How a Thief with Your iPhone Passcode Can Ruin Your Digital Life

The discussion is implicitly invoking the “Swiss Cheese” model of security, where there are multiple layers of protection, each with its own holes, but if the holes don’t line up, then one layer will protect against an attack that another layer will let through. The danger is if the holes all line up (as they do with the way Apple uses the passcode).

But it also occurs to me that some layers are more important than others, at least in terms of threat & inconvenience. The first layer is to protect against the phone getting stolen at all. If it doesn’t get stolen, then none of the other risks materialize. That makes it the most important layer to worry about. The second layer, unlocking the phone, is the second most important. If the thief can’t unlock the phone, then all the owner has lost is the phone itself.

I’d rather have Apple (and people) focus on hardening those first two layers than get obsessed with the ones further down. There are ways to do it: have the screen reduce brightness and contrast when you’re entering the passcode to make it harder for people to see from a distance; have the numbers on the screen be randomly scrambled so people can’t “read” your motions when you type them in. Etc.

For people, being aware of using the phone in public is critical. Don’t use it in such a way that you’re vulnerable to having it snatched. Don’t store it in an obvious place that is accessible when you’re not paying attention. Etc. etc.

3 Likes

I know you’re not suggesting these are actually implemented. But I want to point out to anyone who thinks they’re a good idea that either of these would make the phone unusable for a sizeable portion of the population. The most likely effect would be for many people to disable a passcode altogether. What looks like a security improvement might turn out to be the opposite on a population level.

3 Likes

Very good point – as always, Apple would have to balance security vs. usability (and not just general usability, but usability for specific communities).

2 Likes

These could be non-default options for people who might want better security. Advanced Data Protection is an option, and Apple makes it clear when you turn that on that they cannot help you recover the account if you forget the password and lose the recovery keys; why not add an option to prevent resetting the Apple ID from a device with just the passcode from that device? There is, in fact, an option on macOS to allow or prevent using the Apple ID password to reset the user account password. Why not this level of control on iOS in the Apple ID settings?

Yes, I know that sometimes there seem to be too many options, but after the WSJ article detailing this vulnerability (to losing control of your Apple ID just by a thief knowing the device passphrase), it seems like a worthwhile option to me.

2 Likes

I think because the people who would take advantage of the options are already keeping things extra secure. I’d prefer a simple universal solution that ups the security level for everyone (it even helps those extra secure people because if thieves know that every iPhone is pretty darn secure, it reduces the incentive to steal any iPhone).

Agreed! Another idea I like is trying to avoid asking for the passcode unless the iPhone is in a known location, like Home or Work. Obviously, that won’t work all the time, but anything Apple can do to reduce the likelihood that a passcode is typed in public, the better.

1 Like

Looks like Apple is planning to block the majority of these problems.

1 Like