iOS 17 Locks Your Safari Private Browsing Behind Face ID

[RamGuy]

I use private browsing 100% of the time. I personally don’t need history, so the only thing history does for me is increase my risk factor. Remember a few years ago there was a bug in Safari that allowed any website to view your full browsing history. No thanks.

If this can’t be toggled, my life is going to become extremely painful. I really, really, really don’t want to have to authenticate every time Safari opens.

It can be toggled. I just tested this on iOS 17 Dev BETA1. And it will require you to unlock it if you go outside of Safari for some time etc. So if you live in private browsing mode, you will still have to unlock it. It doesn't even unlock automatically, and you have to tap unlock for it to do it. That might change of course.

Luckily for you, the entire feature can be disabled in the Safari settings on iOS.

 

[Smartass]

Finally, my porn history is safe!

 

[LuisNeto]

Using seatbelts evidently increases safety with almost no downside to the seatbelt user.

What is the impact of using different passcodes for different functionality on your device?

@mrochester :

• Scenario 1: A thief has your iPhone, knows your Passcode and in iOS it's possible to change the Apple ID password just by using the Passcode. The thief can lock you out of your Apple account forever.
• Scenario 2: A thief has your iPhone, knows your Passcode but fortunately in iOS it's not possible to change your Apple ID password just by using the Passcode. The actions the thief can do are limited and he can't lock you out of your Apple account.

Scenario 1 is how things work nowadays.
Isn't it obvious that scenario 2 is better?

@marvin_h: 100% agree with your points. This is a very important issue that needs addressing.

@marvin_h & @mrochester : I had created a thread last week specific for this issue, where I asked if this had been addressed in iOS 17.
You might want to check it out (link).

I even suggested different ways to address it here.

 

[mrochester]

@mrochester :

• Scenario 1: A thief has your iPhone, knows your Passcode and in iOS it's possible to change the Apple ID password just by using the Passcode. The thief can lock you out of your Apple account forever.
• Scenario 2: A thief has your iPhone, knows your Passcode but fortunately in iOS it's not possible to change your Apple ID password just by using the Passcode. The actions the thief can do are limited and he can't lock you out of your Apple account.

Scenario 1 is how things work nowadays.
Isn't it obvious that scenario 2 is better?

@marvin_h: 100% agree with your points. This is a very important issue that needs addressing.

@marvin_h & @mrochester : I had created a thread last week specific for this issue, where I asked if this had been addressed in iOS 17.
You might want to check it out (link).

I even suggested different ways to address it here.

Contrast that with:

Scenario 1: you’ve forgotten your Apple ID password and need to reset it. You know your device passcode because you use it all the time, so you can reset the password.

Scenario 2: you’ve forgotten your Apple ID password and need to reset it. You know your device passcode but you can’t use this as a means to authenticate that it’s you, so you are locked out of your account.

Apple won’t address this, as it’s the way this type of security is designed to work (they are called passkeys). You Need to make sure no one learns what your passcode is.

With passkeys, the security on the device the passkey is associated with effectively becomes the password for that account. So because your iPhone is a trusted device for your Apple ID, the device passcode becomes a master password for your Apple ID. The same way that if your iPhone is a trusted device for your Google account, your device passcode effectively becomes the master password for your Google account.

There’s nothing here for Apple to fix per se, as it is working as expected.

 

[LuisNeto]

Scenario 2: you’ve forgotten your Apple ID password and need to reset it. You know your device passcode but you can’t use this as a means to authenticate that it’s you, so you are locked out of your account.

You should not lose your Apple ID password.
That's what password managers are for.
Don't use a password manager? Keep the password written somewhere. It could even a piece of paper at home.

If you do none of this and one day you find yourself in a situation where you don't know your password, that's your fault.

Apple should not implement the security of their devices to make life easy for people who are not responsible in managing their password.

Plus, what I suggested in my other thread is that Apple could still enable a setting to allow people to reset the Apple ID password by using another Apple device they own.

