At the risk of reiterating the issues this brought up, what you missed is that somebody with your phone can reset the Apple ID passphrase and set a recovery key that you won’t have with only the iPhone’s passphrase. This will effectively lock you out of your Apple ID permanently, and, so far, very few people have convinced Apple to give them access back. You’ll lose any apps you’ve purchased, subscriptions you’ve been paying for (and I’d say it’ll be hard to stop recurring charges until you cancel the credit card), iCloud backups of your device; if you use Messages in iCloud, all of your message history. If you have an Apple Watch, all of your Health information. Obviously, the more you use iCloud, the more you stand to lose.
I’ve verified what @mikebhm reported - that iOS 17 has made it even more difficult to reset the Apple ID passphrase if you’ve set a recovery key. In fact, it adds a step that requires another device linked to your iCloud account (if you have one) to approve the change to the Apple ID passphrase when you set a screen time restriction on account changes - a big improvement from iOS 16.
Thanks Doug, I don’t remember the ability to reset the Account Recovery Key coming up before but you are correct. So presumably the thief now has to do this extra step before he can turn off Screen Time lock and thus changed Apple ID password.
Is that why you say iOS17 has made it more difficult than iOS16?
The thief does not have access to either the Recovery Key reset or “FaceTime and passcode” setting while Screen Time Code is set. And he can’t turn off Screen Time Code without the Recovery Key.
So I am back to believing what I wrote in my previous post that iOS 17 has fixed this issue…
And it appears this indeed the crucial issue for those of us who use iCloud Keychain.
I’m no fan of 1Password and all those apps, especially not those that somehow require a subscription. But I’m afraid this loophole (which apparently is by design, not just a bug) is a strong argument against relying on iCloud Keychain and in favor of instead getting a 3rd party password manager that is secured with a different and unique master password.
I don’t want to switch away from iCloud Keychain. I really wish Apple would change this design. Or at least give us an option to trade off last resort recovery vs. securing this potential weakness.
What I wrote was shorthand. Previously, up to at least iOS 16.4 (I never tested much after that version), anybody with your phone’s passphrase could reset the Apple ID password, even with a screen time passphrase and account change restriction set, so long as they also knew the actual Apple ID address (which is discoverable from other areas in the Settings app, from just looking at your email accounts, etc.)
Once the thief changed the Apple ID password, they could then remove a recovery key that you set from the Apple ID settings webpage, and create a new recovery key that only they knew, to prevent you from regaining access to your Apple ID (they could also remove any trusted devices from your Apple ID settings, so you wouldn’t be able to quickly go back to a Mac or iPad that uses the same Apple ID to regain access.)
As you detailed in your post above, if you have set a recovery key yourself, a thief would need to enter the recovery key before they would be allowed to reset the Apple ID password. At least so far this suggests that this loophole is now closed.
As you detailed in your post above, if you have set a recovery key yourself, a thief would need to enter the recovery key before they would be allowed to reset the Apple ID password. At least so far this suggests that this loophole is now closed.
At the risk of reiterating the issues this brought up, what you missed is that somebody with your phone can reset the Apple ID passphrase and set a recovery key that you won’t have with only the iPhone’s passphrase. This will effectively lock you out of your Apple ID permanently, and, so far, very few people have convinced Apple to give them access back.
The second Wall Street Journal article covered this. However, this is still contingent upon someone getting access to your iPhone, knowing your passcode, and unlocking it. Using TouchID and FaceID on a regular basis will make it easier to keep your passcode safe.
The problem seems to be in bars. A group of several thieves work in concert, targeting people who are using passcodes to open their phones. One thief start getting friendly with the person. Meanwhile, another one gets in position to read the passcode while another one gets in position to grab the phone at the right opportunity. It looks like the phone is grabbed when placed onto the bar.
One software change could be to require the Apple ID password to change the passcode, to open the iCloud settings, or when the m user doesn’t want to use FaceID or TouchID to do certain functions such as ApplePay. Maybe Mail and Messaging should require TouchID or FaceID too.
Then again, the sheer number of people who can’t remember their iCloud password is astounding. And you could be just getting someone to shoulder surf your Apple password too. Or that constantly using FaceID and TouchID makes the phone clumsy to use.
Doug, I have been shot down in another forum. In iOS 17 it still possible to change Apple ID password with just the phone passcode. Details in this post.
So is the idea that in that 1-hr delay window you have time to register the device as stolen? But does that help if the thief also has the passcode? Can Find My’s Mark as Lost not be overridden on device with the device passcode? Or would that indeed require the iCloud password thus allowing you to block your iPhone even in the event the thief also has the passcode?
In the past, using biometric ID has always been optional; when it didn’t work, you fell back to using a password or passcode. However, with Stolen Device Protection on, biometric ID will be required for many operations if you are not in a ‘safe place.’ For critical operations, you must biometricly authenticate twice, with the authentications separated by at least 1 hour.
However, if you are in a ‘safe place,’ everything works as before. The safe place option is there because biometrics have been known to fail.
I think having safe locations as the only way to get around Stolen Device Protection’s restrictions might be too restrictive and not restrictive enough. A place where your identity might be compromised might be within the perimeter of a safe location (a bar downstairs from your apartment?). If you are traveling and not stopping in any location for more than a day or two (e.g., a performer on tour), you might have vital functions disabled for an extended period.
I agree with that. For some this could be too restrictive, for others (or for other situations) not enough.
I like to see an option where you’re required to authenticate on another AppleID-connected device. What are the chances the thief copies down my passcode, steals my iPhone and then also snatches my Mac? Not to mention he’d need the Mac’s password too (which obviously isn’t the same as the iPhone’s).