How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently

[edit: the below is now fixed with 16.4 and later.]

It doesn’t work though. If the thief knows the passcode and the Apple ID (discoverable in a few areas of the Settings app, or just by looking at the email accounts set up on the phone), they can change the Apple ID password, bypassing the screen time restriction, and then add a recovery key. I wish Joanna Stern would stop recommending that as a solution.

Is that true if you don’t make the Screen Time passcode recoverable with the Apple ID, though? If you have a separate Screen Time passcode that can’t be reset without knowing what it is, it should work for preventing access to the account settings.

OK, I have to recant what I just said, and I’ll go update the article. The Screen Time passcode is always vulnerable to being turned off by someone who knows the Apple ID password. I verified this by creating a Screen Time passcode and explicitly skipping the step that claims to provide Apple ID recovery.

Then I tapped Change Screen Time Passcode > Turn Off Screen Time Passcode. That asks for the passcode, which a thief wouldn’t know, but there’s a Forgot Passcode? link at the bottom of the screen. Tap that and you’re prompted for your Apple ID and password, and once you enter them, the Screen Time passcode is deleted.

I consider this a serious bug in Screen Time, not to mention overall iOS security.

Wait a second! I’ve gotten mixed up about the chronology of events here.

The thief has stolen the passcode and the iPhone, but when they attempt to change the Apple ID password, the Screen Time passcode will block them from accessing the account settings. And since they don’t know the Apple ID password, they can’t use it to turn off the Screen Time passcode.

So I’m recanting my recanting and restoring my original text in the article.

Augh! The plot continues to thicken. You’re a thief with a stolen iPhone and its passcode. But there’s a Screen Time passcode preventing you from changing the Apple ID password. I think, but I haven’t confirmed for sure, that there may still be a workaround.

What I wrote above about turning off the Screen Time passcode is still accurate, but if you don’t know the Apple ID password, Apple helpfully provides another Forgot Apple ID or Password link. Tap that and you get into the flow of resetting the Apple ID password, which I think you can do if you know the iPhone’s passcode as long as the user hasn’t set up a recovery key. I had done that, so at some point, I was asked for my recovery key, and there’s no way a thief would know that.

So the combination of a Screen Time passcode and a recovery key should be full protection. Back to the article! I hope you’re all enjoying watching this in real time.

As it turns out, Apple fixed this with 16.4, at least if you have a trusted phone number and more than one trusted device. It used to be you could do a certain set of actions that would allow you to change the password even with the screen time passcode block (I won’t list them.) But with 16.4 Apple now requires you to confirm a trusted phone number, and then requires you to use another trusted device to actually change the password.

Ok, as I said I’ve avoided typing out the actual steps, but that’s what they were. Prior to 16.4 [edited: 16.4.1], if you went through that procedure, it didn’t ask for the recovery key (or a trusted phone number) - it just let you change the Apple ID password. At the time Joanna Stern published her original article, that vulnerability existed. It still does I suspect if you are on iOS older than 16.4 [edited: 16.4.1].

Thanks, I’ll have to test this all the way through—I am running 16.4.1.

For me, even if setting up a Screen Time passcode isn’t an impregnable defense, doing so is a good idea because it could buy me enough time to wipe my phone before a thief figured out how to bypass the passcode.

Adam

Do I recall correctly that this problem would disappear if Apple required that you enter the current Apple ID password before you can change it?

Norbert

Quick correction: this change happened in 16.4.1. I have a device with 16.4 and verified that I could change the Apple ID password with a screen time passcode restriction on the account knowing only the Apple ID itself and the device passcode. So, this was an undocumented change in 16.4.1.

Precisely my logic with the additional thought that if it might be too much hassle for them, they may choose to just discard.

OK, I just spent a bunch of time testing this carefully, and while it may be better, it’s not fixed.

Let’s assume the thief has your iPhone and your passcode, but you’ve turned on a Screen Time passcode and locked account changes but not set a recovery key. The thief can find your email address and phone number from email and Settings > Phone.

Then, if they work through the steps to turn off the Screen Time passcode, saying Forgot Passcode when prompted, entering your email address when prompted, and then tapping Forgot Apple ID or Password, they’ll be able to reset the Apple ID password using just the passcode and turn off the Screen Time password in the same step.

The confusion, I think, is that there’s a branch in the logic at one point, and if they follow the other branch, they’ll be prompted for your trusted phone number or recovery key. The problem occurs at the Screen Time Passcode Recovery screen:

  • If they enter your email address in the Apple ID field here, tap OK, and then get the password field, they can then tap Forgot Apple ID or Password and continue with the passcode to reset the password. In other words, the most obvious approach is the least secure.

  • If, instead of entering your email address right away, they tap Forgot Apple ID or Password first, and then enter the email address, they’ll go into the more secure password reset flow that tells them to continue on your other Apple devices. If they say they can’t get to them, they’ll be asked for your trusted phone number, which they can find out easily. But that doesn’t end up working out, at least in my testing.

When I entered that, I was prompted for the passcode again, but entering it threw me to the Don’t Know Your Passcode screen that warned my account would be locked for several days. At that point, I bailed—who knows what would happen if I locked my account like this. But I very much got the sense that a thief wouldn’t be able to change the password that way.

I’m being a little waffly here because I only tested a few times—I was just too leery of locking my account or messing something else up entirely. But I’ll report this to Apple and see if anything comes back.

All that said, if you both turn on the Screen Time passcode and set a recovery key, you’re safe. There’s no way to turn off the Screen Time passcode without having access to the recovery key.

That seems incorrect in my case. I have both a recovery key set and a screen time passcode and I can still go through and change the Apple ID password with the procedure you listed. (I just, in fact, actually changed it - and very shortly afterward realized that this meant that my Sonos stopped playing music because I had to reauthorize my Apple Music account.)

Having a screen time passcode with account changes disallowed makes it harder to find the Apple ID address on the device, but not impossible.

Darn it, I think you’re right. That was my starting condition, and when I assumed it worked, it was before I discovered that there was a difference with when you enter the email address in the Screen Time Passcode Recovery screen. I have screenshots showing that the recovery key is required, but I’m pretty sure that’s in the branch where you enter the email address AFTER tapping Forgot Apple ID or Password.

I’ve set up to replicate now, and while I don’t actually want to change my Apple ID password again (it invalidates my app-specific passwords and causes all sorts of cascading alerts on different devices), I’m getting the screen to change the Apple ID password without being prompted for the recovery key first.

Any ideas about how to backup your iPhone photos if you don’t have a Mac?

I’m sure there will be other suggestions, but iMazing is cross-platform and gives you a lot of control over backing up and configuring iOS devices.

On a Windows PC, you are expected to install iTunes and use it for all of your iPhone backup/sync operations: Transfer photos and videos from your iPhone or iPad to your Mac or PC - Apple Support

To get iTunes, go to https://www.apple.com/itunes/ . If you’re on a Mac, that page presents you with a request to upgrade macOS, but there is a link to click on to get to the download page for the Windows version:

Windows users can also install it from the Microsoft Store.