I strongly suggest you have a read at my other thread, if you'd like to continue the conversation.
Let's not change the topic of this one.

 

[marvin_h]

Scenario 2: you’ve forgotten your Apple ID password and need to reset it. You know your device passcode but you can’t use this as a means to authenticate that it’s you, so you are locked out of your account.

Apple, Google and just about every other large organization has a help line that can do a slightly more thorough check that you are who you say you are than simply whether you have the screen lock code to a device, before re-setting your (in this case) Apple ID. Is that inconvenient? A little. Should that be mandatory? Doesn't have to be. Could it be an OPTION? Heck yeah.

In fact, Google has made it an option. Funny day when Google has better security options than Apple. But here we are.

 

[marvin_h]

Using seatbelts evidently increases safety with almost no downside to the seatbelt user.

What is the impact of using different passcodes for different functionality on your device?

Allowing a user to separate the screen lock code from a code that accesses my entire digital kingdom (iCloud, KeyChain, email, etc) would double the security of the device, with a tiny amount of "opt in" inconvenience, if I choose it.

 

[_Spinn_]

Surprised it took this long to get this.

 

[mrochester]

You should not lose your Apple ID password.
That's what password managers are for.
Don't use a password manager? Keep the password written somewhere. It could even a piece of paper at home.

If you do none of this and one day you find yourself in a situation where you don't know your password, that's your fault.

Apple should not implement the security of their devices to make life easy for people who are not responsible in managing their password.

Plus, what I suggested in my other thread is that Apple could still enable a setting to allow people to reset the Apple ID password by using another Apple device they own.

I strongly suggest you have a read at my other thread, if you'd like to continue the conversation.
Let's not change the topic of this one.

And in the real world, people forget their passwords all the time, and don’t write them down and don’t use password managers, especially Apple ID since people rarely ever have to type it.

 

[LuisNeto]

And in the real world, people forget their passwords all the time, and don’t write them down and don’t use password managers, especially Apple ID since people rarely ever have to type it.

Those people should be more responsible.

Defending that the way it works nowadays (being possible to change the Apple ID password just by using the Passcode) is perfectly fine, just because there are people in the world that don't manage a password properly, does not make sense.
Responsible people who value security don't have to pay for those who are irresponsible.

However, in the other thread I suggested that Apple can still cater for them by having configurable settings, where each person chooses how they want to balance security VS convenience.

 

[mrochester]

Those people should be more responsible.

Defending that the way it works nowadays (being possible to change the Apple ID password just by using the Passcode) is perfectly fine, just because there are people in the world that don't manage a password properly, does not make sense.
Responsible people who value security don't have to pay for those who are irresponsible.

However, in the other thread I suggested that Apple can still cater for them by having configurable settings, where each person chooses how they want to balance security VS convenience.

Can Apple do that? Is Apple’s security and authentication a proprietary system or is it adhering to the passkey standard?

 

[DeepIn2U]

Edge for iOS had this feature first - but safari will be privacy oriented.

Microsoft Edge already does this. Noticing a significant trend while looking at the new features Apple has with 17. A lot of hardware/software companies are already doing it & some have done it for a long time.

Not that this is bad. What’s bad is Apple not able to feature the gimmick properly until 8 months after public release.

Edge doesn't seem to do this for the 2yrs I've had it on iOS 14-to current iOS 16.x
definitely not on by default and does not engage a password nor FaceID on iOS.

 

[I7guy]

Edge doesn't seem to do this for the 2yrs I've had it on iOS 14-to current iOS 16.x
definitely not on by default and does not engage a password nor FaceID on iOS.

An inprivate session in Edge with the latest of updates allows you to turn face id on to access the tab.

 

[kitKAC]

Responsible people who value security don't have to pay for those who are irresponsible.

Responsible people protect their passcode so they don't have to worry if their iPhone is stolen.