I never understood why Face ID is enough for some parts but for other parts you suddenly need the passcode. Like, why? Is Apple implying Face ID is less secure than a 4-digit passcode?

It’s required once at boot to unlock the Secure Enclave where Face ID data is kept. Also if the phone has not been unlocked for a long time (> 48 hours) etc. There shouldn’t be too many other places where it’s needed?
 
This is why removing TouchID was shortsighted on Apple's part. In situations where FaceID doesn't work, for whatever reason, having TouchID as a backup is a lot more secure than having to input your phone's master password in public (and while drunk or high, ha!).

----------
ETA: Now that I'm thinking about it, TouchID was a reason, along with the headphone jack, that I held on to my 6s as long as I could. Apple Wallet is especially annoying to use when using FaceID isn't possible or is inconvenient.
I miss TouchID, it was so effortless, just pick up the phone with my imprint finger on the button, done. The phone could be sitting on a table at a distance and you could still unlock it without picking it up. Lying in bed and need to check it? Just pick it up. 9 out of 10 times when I wake up and give it a quick glance, I have to put my passcode in.
 
This is why removing TouchID was shortsighted on Apple's part. In situations where FaceID doesn't work, for whatever reason, having TouchID as a backup is a lot more secure than having to input your phone's master password in public (and while drunk or high, ha!).

----------
ETA: Now that I'm thinking about it, TouchID was a reason, along with the headphone jack, that I held on to my 6s as long as I could. Apple Wallet is especially annoying to use when using FaceID isn't possible or is inconvenient.
Tell me you do not know how any of this works with a single post. Achievement unlocked!
Your biometric data is in the secure enclave, locked behind… your passcode. What you are suggesting is that the biometric data be removed from the SE. Not very secure.
 
It seems that the short 4-digit passcodes are not very secure so maybe best to use alphanumeric and/or long passcodes (12 or more digits) ?
Who said anyone is forced to use a 4 digit code? The user can choose a 6 digit code, a custom numeric code or a custom alphanumeric code. The user can choose which works best for them as opposed to being told what to do.
 
I’ve complained to Apple periodically that the UI lights up each key you press when entering your passcode. At least it doesn’t dictate them audibly…

Apple can certainly do more to better protect users, but I think the point of the article is mostly to make people more aware of the risk.
 
...what, exactly, was the point of the 'report'?

"If someone steals your house keys, they could get in your house and take your stuff!" - Joanna Stern later today, probably.
I don’t know. But I want a guest user passcode that allows restricted access to the phone so you can actually let people get in without giving away a 6 digit code that literally gives someone the keys to your entire life.
 
I mean... I get it. I understand the potential threat.

But... the bad guys would have to follow me around hoping they see me type in my code *and* either wait for me to be careless by leaving my phone unattended or they have to pickpocket me.

The chances of *both* of those things happening to me are slim to none.

My phone is either in my hand or deep in my front pocket when I'm in public. I'm just some guy. Nobody is targeting me.

¯\_(ツ)_/¯
 
So one work-around that has been discussed elsewhere is to use Screen Time to disable access to changing the account and the passcode. You can protect Screen Time using a *different* 4 digit passcode. Just be sure to record that new passcode someplace else, off your iPhone in case you forget it. And *don't* use the option to recover the Screen Time passcode using your Apple ID otherwise the thief can just recover it and reset it.

The options are in Settings:

Settings -> Screen Time -> Use Screen Time Passcode
When it asks for Screen Time Passcode Recovery, hit the "cancel" button in the upper left corner, then press "Skip" when prompted, "Are you sure?"

Then disable access to the following:

Settings -> Screen Time -> Content & Privacy Restrictions
Passcode Changes: Don't Allow
Account Changes: Don't Allow

EDIT: More details about disabling Apple ID recovery - when you disable Screen Time Passcode Recovery from having an Apple ID, the difference is that you can *still* reset the Screen Time passcode, the only issue is that instead of only needing the Device passcode, you will be asked for your device's Apple ID password, which theoretically you are not typing in as often in front of strangers in public. So it *should* be more secure.
 
I miss TouchID, it was so effortless, just pick up the phone with my imprint finger on the button, done. The phone could be sitting on a table at a distance and you could still unlock it without picking it up. Lying in bed and need to check it? Just pick it up. 9 out of 10 times when I wake up and give it a quick glance, I have to put my passcode in.
Yes, there are things better about each. Why can't they get both already on a device like Android has?
 
This is why removing TouchID was shortsighted on Apple's part. In situations where FaceID doesn't work, for whatever reason, having TouchID as a backup is a lot more secure than having to input your phone's master password in public (and while drunk or high, ha!).

----------
ETA: Now that I'm thinking about it, TouchID was a reason, along with the headphone jack, that I held on to my 6s as long as I could. Apple Wallet is especially annoying to use when using FaceID isn't possible or is inconvenient.
Both biometric methods have their pluses and minuses. It would be nice to have touch id as a fallback and maybe Apple will make it happen, but I wouldn't hold my breath.
 
I don’t know. But I want a guest user passcode that allows restricted access to the phone so you can actually let people get in without giving away a 6 digit code that literally gives someone the keys to your entire life.
In other words, you want Apple to spend its resources writing a multiuser OS for the iPhone for the few people that want to let others use their phone. Meanwhile, all the MR users will complain that Apple is not giving enough resources to fix their bugs. I'm wondering just what everyone expects of Apple?
 
If your passcode is going to be used to protect your encrypted iCloud data, apple should enforce a 6 digit minimum passcode. It’s crazy how much harder it is to just watch someone type in a 6 digit vs 4 and get it right
 
If you use FaceID and get yourself in a hairy situation, you can prevent the thief from using your face to unlock the phone easily. Just hold the buttons responsible for turning off the phone. On my phone it's either volume up + lock or lock x5. Once the "turn off" screen pops up, the phone requires a password to unlock. You can do that easily in your pocket.

Make sure to configure your phone to be findable when powered off and to cut off control center access when phone is locked (so that it's impossible to turn off data/wifi without unlocking).

Fun fact. This is also great in countries/states where biometrics is not considered covered by the fifth amendment (or an equivalent of it) and where the law does not require you to provide your password to the police. In some countries the cops would use your finger or face to unlock and search your phone (with or without a warrant) as technically these don't qualify as testifying against yourself (and providing a password would).

All that does not prevent bad actors from beating the password out of you with a stick.

 
To all people saying Face ID: Face ID doesn’t help here. Currently all biometrics can be bypassed if someone knows the passcode in iOS, and that’s what this article is all about.
A little bit of chicken and egg. Unless an actor shuts your phone off you do not have to enter a passcode. If you give your phone to someone to take a picture and they shut it off, you will have to enter your password. But hopefully as word of this scam spreads people will become more aware and make their passcode more complex.
 
Banking apps that allow logging in with Face ID are only as secure as your passcode.
This is not actually true.

Many apps allow authentication only with Face ID or your full account password. The passcode alone won't get you anywhere with most banking apps or with 3rd party password storage apps like 1Password, unless someone's able to retrieve your account password from the keychain, using your passcode. (So, don't put it there and you're safe.)
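The distinction drawn in this post (Face ID or full account password, never the device passcode alone) is something an app can enforce at the Keychain level. The Swift snippet below is an added illustration written for this thread; it is not code from any of the apps named above, and the service and account names are made up. It stores a secret behind the biometryCurrentSet access-control flag, so the device passcode is not offered as a fallback when the item is read, and re-enrolling a new face or finger (which is the step a thief with the passcode would take) invalidates the item instead of unlocking it. The weaker userPresence flag, which does accept the passcode, is shown in a comment for contrast.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error {
    case accessControl
    case osStatus(OSStatus)
}

// Constructed identifiers for the example; real apps pick their own.
let exampleService = "com.example.bank.session"   // hypothetical
let exampleAccount = "refresh-token"               // hypothetical

/// Store `secret` so it can only be read after Face ID / Touch ID succeeds
/// with the biometric set enrolled right now.
///
/// - .biometryCurrentSet: biometrics only, no passcode fallback in the prompt;
///   the item becomes unreadable if the enrolled faces/fingers change.
/// - .userPresence would be the weak setting: it accepts the device passcode
///   as a fallback, which is exactly what the thread is worried about.
func storeBiometricOnly(secret: Data, account: String, service: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never backed up / migrated
        .biometryCurrentSet,                             // NOT .userPresence
        &cfError
    ) else {
        throw KeychainError.accessControl
    }

    // Remove any previous item for this service/account before adding.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: secret,
    ]
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
}

/// Read the secret back. The system shows the biometric prompt itself;
/// if the enrolled set changed since `storeBiometricOnly`, the lookup
/// fails (typically errSecItemNotFound) and the app should fall back to a
/// full account login rather than to the device passcode.
func readBiometricOnly(account: String, service: String, reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.osStatus(status)
    }
    return data
}

// Usage (on a real device with Face ID / Touch ID enrolled):
// try storeBiometricOnly(secret: Data("constructed-token".utf8),
//                        account: exampleAccount, service: exampleService)
// let token = try readBiometricOnly(account: exampleAccount, service: exampleService,
//                                   reason: "Unlock your session")
```

The important design choice is in the access-control flags: an item created with .biometryCurrentSet is bound to the current Face ID or Touch ID enrollment, so knowing the passcode and adding a new face does not recover it. Treat a failed read as "log in again with the account password", which is the behaviour the post above describes for banking and password-manager apps.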
 
Dear lord that’s crazy that a freakin thief could have that much access with just a simple code, and the audacity of one grabbing it from your hands or intimidating you to give it up. I assume this could happen anywhere, probably less likely in carry states.
 
In the typical rush to defend Apple some have missed the forest for the trees - that it's simply too easy to reset an iCloud password using only a passcode. What benefit is there in having advanced security like Face ID and Touch ID if Apple lets users bypass that with a simple passcode?
In a typical rush to criticize Apple some may have missed the boat: simple, you never enter your passcode in a public location. Make sure your phone is armed with face id and touch id operational.
The solution is easy - require more factors before an iCloud password can be reset. For example, require either Face or Touch ID to be used in combination with the passcode when resetting the iCloud password.
That's not simple as the more difficult it is to authenticate the more issues that will crop up.
 
I'm astounded by the comments blaming the users and not bad design by Apple, so let's get things straight:
Agreed. The fact that the PIN code could get into all the saved passwords is what raised my eyebrow. Makes me glad that I'm using a third party password manager.
 
In a typical rush to criticize Apple some may have missed the boat: simple, you never enter your passcode in a public location. Make sure your phone is armed with face id and touch id operational.
So if Face ID or Touch ID aren't working due to environmental issues then users are supposed to just go without using their phones?
That's not simple as the more difficult it is to authenticate the more issues that will crop up.
Looking at your phone or putting your finger on a fingerprint sensor is difficult, for something done as infrequently as resetting one's iCloud password? You seem to argue just for the sake of arguing.
 