
This is why biometric authentications are better - most thieves are opportunistic and most people aren't being targeted as state level actors. If you never enter your passcode, it can't be spied on.
Fear mongering when users now enter passcodes every 10 seconds in public - Don't use passcodes as people can look at them!
This is why biometric authentications are better - most thieves are opportunistic and most people aren't being targeted as state level actors. If you never enter your passcode, it can't be spied on.
If someone still has an iPhone that requires the use of a passcode, I think we can all agree that it's better the phone be stolen. That would mean the person has iPhone 5 or...... OLDER. Oh god. I'm feeling verklempt, talk amongst yourselves.
Apple needs to change the Password Reset security hole on the iPhone. It would be better if you needed your Device Passcode AND your current iCloud Password in order to change the password.
That would cut off a lot of exposure. Yes, ApplePay would still be an exposure, but at least you could save your iCloud account and find a way to remote wipe the device.
That would cut off a lot of exposure. Yes, ApplePay would still be an exposure, but at least you could save your iCloud account and find a way to remote wipe the device.
While you are absolutely correct, Apple should share some of the blames for allowing 4-digit passcode.
The use of certain features should mandate stronger passcode or password, such as Wallet, iCloud Keychain Password, and Health.
This is by far the most relevant comment here. It's not that the thief can read your mail and check your photos, but that they can remove your user from the phone and lock you out. This is not equivalent to just stealing your car, but with re-registering it in their name!
Changing the associated iCloud account should ALWAYS require its password. Just like when you change mostly any password, you first have to enter the old one, then the new -- so the system identifies that you are, well, you. Also, there's not even a usability trade-off here, I mean how often do you change the phone's account?
I’m shocked just how many people I know with iPhones who don’t bother with FaceID and who never bothered with TouchID either. So many people just use the passcode through habit.
Semi-related to the story.
I visited a tire shop last week to get my tires rotated. I'm standing in line waiting my turn; and the customer service person was assisting a woman who had purchased a set of tires, and she was checking out.
He totaled everything up, presented her with a itemized list, and she questioned each line of the list. Ok; no problem. She is just making sure of what she is purchasing.
He asked her if it was cash or credit; she told him credit. He instructed her to place her card in the reader. She declined, because she "didn't trust those readers". He offered to take the card from her and enter the digits manually, but she declined that option as well, because she insisted on just reading the numbers out loud, along with the security code and expiration date. As she is reading this off, he is typing it in.
I and another guy in line both looked at each other, then looked up at her reading off her credit card info in a very public (maybe 10 people in there) place. I still remember her security code (183) and her expiration date (05/27).
I'm guessing this person has had her card number stolen countless times, but it's always because of those damned credit card machines or employees swiping her number.
I visited a tire shop last week to get my tires rotated. I'm standing in line waiting my turn; and the customer service person was assisting a woman who had purchased a set of tires, and she was checking out.
He totaled everything up, presented her with a itemized list, and she questioned each line of the list. Ok; no problem. She is just making sure of what she is purchasing.
He asked her if it was cash or credit; she told him credit. He instructed her to place her card in the reader. She declined, because she "didn't trust those readers". He offered to take the card from her and enter the digits manually, but she declined that option as well, because she insisted on just reading the numbers out loud, along with the security code and expiration date. As she is reading this off, he is typing it in.
I and another guy in line both looked at each other, then looked up at her reading off her credit card info in a very public (maybe 10 people in there) place. I still remember her security code (183) and her expiration date (05/27).
I'm guessing this person has had her card number stolen countless times, but it's always because of those damned credit card machines or employees swiping her number.
Using Apple Pay is risky this way. I'm extremely careful about it. Supermarkets, everywhere.
This is a huge problem for me. Supermarkets and such, and people in line next to you have always been risky with the stupid pins on cards, but this is a whole other level of risk. I won't do it. They can steal my debit card and good luck with that, but no way I'm going there with this
This is a huge problem for me. Supermarkets and such, and people in line next to you have always been risky with the stupid pins on cards, but this is a whole other level of risk. I won't do it. They can steal my debit card and good luck with that, but no way I'm going there with this
Yes it always comes down to Dilbert's "Everything is so secure noone can do anything"
A lot of people are using extremely simple 4 digit pins. I've seen 1111, 1234, 0000, 9999, anything to make it quicker to input.
And a lot of people aren't using FaceID. I see it all the time in stores when people use Apple Pay, on phones with FaceID.
You can't fix stupid.
And a lot of people aren't using FaceID. I see it all the time in stores when people use Apple Pay, on phones with FaceID.
You can't fix stupid.
And that is an issue too. Anything that should be secure should only use biometrics or a separate credential that is not the device code.
Apple must remove 4 digit codes in future updates for the sake of security.
I was wrong about ALL apps will accept the device passcode as a backup to face-id. I just tested it on Bitwarden, and the only backup to face-id it will accept is the master passcode of the password database. But a lot of apps will accept your device passcode as a backup to face-id.
Most secure websites setup don't even allow that for accounts as a comparison.
Yea just the loud insistance on reading them would have everyone ready with notepad by the time she actually did.
No, they have to appeal to the lowest denominator.
The problem is not everybody wants or needs these extra security layers.
Maybe Apple should consider to request a second factor like the hardware tokens they support now for things like the change of passwords.