Originally published at: When Face ID Helps iPhone Security—And When to Turn It Off - TidBITS
I’ve been thinking a lot more about physical iPhone security recently. For a long time, we’ve encouraged biometric authentication over manually entering iPhone passcodes because of the very real threat of someone seeing you enter your passcode, stealing your iPhone, and using the passcode to reset your Apple Account password, locking you out of your digital life and enabling both financial and identity theft (see our “iPhone Passcode Thefts” series).
Face ID as Asset and Liability
To block that, Apple introduced Stolen Device Protection, which leans more heavily on biometric authentication and adds an hour-long security delay to certain actions. By default the delay applies only when you're away from one of your familiar locations, though you can set it to apply always (see “Turn On Stolen Device Protection in iOS 17.3,” 25 January 2024). Delay-triggering actions include changing your Apple Account password or signing out of your Apple Account, adding or removing a Face ID or Touch ID enrollment, changing your passcode, turning off Find My or Stolen Device Protection, and attempting to use Reset All Settings.
I’ve encountered the delay only once, when I considered changing my passcode so a friend could use my iPhone to time a race. The delay helped me remember that I’d already come up with a much better solution (see “Guided Access Turns Your iPhone or iPad into a Sharable Single-App Tool,” 11 October 2024).
Nonetheless, I generally recommend Stolen Device Protection. Apple appears poised to encourage its use more heavily. According to MacRumors, iOS 26.4 will add Stolen Device Protection to the setup assistant. That is not the same as making it the default—you can always tap Not Now to sidestep the suggestion—but it does make it far more likely that users will turn the feature on.
As much as I like and use Face ID, my faith in the security of biometric authentication has been shaken recently, not because of technical limitations, but legal ones. Although US courts have generally held that law enforcement cannot force someone to reveal a passcode or password, several courts have allowed officers to compel a person to use Face ID or Touch ID to unlock a device. That distinction made national news earlier this year, and in a way that struck a nerve.
When the FBI raided Washington Post reporter Hannah Natanson’s home, the warrant explicitly gave agents permission to force her to unlock her devices with biometrics. Although Natanson claimed biometrics were not enabled on any of her devices, agents forced her to place her finger on her Washington Post-issued MacBook Pro’s Touch ID sensor, and it unlocked.
It’s unclear why the FBI didn’t try to make Natanson unlock her iPhone. She had put it into Lockdown Mode (an extreme security feature intended for people facing sophisticated threats), and the agents may not have realized that Face ID remains active in Lockdown Mode. Or perhaps she really had disabled Face ID on the iPhone. Regardless, Ars Technica noted that the government said in subsequent filings it was unable to retrieve any data from the iPhone due to Lockdown Mode’s protections. It’s nice to have public confirmation of Lockdown Mode’s security.
My brand of tech journalism is far from the beats Natanson covers and the sources she maintains, but it’s still chilling to read about the FBI raiding the home of a journalist as part of a leak investigation.
It goes beyond my profession. In the past, it felt like only special people had to think about the connection between the physical and digital security of their iPhones. But now, with protesters being arrested and international tourists being detained at the US border, concerns over digital security have spread to a wider swath of the population.
Until recently, I’ve never even considered turning off Face ID while traveling or out in public, but it seems more relevant today. I’ve attended some protests in Ithaca, many of my running friends are from other countries, ICE recently arrested people in a nearby town, and I’m planning to attend the ACES Conference in Minneapolis in May. Despite my generally privileged status as an older white guy, additional caution seems warranted.
Practical Protections
The Electronic Frontier Foundation and Consumer Reports have published guides for protecting your security and privacy in sensitive situations such as protests or when crossing borders. My expanded and annotated version of that advice includes the following items, all of which should be done before you leave home to avoid Stolen Device Protection delays and other problems. (Of course, you could also turn your iPhone off, but that prevents you from taking photos or videos.) I also strongly encourage you to practice using your iPhone with all these options off ahead of time, so you aren’t surprised by the many limitations. To increase security and privacy:
- Make backups: Ensure that you have a current backup, as your iPhone could be damaged or confiscated. Of course, you should always have a current backup anyway, but double-check. You might also consider writing down—on paper!—phone numbers for people you’d want to call in an emergency if your iPhone is unavailable, including a lawyer or legal aid organization.
- Disable biometrics temporarily: Go to Settings > Face ID & Passcode, and toggle off Face ID for iPhone Unlock. The other Face ID uses (Wallet & Apple Pay, Password AutoFill, apps) have their own switches; turn those off too if you don't want any biometric unlock to be possible. Use a strong, preferably alphanumeric passcode instead (in other words, not 111111 or 123456). Remember, you can be compelled to use your face, but not to reveal a password. If you forget to do this ahead of time, press and hold the side button and either volume button for about 2 seconds (or press the side button five times quickly, if you have that option enabled in Settings > Emergency SOS) to bring up the Emergency SOS screen, which temporarily disables biometrics, then press the side button again or tap Cancel. Powering the iPhone off and back on has the same effect, because the passcode is always required after a restart. Once you enter your passcode again, Face ID will automatically be enabled again, so you’ll want to turn it off for real or keep toggling it temporarily.
- Prevent your iPhone location from being tracked: With sufficient resources, an iPhone can be tracked in many ways. To prevent that in a sensitive situation, download maps and plan meeting spots ahead, then do the following:
- Location services: In Settings > Privacy & Security > Location Services, turn off the main switch. It’s also worth taking some time to audit the location sharing permissions for each of your apps (see “Protect Yourself Against Location Tracking Abuses,” 27 October 2024). Protecting your location from surveillance advertising is especially important now that government agencies are using online ad tech to track phones. Note that iOS warns it will temporarily re-enable Location Services if you put the iPhone into Lost Mode with Find My.
- Turn off Wi-Fi and Bluetooth: Although Apple has improved the rotation of MAC addresses and Bluetooth identifiers to prevent them from being used to track you, it’s still possible that they could contribute to short-term device identifiability. Turn them off in Settings > Wi-Fi and Settings > Bluetooth, not in Control Center: the Control Center buttons only disconnect from current networks and devices until the next day, leaving the radios on.
- Enable Lockdown Mode to disable 2G and 3G: In addition to everything else it does, Lockdown Mode disables 2G and 3G cellular connections. Those older cellular technologies are especially easy to exploit with IMSI catchers—devices that intercept mobile phone traffic and track location data. Such devices have reportedly been used at protests. Turning Lockdown Mode on or off restarts the iPhone, so do it well ahead of time.
- Turn on Airplane mode: Although IMSI catchers are far less effective against 4G and 5G, connecting to cellular towers still reveals location data to the carriers, who may be forced to turn it over to the government. Airplane mode cuts off all remaining cellular connectivity, which also means no calls or texts, so you might do this only if it feels essential.
- Use Signal or iMessage for messaging: It’s important to restrict your communications to end-to-end encrypted channels. Signal is the go-to platform for secure messaging, particularly among groups. You could use iMessage for additional communication, of course, but only with other iPhone users because you don’t want to fall back on insecure SMS or RCS; to be safe, also turn off the Send as Text Message (formerly Send as SMS) switch in Settings > Messages so a failed iMessage isn’t silently resent as a text. (RCS is end-to-end encrypted between Android phones using Google Messages, but not yet between iPhones and Android phones. Soon, perhaps, since the iOS 26.4 beta release notes encourage cross-platform testing while explicitly saying that end-to-end encryption won’t ship in iOS 26.4.)
- Consider Advanced Data Protection: If you’re concerned about saying something in Messages that could be used against you, turn on Advanced Data Protection so messages in your iCloud backups are also encrypted (see “Apple’s Advanced Data Protection Gives You More Keys to iCloud Data,” 8 December 2022). Advanced Data Protection also protects other potentially sensitive Apple data stores, such as Photos, Notes, and Reminders. You’ll find the switch in Settings > Your Name > iCloud > Advanced Data Protection. Remember that Advanced Data Protection prevents Apple from helping you recover your account if you forget your Apple Account password. So don’t do that.
- Take photos and videos from the Lock Screen: One of the core uses of an iPhone is to document what’s happening around you. Once you’ve turned off Face ID, it’s best to keep the iPhone locked whenever possible, and luckily, you can take photos and videos even when it’s locked. On a newer iPhone, open the Camera app with the Camera Control button; on one that lacks the Camera Control, use the Camera widget on the Lock Screen. A bonus of turning off location services is that any photos you take won’t include geolocation metadata.
- Think about Medical ID: The iPhone’s Health app lets you create a Medical ID, which includes information such as name, age, medications, allergies, conditions, height, and weight. A switch makes that information accessible from the Lock Screen, which could help emergency responders treat you. It’s probably worthwhile keeping that information available, but you can also enter emergency contacts and their phone numbers. Consider whether allowing the government to see that contact information could be harmful to those people.
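One way to verify the geolocation point above before you share or publish a photo is to inspect the file yourself. The following is an added example written for this article, not code from TidBITS or Apple: a standard-library-only Python scanner that walks a JPEG's segment list, finds the APP1 "Exif" segment, parses TIFF IFD0, and reports whether a GPS IFD (tag 0x8825) is present and which GPS tags it holds. The sample images it tests against are constructed inline, not real iPhone photos, and it assumes JPEG input (iPhones shoot HEIC by default, which stores Exif differently and is not handled here).

```python
"""Check exported JPEGs for GPS (geolocation) Exif metadata before sharing.

Added example, not code from the TidBITS article or from Apple. Uses only the
Python standard library: it walks the JPEG segment list, finds the APP1 "Exif"
segment, parses TIFF IFD0 and reports the GPS IFD (tag 0x8825). The sample
JPEGs built by build_sample_jpeg() are constructed for testing, not real photos.
"""
import struct
import sys
from typing import Optional

GPS_IFD_POINTER = 0x8825   # IFD0 tag whose value is the offset of the GPS IFD
GPS_VERSION_ID = 0x0000    # GPS IFD tag that carries no location on its own


def _exif_tiff(jpeg: bytes) -> Optional[bytes]:
    """Return the TIFF block inside the APP1 Exif segment, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # start of scan / end of image: no more headers
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value/offset field)}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def gps_tags(jpeg: bytes) -> Optional[list]:
    """Sorted GPS IFD tag IDs, or None when the image has no Exif or no GPS IFD."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order declared by the TIFF header
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header in Exif segment")
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps_off = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0]
    return sorted(_read_ifd(tiff, gps_off, endian))


def has_location(jpeg: bytes) -> bool:
    """True if the GPS IFD holds anything beyond GPSVersionID (e.g. latitude/longitude refs)."""
    tags = gps_tags(jpeg)
    return tags is not None and any(t != GPS_VERSION_ID for t in tags)


def build_sample_jpeg(with_gps: bool, with_exif: bool = True) -> bytes:
    """Constructed minimal JPEG (SOI, optional APP1 Exif, SOS, EOI) for testing."""
    header = b"II*\x00" + struct.pack("<I", 8)         # little-endian TIFF, IFD0 at offset 8
    if with_gps:
        gps_off = 8 + 2 + 12 + 4                       # IFD0 = count + one entry + next-IFD link
        ifd0 = struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, gps_off) + b"\x00" * 4
        gps = struct.pack("<H", 2)
        gps += struct.pack("<HHI", GPS_VERSION_ID, 1, 4) + b"\x02\x03\x00\x00"  # GPSVersionID 2.3.0.0
        gps += struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"            # GPSLatitudeRef "N"
        tiff = header + ifd0 + gps + b"\x00" * 4
    else:
        # Orientation (0x0112) = 1 as the only IFD0 entry: Exif present, but no GPS IFD
        tiff = header + struct.pack("<HHHIH", 1, 0x0112, 3, 1, 1) + b"\x00\x00" + b"\x00" * 4
    out = b"\xff\xd8"
    if with_exif:
        payload = b"Exif\x00\x00" + tiff
        out += b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    out += b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"   # unrelated APP0 segment the scanner skips
    return out + b"\xff\xda\x00\x02" + b"\xff\xd9"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        if has_location(data):
            print(f"{path}: GPS IFD present, tags {[hex(t) for t in gps_tags(data)]}")
        else:
            print(f"{path}: no location metadata")
```

Run it as `python3 check_gps.py photo1.jpg photo2.jpg` on JPEGs exported from the phone (set Settings > Camera > Formats to Most Compatible to shoot JPEG directly). Even with Location Services left on, the Photos share sheet has an Options screen with a Location switch that strips the GPS data from the copy you send; this script is a way to confirm that whichever route you took actually worked.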
If you’re stopped at a protest or detained at a border, you may be asked to unlock your iPhone. You can decline to provide your passcode, but declining may prolong your detention, and border agents have broader authority than domestic law enforcement; they can seize your device and hold it for examination. For additional advice, refer to the ACLU’s excellent Know Your Rights collection of documents about your rights at the border, at protests, when filming or recording in public, and if you’re stopped by police. The EFF publishes an even more detailed guide to your rights at the border.
Once you’re in a safe location, you’ll want to reverse most of these changes. Re-enable Face ID, turn Location Services back on, re-enable Wi-Fi and Bluetooth, turn off Airplane mode if you enabled it, and disable Lockdown Mode if you don’t normally use it.
I realize that some of this may sound as though it’s verging on paranoia, and I would have thought so in the past as well. Today, if you choose to put yourself in certain situations, it just feels prudent.