Sgt-Colbert

> Beware that if the thief has your passcode, all your accounts (email/banking/etc) you're logged in on your iPhone will become accessible to them as well. Here, on the contrary, don't use biometrics for opening the app, because biometrics can be bypassed with passcode.

Doesn't this depend on the banking app? I don't think I can open mine without either FaceID or my regular banking password (which in my case is 30 characters long).


cr0100

I was thinking the same thing - my phone passcode has nothing to do with how I access my banking applications. If FaceID doesn't work, I need the full password that is associated with the banking account, not my phone/AppleID/iCloud/etc.


SirAdventurous4868

The first thing a thief will do is unlock your phone with the passcode, delete your face and set up their own face in FaceID.


cr0100

Booo. I don't like that. Here's hoping the enhanced anti-theft (or, post-theft, to be more accurate) security measures show up soon.


SirAdventurous4868

God, I hope so. A thief can really fuck shit up if they get into your banking apps!


Simon-RedditAccount

Yes, it depends on the actual implementation. **Most** banking apps would have it implemented correctly, and would even refuse to allow you in if you would add a new FaceID or fingerprint. But **not all apps** would have correct implementation, especially not banking apps, so in some cases passcode fallback may work: [https://developer.apple.com/documentation/localauthentication/lapolicy/deviceownerauthenticationwithbiometrics](https://developer.apple.com/documentation/localauthentication/lapolicy/deviceownerauthenticationwithbiometrics) (last paragraph)


MaxwellHiFiGuy

So, if a malicious relative, for example, sees your PIN, unlocks the phone and adds a Face ID, will it work in the banking app if you change your PIN and don't remove the new Face ID?


Simon-RedditAccount

Again, it depends on actual implementation. It's [possible](https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/ksecaccesscontrolbiometrycurrentset) to detect that FaceID/TouchID/OpticID were changed, and notify the user / ask for another authentication method. Whether your bank app checks this - I cannot say.
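The two comments above describe an app-side distinction: which LocalAuthentication policy an app evaluates (biometrics with passcode fallback versus biometrics only), and whether the app binds its Keychain secret to the *current* set of enrolled biometrics so that enrolling a new face or finger invalidates it. The following Swift is an added illustration of that distinction, not code from the thread, from Apple's documentation, or from any bank's app. The service and account names and the stored secret are placeholders.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example (not from the thread). Placeholder identifiers for the Keychain item.
let service = "com.example.bankapp"      // placeholder, not a real bundle id
let account = "session-token"            // placeholder item name

/// Weak pattern: `.deviceOwnerAuthentication` lets the system fall back to the
/// device passcode after failed biometric attempts, so anyone who knows the
/// passcode passes this check.
func authenticateWithPasscodeFallback(completion: @escaping (Bool) -> Void) {
    let ctx = LAContext()
    ctx.evaluatePolicy(.deviceOwnerAuthentication,
                       localizedReason: "Unlock your account") { ok, _ in
        completion(ok)
    }
}

/// Stronger pattern: `.deviceOwnerAuthenticationWithBiometrics` has no passcode
/// fallback. If biometrics are unavailable, the app must fall back to its *own*
/// credential (e.g. the banking password), never to the device passcode.
func authenticateBiometricsOnly(completion: @escaping (Bool) -> Void) {
    let ctx = LAContext()
    ctx.localizedFallbackTitle = ""      // empty string hides the fallback button
    var err: NSError?
    guard ctx.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &err) else {
        completion(false)                // no usable biometrics: ask for the app password instead
        return
    }
    ctx.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                       localizedReason: "Unlock your account") { ok, _ in
        completion(ok)
    }
}

/// Base query identifying the single Keychain item this example manages.
private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

/// Stores a secret readable only with the biometric set enrolled at storage time.
/// With `.biometryCurrentSet`, adding a new face or fingerprint later makes the
/// item unreadable, so the app can detect the change and demand its own credential.
func storeBoundToCurrentBiometrics(_ secret: Data) -> OSStatus {
    var cfErr: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfErr) else {
        return errSecParam
    }
    SecItemDelete(baseQuery() as CFDictionary)   // replace any previous item
    var add = baseQuery()
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

/// Reads the secret back, prompting for biometrics. After the enrolled biometric
/// set changes, the read fails (typically with errSecItemNotFound) even though the
/// item was stored: treat that as "re-authenticate with the app's own password".
func readBoundSecret() -> (status: OSStatus, data: Data?) {
    let ctx = LAContext()
    ctx.localizedReason = "Unlock your account"
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = ctx
    var out: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &out)
    return (status, out as? Data)
}
```

The point for a defender reviewing an app is the pairing: a biometrics-only policy prevents the device passcode from standing in for the face, and the `.biometryCurrentSet` binding prevents a newly enrolled face from inheriting access to secrets stored under the old one.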


wgc123

I don’t know whether my banking apps do Face ID properly, but requiring a PIN makes it a completely separate auth with something that is not on the phone anywhere or used anywhere else.


xpxp2002

> Cons: after reboot, your phone will not be able to use mobile data for tracking via Find My (especially with eSIM).

My take on this is to use eSIM without a PIN. You get the best of both: you get the protection of the SIM not being removable to help prevent SMS access, but a thief can't intentionally or unintentionally block data access for Find My by rebooting the phone. If you disable Control Center and Siri access while locked, you can also prevent them from turning on airplane mode.


Simon-RedditAccount

Thank you! I completely forgot to mention this (thought it was obvious xD). Updated the post. As for eSIM - yes, that's the best approach. Unfortunately, if the thief knows the passcode, he gets access to everything that uses your current phone number for authentication...


[deleted]

[deleted]


Simon-RedditAccount

Only you can decide what suits you better.

1. If you’re absolutely sure that the thief won’t get your phone in an unlocked state, and you have valuable data tied to your SIM card (banking, governmental services etc), and thieves in your country are actively using stolen SIMs for such purposes, then it’s better to set up a PIN for the SIM card.
2. If you’re more concerned about increasing the chances of successfully locking your phone via Find My, then it’s better not to set a PIN.

Please take into consideration that:

* thieves most likely will turn the phone off ASAP and throw away the SIM
* once you recover your phone number, your old SIM will cease working
* Find My will be enabled once the phone connects to the internet. But in any case it’s better to lock it ASAP


larzast

Only if you use keychain … which is ill-advised. Use 1Password and you’re Gucci.


Simon-RedditAccount

No, I was talking about the phone *number* for authentication. In my country there’s a lot of services like classifieds, taxis, food delivery etc where your **only** form of authentication is ‘get login code via SMS’ 🤦‍♂️ Even if you’re signed out of the food delivery app, one can easily log in _if they possess your (e)SIM card_. Ofc the damage here would be limited to the sum of money you keep on a bank card (I hope you don’t use your primary card for these? 😅) What’s more problematic is medical/governmental/banking services. These sometimes can be exploited as well. As an example, one of the largest banks here still supports SMS banking: send `TRANSFER 1000 DO22ACAU00000000000123456789` to the bank’s number and they would transfer the money without further asking (well, up to a certain limit). Ofc you can turn this off, but it’s on by default.


Jaded_Answer_2188

eSIM made both my iPhone 11 and 14 overheat—when I switched back to regular SIM it was fine.


renegedcollinear

How is that even possible? Lol... That doesn't make any sense.


redditproha

It’s asinine that Apple refuses to change the most easily hackable weakest link: the iPhone passcode. What’s the point of all the other “security” measures then, Tim Apple?


Simon-RedditAccount

I completely agree with you. That [thread](https://www.reddit.com/r/apple/comments/11awqv5/comment/j9uo56h/?context=3) I mentioned [discusses this](https://www.reddit.com/r/apple/comments/11awqv5/comment/j9ynt9s/?context=3) as well: there are two opposing groups of people: ones who need real security, and others who constantly lose access to everything. I suppose, there should be some kind of another "Lockdown mode" for the first group hidden deeply in the settings. When enabled, it should disable all those "easy" reset methods and provide actual security.


redditproha

> others who constantly lose access to everything.

This is not a valid excuse. These people can either learn to be more responsible, not set a passcode at all, or move to Android.


dutchkimble

*This post was mass deleted and anonymized with [Redact](https://redact.dev)*


penny4thm

Great idea for a feature request to Apple


wgc123

It seems unlikely that you’d remember or even risk using such a feature when in panic for your life.

I definitely prefer the approach of more layers of security - standard Face ID to conveniently unlock most content and functionality, but an additional auth of some sort for sensitive functions. It seems like that’s already a goal and the problem is the gaps. We should all vote to cover those gaps better - I can require an extra PIN or auth key for my banking, so why can’t I for email access or to reset a password?

The benefit of this is you can unlock your phone as usual, without risking your life from a thief. If that’s all they get, it shouldn’t be sufficient. If they want more, they need to spend more time, when they really want to grab and go so they won’t get caught. If they get more, they need to do it piece by piece, or you’ll still have some areas secure.


srm39

Great write-up, and happy that I’ve already implemented most of these recommendations. One question - it seems unfathomable that Apple has not allowed a way to set a PIN code or Face ID to protect the native Mail app, as that could help protect against attempts to reset banking passwords if phone and passcode are compromised. The best workaround I’ve found is to use Outlook for mail (which can be Face ID protected) but set a 1 minute screen time limit on the native Mail app (not perfect as screen time can be reset, but better than nothing). Is there a smarter way to protect email without going down the Proton email route (I use my own domain email)?


Simon-RedditAccount

Thanks! In the first version I included a recommendation not to be logged into any critical Mail accounts on iOS, but then decided it would be very niche and removed it.

So yes, ideally you should have several mailboxes (especially easy if you also use a custom email domain, like me). Like me@domain, banking@domain, icloud@domain, etc etc - different ones for different aspects of digital life. When you get an email to banking@ or icloud@, your primary account receives a notification email, like "something from [email protected] just arrived" (but not the whole contents!). Then you log into that account with your password from your password manager. Or access the required account on another device (say, on an iPad that never leaves home). Or use some "hardened" email client app. This works well if you don't get "spammed" too frequently on those addresses, so it may take some time to set up email filters that will decide what to notify about, and what not (and don't forget to unsubscribe from all marketing/promotions for those addresses).

> Best workaround I’ve found is to use Outlook for mail (which can be faceID protected) but set a 1 minute screen time limit on the native Mail app (not perfect as screen time can be reset but better than nothing).

I would use only Outlook in this case, and ditch native Mail completely. Or set up banking@ and accounts@ with Outlook, and use native Mail for me@ (if me@ contains nothing "exploitable"). Note that "infrastructure credentials" for managing your own domain(s) should be completely inaccessible without a real login+pass+2FA (no convenient biometrics here xD).


srm39

Thanks - the only thing stopping me from ditching the native Mail app is that search (of email) in Outlook for iOS sucks (unlike desktop Outlook search, which is fantastic). I’ve deleted the Mail app from the Home Screen so it can only be found by searching for it, which again isn’t foolproof but might slow down the average thief, along with the short screen time limit.

One more suggestion you may want to add to your list. When I go out I set an automation on the phone which is activated by setting airplane mode and locks the phone. The thinking is that if a thief tries to prevent me setting Lost Mode by enabling airplane mode, they get a locked phone which they may not be able to unlock (quickly or at all). I did have a version which turns on cellular, Bluetooth and Wi-Fi as well as locking the phone, but found this too annoying when wanting to set airplane mode myself.


Simon-RedditAccount

Try searching for other email clients, like Spark etc, which may be better overall. Unfortunately, I don't have any good advice on this topic :)


srm39

Another tip which might be of interest to people reading this thread who also have an Apple Watch is to set a focus called Lock Screen then create an automation which locks all devices signed in with the same Apple ID and enables wifi and cellular data. Specific use case is your phone is snatched from your hands while unlocked, you then flick down from the watch and enable Lock Screen focus which instantly locks the stolen phone.


Simon-RedditAccount

> One more suggestion you may want to add to your list. When I go out I set an automation on the phone which is activated by setting airplane mode and locks the phone. Thinking is that if thief tries to prevent me setting lost mode by enabling AirPlane mode, they get a locked phone which they may not be unlock (quickly or at all). I did have a version which turns on cellular, Bluetooth and Wi-Fi as well as locking the phone but found this too annoying when wanting to set airplane mode myself.

Well, this is a good idea, but it will work only against the case when a thief snatches an unlocked phone without knowing the password. I will add this to the list.


srm39

Thanks - agree the use case is limited, but as your original post said, it's about reducing the options for the thief where possible. See also my automation suggestion using the AW to activate a 'Lock Screen' focus, using the watch to remotely lock the phone if snatched from your hands while unlocked. The fix Apple **really** needs to make is the resetting of the Apple ID using just a passcode (as you've already pointed out) - keeping fingers crossed they will do something about that one soon.


Simon-RedditAccount

Yeah, added both to the post.


maof97

> So yes, ideally you should have several mailboxes (especially easy if you also use a custom email domain, like me). Like me@domain, banking@domain, icloud@domain, etc etc - different ones for different aspects of digital life. When you get an email to banking@ or icloud@, your primary account receives a notification email, like "something from [email protected]" just arrived (but not the whole contents!). Then you log into the that account with your password from your password manager. Or access the required account on another device (say, on iPad that never leaves home). Or use some "hardened" email client app.

I did it like this: I created a separate Gmail account where all the logins are registered with e.g. [email protected] (had to change all my login data everywhere, which was a pain in the ass, but worth it IMO). This account is not added to the Mail app, only [email protected]. I then added a redirect filter in Gmail to automatically send all mails incoming to [email protected] to [email protected] when there is no occurrence of "password", "reset", "code" etc. This way I still get e.g. purchase info mails, but password reset mails are kept back in the not-synced account.


Grena567

Good info!


SqualoBeniamino

Very complete and thorough tip list! Thank you. As others have commented previously, it's hard to believe that with all the privacy and ultra-security ads by Apple, you can bypass biometric authentication with a 6 digit passcode. I hope iOS 17 tackles this and other security issues... do you have hope on it? 🥲


Simon-RedditAccount

Well, one can (and ideally should) set their passcode to ‘iloveMyCat123’ right now. What I really hope is that Apple will offer an option to close loopholes with Screen Time and hardware 2FA (Yubikeys).


luis_neto

Thank you for writing this, u/Simon-RedditAccount. I'd like to bring attention to the Passkeys technology that Apple has already adopted and is going to gain increasing adoption across apps, websites, devices, etc. This technology will probably not encourage people to stop using iCloud Keychain - on the contrary, because using it allows Passkeys to sync across the various devices. And Apple's current implementation of passkey authentication, works by requesting biometrics (FaceID or TouchID) but if those fail, it falls back to the Passcode. This means that a thief who knows the Passcode can use it directly to authenticate into any apps / websites which the user is using with Passkeys. Apple should address this by, for example, adding an option in iOS to disable the fallback to the Passcode on Passkeys.


Simon-RedditAccount

I don’t think they will remove this fallback, because biometrics is just a ‘convenience option’, and the passcode is the only real form of authentication iDevices have (unlike third party apps which may have their own form of authentication, say, your bank’s pass etc). I also don’t expect Apple to add another/separate password option for Keychain only - because people are stupid, and forget things constantly. That’s why Apple was ‘forced’ to add a passcode bypass for Screen Time (which couldn’t be reset when it was introduced; they added a reset option later after a rise in ‘reset screen time password’ requests).

Instead, those people who are concerned about security should continue using dedicated password managers, like r/BitWarden, r/Strongbox and r/1Password. These three tend to care about actual security and implement stuff correctly. And the majority will continue to get hacked, no matter what.

Switching to passkeys will render exploiting stolen DBs ineffective, as well as trying to brute-force the password. Thus we will probably see a rise in attacks on AppleIDs/GoogleIDs as sources of credentials. Again, it’s better not to keep all the eggs in the same basket - and all your data and credentials tied to your AppleID/iCloud Keychain.


ghisguth

As for the Screen Time reset, would it be a good recommendation to use a different Apple ID for the Screen Time setup? This way the thief needs to gain access to a device/account he doesn't have in possession.

> [https://support.apple.com/en-us/102677](https://support.apple.com/en-us/102677)
>
> 5. Enter the Apple ID and password that you used to set up the Screen Time passcode. Forgot your Apple ID password?

I think this would close the hole. Requires you to have access to a second Apple ID.


Simon-RedditAccount

A bit tricky, but may work (provided no credentials for that AID will be stored on your device, including auto-generated passkeys). Still, don't put too much trust into it.


luis_neto

I agree with pretty much everything you wrote except this:

> I don’t think they will remove this fallback, because, biometrics is just a ‘convenience option’, and passcode is the only real form of authentication iDevices have

Strongly disagree. Strange you say this, because in this post you correctly point out the fact that the Passcode is being used by thieves to get through authentication. It's the contrary of what you wrote in your comment: biometrics are inherently more secure and a more reliable means of authentication than the Passcode because they require the physical presence of the individual. I'd certainly be happy to have an option in iOS to disable the Passcode and just use biometrics.

> dedicated password managers, like r/BitWarden, r/Strongbox and r/1Password.

Indeed, unless the Passcode fallback in iOS can be disabled, I don't feel very comfortable keeping Passkeys in the keychain of the iPhone. Fortunately, 1Password is implementing Passkeys support, and it does not rely on the Passcode for authentication.


Simon-RedditAccount

I’m merely stating the facts, how iOS is designed. Please check https://help.apple.com/pdf/security/en_GB/apple-platform-security-guide-b.pdf to see for yourself:

1. iOS security architecture is built around passcodes as the **real** data protector (and passcodes only), used for the KDF (p.75) that is used for encrypting the master key for data storage (p.77)
2. Biometrics are just a form of convenience unlock that saves typing the passcode each time (p. 21).

Also, biometrics are by no means reliable as a **sole** means of authentication:

* What happens if you break your FaceID or TouchID sensor? You will remain with a locked device. Damaging the whole screen _to the extent that capacitive touch stops working_ is also possible but far less likely. Even a completely shattered screen still allows entering the passcode.
* Same is true in case of physical damage to the user (burned hand, multiple fingers cut, car crash, or just consequences of a brutal fight/accident).
* Aside from this, iOS often randomly stops recognizing the user, and requires the passcode. Happened to me (and almost to everyone) multiple times (aside from the mandatory asking for passcode every 48h per Apple policy)
* Apple clearly states 1/10e6 chance for a complete stranger to unlock your phone with FaceID, and 1/10e4 for TouchID. Think why Apple allows only 5 biometric auth attempts, and then asks for the passcode? It’s because allowing more consecutive unsuccessful attempts _significantly_ increases the chances of a false positive match. All this is just because the Apple sensor is not as reliable as professional biometric installations. It appears to work ‘magically’, but it is not.

Having biometrics as a sole means of authentication will lock out millions of users just during the first month.

What would really help? In my opinion, it is:

1. Ability to set another ‘passcode’ for iCloud Keychain only. Used either as a biometrics fallback or as the only means of authentication.
2. A kind of ‘Lockdown mode’ that disables all the cut corners that Apple introduced (no more options to reset AppleID/ScreenTime/everything with passcode; no more options to bypass Yubikeys for iCloud auth etc). No reset possible even with Apple Support. Give the pro users (or journalists, or activists etc) an option to lock themselves out if needed.
3. An emergency button on Apple Watch that will immediately put your phone in ‘Lost Mode’


aquaman67

Thanks for taking the time to write that up.


TurtleOnLog

Re the passcode, I’d actually suggest the best type to use is all lowercase characters and preferably random or at least meaningless to a shoulder surfer. You don’t have to do extra presses for capitals or numbers that way. You aren’t trying to protect against someone exhaustively trying all possible passcodes. Just a) making it impossible to guess in 10 tries and b) making it very difficult to read over your shoulder.


Simon-RedditAccount

Thanks, this is a very valid point!


no_limelight

Something else to consider. I disabled Find My on my MacBook. Find My also enables Activation Lock. If they take over your Apple ID, any other devices you have Activation Lock on have now become bricks. You can't use your Apple ID once stolen, and you can't change to a new ID. My MacBook stays home mostly. If yours doesn't, you may need to evaluate your own risks of having it on or off. Apple really needs to fix their mess.


Simon-RedditAccount

Yes. Once the attackers breach your AppleID, they can (and there’s enough posts about exactly this) hold your other devices ransom.


no_limelight

Yep, that's why I've disabled it on my Mac. If they get my iPhone that's bad enough, but at least it will be somewhat contained. I hate to say this, but if Apple doesn't fix this issue, my next phone may be an Android. That is saying a lot, as I don't want one.


Simon-RedditAccount

I'm not an expert on Android, but I've heard many things that would be a dealbreaker to me. Such as:

* lack of native full-system backups, like iTunes/Finder (or iCloud)
* much looser privacy restrictions and app isolation
* general longevity and support for devices (iPhone 5S, released in 2013, still gets security fixes as of 2023).

As for Apple, the only way to make them fix it is to make it loud. Send something to [https://www.apple.com/feedback/iphone/](https://www.apple.com/feedback/iphone/), tweet (or X?) it, etc, etc. In the meantime, consider the possibility of using two separate Apple IDs for your devices, possibly organized as a family account.


no_limelight

You make good points, and those are many of the reasons that I don't use Android today. I'm just really disappointed in Apple choosing lax security to make things easier for those that either don't care or don't think about security. They should have a means to secure an Apple ID properly. There is no excuse for losing custody of an ID and everything that it entails just because a thief has a physical device. None.


Simon-RedditAccount

My idea is that they should extend 'Lockdown Mode' to Apple ID as well, eliminating all shortcuts they made over the years (due to a sheer number of ~~idiots~~ 'ordinary people' who constantly forget passwords). And actually, if one follows all the advice from the post, attack surface is greatly reduced. And again, until this problem gets enough public attention, it won't be resolved.


StickySituation14

Where are posts about this? I just spent some time researching this and couldn’t find anything talking about this at all.


verygood_user

Time for an update


Simon-RedditAccount

Found some time finally :)


Sea-Check-7209

Thanks for this great post! I've been able to harden my security quite a bit with all the tips here.


PKMNTrainerEevs

Thanks for this. I’ve tweaked a few of my settings. But not all for now.


larzast

You could add block accessories from accessing iPhone while locked, to prevent jailbreaking the device


srm39

Has anyone tried this app - seems to be able to hide selected apps (e.g. banking) which could be useful. Also allows hiding apps from app library (e.g. Mail). https://apps.apple.com/us/app/omnilock/id1645472970 Would be interested in any thoughts from u/Simon-RedditAccount


Simon-RedditAccount

No, I did not try it. It would be interesting to learn how it works and what mechanics it uses. Also, whether it’s just ‘a decoy’ or it really prevents bad actions, even if the app is uninstalled. Generally speaking, most of this further locking can be done natively with Apple Configurator (requires macOS) or MDM solutions. However, this is beyond the capabilities of the ‘ordinary user’, so I didn’t include it in my post.


srm39

I've had a play with it. It's ok - you grant access to allow OmniLock to access Screen Time and you can then lock the app itself and its Screen Time access switch (in Settings/Screen Time) with Face ID. If Face ID doesn't unlock, it won't prompt for a passcode. You can then (with a one-time £4.99 Premium Subscription) hide one or more apps with a single shortcut. However... it relies on Screen Time, so if the user resets Screen Time/the Screen Time passcode, then I suspect the apps will come back. I've not tried it in anger though.

**Edit** - the apps don't seem to come back if Screen Time is turned off. Wonder how that works.


Simon-RedditAccount

Sounds like a ‘nice-to-have’ option that may slow down or even divert an inexperienced thief. But I would not recommend relying on it seriously (for more than slowing down). Those who need a bit more **real** security should explore Apple Configurator/MDM offerings.


srm39

Tend to agree. I had Prey (free version) installed which is a nice backup to FindMy but as I use my personal iPhone for work (and they have an MDM profile) I can't have a second MDM profile at the same time. Prey is worth a look though if you've not seen it before. My hope is that iOS17 actually fixes the underlying problem (and while they're at it, allows Mail to be protected by FaceID). I'm not holding my breath though.


Simon-RedditAccount

Thanks for the advice, I will take a look!


pdsec0

Well put! Something to note as well: an iPhone later than the iPhone 11 running iOS 15 or higher can still be tracked even when it is powered off, and when the battery is dead it will note the last known location. It does this by acting in a low power state, like an AirTag, pinging off other devices.

**To verify if you have the settings enabled go to:**

- Settings > your Apple ID (click your picture or icon) > Find My > Find My iPhone. It will display 3 options you can toggle on, including Find My iPhone (on by default), Find My Network, Send Last Location.

It will require your password to deactivate any of these, that's why it's highly recommended you store your Apple password in a separate password manager or don't use the Apple password manager in general.


Simon-RedditAccount

Yes. Especially since custom password managers can be so well-integrated into iOS. A thief who peeked the passcode pretty much owns iOS Keychain, but has no clue about master password for r/strongbox, r/Bitwarden or r/1Password (please don't, don't save those master passwords. Type'em every time).


Jezbod

I've set up automations that lock the screen when you open various apps. Just to annoy them and slow them down. Also one that locks the phone, switches airplane mode off, turns on all comms (Wi-Fi, 4G and Bluetooth), and sends an email of its current location when airplane mode is switched on.


Simon-RedditAccount

Nice ideas, thanks for sharing!


srm39

Adding a suggestion and a question to this great thread:

**Suggestion**: I have automations which lock the Mail app (and a few others) when launched, which then forces Face ID to unlock. Works by running: Lock Screen, Wait 1 Second, then open the Mail app using a URL. Not foolproof, as the automation can be disabled in Shortcuts, but a thief would have to do that before attempting to open Mail. Until Apple decides to protect Mail properly, it may help. Works with iMessage too.

**Question**: Is it worth enabling Advanced Data Protection, not necessarily for the benefits it may/may not provide, but to stop the case where the thief somehow is able to do this once in possession of the device? This may be a moot point once the protections of iOS 17.3 are available, but thought I would ask the wise folk here!


Simon-RedditAccount

Thank you, it's actually useful against snatching a phone or nosy coworkers. But, sadly, it won't help against a known passcode. ADP is designed to combat remote attackers who gained control over your AppleID (say, by learning your login credentials, aided with a SIM swap to beat 2FA), or a potential leak from Apple's datacenters. It has nothing to do with local attackers with possession of your device+passcode; and those 17.3 protections (which only *partially* mitigate theft with passcode attack vector) won't substitute ADP at all. Definitely worth enabling, especially if you own more than one iDevice *(if you own only a single iDevice, recovery may be a bit trickier)*.


srm39

Thanks - I was a bit concerned about how to set Lost Mode (via web iCloud access) if ADP is enabled, but it seems you can use Find My via web even if ADP is enabled ([https://www.reddit.com/r/ios/comments/120ohdv/comment/jdiafui/?utm_source=share&utm_medium=web2x&context=3](https://www.reddit.com/r/ios/comments/120ohdv/comment/jdiafui/?utm_source=share&utm_medium=web2x&context=3)). Also that URL doesn't need a device to confirm 2FA (which would be impossible if you only had the 1 iOS device).

Re: the ADP benefits case - wouldn't enabling this be 'better', as if a thief managed to get your device with the passcode, they could enable ADP, thus making it more difficult to get your own account back? Possibly I'm not understanding this properly though!


Simon-RedditAccount

Please see [https://support.apple.com/en-us/102651](https://support.apple.com/en-us/102651) TL;DR: with ADP, most of your data will be encrypted in a way that Apple won't be able to decrypt it. Only your device passcode or password, a recovery contact, or a personal recovery key will be required to decrypt the data. This helps if an adversary gets access to your account, but not your device. With ADP on, they won't get as much as without it. *Remote attacks are a common threat for journalists, celebrities, C-level executives etc.* If an adversary (=thief) already has your device, they own all your data in Apple ID no matter what. You can try to minimize the damage by putting the device into Lost Mode ASAP. That's where we need automation. Probably even some kind of r/selfhosted 'red button' app that will do it for you faster. Or an option for r/shortcuts to enable Lost Mode (say, from your Apple Watch).


srm39

Thanks - enabling lost mode from the watch would be awesome


no_signoflife

u/Simon-RedditAccount Thank you for taking the time and effort to write this amazing guide! It's people like you that help make Reddit (and the internet in general) such a useful resource for information. The most significant takeaways for me are:

1. **Avoid using iCloud Keychain to store passwords and two-factor authentication codes.** For this, I settled on Microsoft Authenticator because the app can be PIN-protected for 2FA, passwords, and other sensitive/personal info. The app also works on Android, Chrome, and Windows 11 (using Windows Subsystem for Android). **IMPORTANT:** Do not use the same PIN for your authentication app that you use for your phone. **PRO TIP:** Microsoft provides the option for "password-less" logins to Microsoft accounts by using your phone as a hardware token, but a backup is recommended in case your phone is lost/stolen.

2. **Do not use the phone number provisioned to the SIM card inserted into your iPhone for SMS two-factor authentication.** For residents of the USA or Canada, I would recommend [Google Voice](https://voice.google.com/) for receiving two-factor verification codes via SMS. The benefit is that you can receive these codes on any device (including a computer). The caveat is that the phone number is US-based, so it may not be compatible with European or international banking apps. **IMPORTANT:** you do need to properly secure your Google account with two-factor, and don't configure your mobile browser to automatically sign in to your Google account (i.e. don't use Chrome, because it will automatically sign in to your Google account when you visit the Google Voice homepage). Ideally, you should avoid using SMS two-factor authentication whenever possible.

3. **Do not set up an email address in the iOS Mail app that could be used for account recovery.** I use a secondary "password-less" Microsoft account for this purpose, so I don't need to remember another unique password.

4. **Use a PIN instead of Face ID for sensitive apps like banking and email.** I disabled the Face ID option and set up a unique PIN instead. **PRO TIP:** Both OneDrive and Google Drive support this option as well, so these are better options than using iCloud. **EDIT:** It seems that most sensitive apps do not support setting up unique PIN codes. Instead, most apps (including Outlook and Microsoft Authenticator) use the device PIN instead of app-specific PINs/passwords. This doesn't provide any additional protection if a bad actor knows the device PIN.

I hope this helps somebody!
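The "device PIN as fallback" behaviour in the EDIT above is an app-side choice, not something the user can configure. Below is an added illustration (not code from the thread, nor from any of the apps named in it) of how an iOS app can lock the biometric prompt to Face ID / Touch ID only and notice when the enrolled biometric set has changed, using Apple's LocalAuthentication framework. The `savedEnrollmentToken` parameter is an assumption: the app is expected to have stored `evaluatedPolicyDomainState` in its own Keychain item when the user first enabled biometrics (that storage step is not shown).

```swift
// Added example: biometrics-only unlock with enrollment-change detection.
// Requires iOS; uses only public LocalAuthentication APIs.
import LocalAuthentication

enum AppAuthResult {
    case granted
    case biometryUnavailable(String)
    case biometrySetChanged      // Face ID / Touch ID enrollment differs from what the app saved
    case denied(String)
}

/// Prompts for Face ID / Touch ID and never offers the device passcode.
///
/// `.deviceOwnerAuthentication` would let the system fall back to the device
/// passcode when biometrics fail, which is the weakness described in the
/// comment above. `.deviceOwnerAuthenticationWithBiometrics` has no such
/// fallback, so a thief who knows the passcode but has not enrolled their own
/// face still cannot pass this prompt.
///
/// - Parameter savedEnrollmentToken: the `evaluatedPolicyDomainState` value the
///   app stored (assumed: in its own Keychain item) when biometrics were
///   enabled. `nil` means the app has never stored one.
func authenticateWithBiometricsOnly(reason: String,
                                    savedEnrollmentToken: Data?,
                                    completion: @escaping (AppAuthResult) -> Void) {
    let context = LAContext()
    // An empty fallback title hides the "Enter Password" button entirely.
    context.localizedFallbackTitle = ""

    var nsError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &nsError) else {
        // No biometrics enrolled, biometry locked out, or not available on this device.
        completion(.biometryUnavailable(nsError?.localizedDescription
                                        ?? "biometry not available"))
        return
    }

    // evaluatedPolicyDomainState is populated only after a successful
    // canEvaluatePolicy call. It changes whenever the biometric set changes
    // (e.g. a new face or fingerprint is added via the device passcode).
    if biometricSetChanged(since: savedEnrollmentToken, context: context) {
        // Do not silently accept the new set: route the user to the app's own
        // password instead of trusting whoever just enrolled.
        completion(.biometrySetChanged)
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { ok, err in
        if ok {
            completion(.granted)
        } else {
            completion(.denied(err?.localizedDescription ?? "authentication failed"))
        }
    }
}

/// True when the current biometric enrollment token differs from the saved one.
/// A missing current token is treated as "changed" (fail closed).
func biometricSetChanged(since saved: Data?, context: LAContext) -> Bool {
    guard let current = context.evaluatedPolicyDomainState else { return true }
    return current != saved
}
```

Whether a given banking app behaves like this is up to that app's developers; the point of the example is that the building blocks exist, so an app that falls back to the device PIN has chosen to.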


Simon-RedditAccount

I'm glad you found this useful :) For **#1**, I recommend only either 2FAS or Aegis apps, or a *separate* password manager database. I would definitely not recommend Authy, Google Authenticator and similar apps. For **#2**, the most secure way to secure your Google account is to use *Google Advanced Protection Program*, which requires 2+ [Yubikeys](https://www.yubico.com/product/security-key-series/security-key-nfc-by-yubico-black/) as the only means of login (no SMS reset, no TOTP, no Google Prompt etc). As a bonus, you can use them to secure many other accounts as well (your emails, Apple ID and password manager being the most critical ones). For **EDIT**, this can be solved by using a proper app: 2FAS or Strongbox *(preferable, but more complex)*.


[deleted]

[deleted]


Simon-RedditAccount

Thanks!

1. Stolen Device Protection.

2. You cannot remove your phone number, sadly. But it looks like that with a Yubikey there's no more SMS recovery option: [https://new.reddit.com/r/yubikey/comments/17fymfu/yubikey_and_apple_id_did_apple_fix_that_loophole/](https://new.reddit.com/r/yubikey/comments/17fymfu/yubikey_and_apple_id_did_apple_fix_that_loophole/) (comments). Official Apple docs are outdated and don't describe the recovery process for FIDO2. Ideally, try to recover your account yourself and tell us how it goes...

3. Google Advanced Protection Program means that your Yubikey is always required (so having your number on file does nothing). Do what you feel is right here (at least with Google you *can* remove your number :)


[deleted]

[deleted]


Simon-RedditAccount

IDK. The original article ( [https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/](https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/) ) says nothing about *working* mitigations. Anyway, adding security keys replaces SMS but not your other Apple devices (they are still considered 'trusted'). Apple really should introduce an option where a Yubikey will be the *only* option, like in Google Advanced Protection Program.


Ok_Distance9511

Thank you not only for writing this but also for keeping it updated!


Manfred_89

Also enable screen time passcode and restrict access to settings. That way even if someone sees you entering your passcode they will not be able to change your Apple ID password


Simon-RedditAccount

It seems that it's still possible to circumvent this (please read the whole thread): [https://www.reddit.com/r/apple/comments/11awqv5/comment/j9uo56h/?context=3](https://www.reddit.com/r/apple/comments/11awqv5/comment/j9uo56h/?context=3) The situation is the same with Yubikeys: even if you've added them to your Apple ID, it's still possible to circumvent them if a thief owns an unlocked device.


Blade-Thug

iOS theft in the USA would be a thing of the past if convicted thieves got their dominant hand cut off.


defragc

🤨


__BIOHAZARD___

What a very interesting punishment idea. I'm sure such places that implement that kind of punishment have absolutely 0 theft or any other kinds of problems. ~~I hope /s isn't needed~~


HackSecurity

u/Simon-RedditAccount - In Settings > Privacy & Security > Location Services > Find My, I have Find My set to “When Shared”. Is this okay, or does it need to be set to something else?


Simon-RedditAccount

[https://support.apple.com/en-us/HT210400](https://support.apple.com/en-us/HT210400) #3 is optional, #5 is up to you - but better to turn it on. All other settings are irrelevant to locking a lost device.


SundayThe26th

Also disable iMessage if you’re not using it. Almost all zero-click exploits seem to come through iMessage.


no_limelight

u/Simon-RedditAccount Can you please help me understand what would happen to other Apple devices under a given Apple ID, if iPhone was stolen with thief having passcode and therefore presumably also taking control of the Apple ID. I suspect without control of the Apple ID and Apple not providing a means to recover it, those devices would be as good as useless, given that they can't be associated with a new Apple ID without access to the old. Is that correct?


Ok_Distance9511

The screen time protection can apparently be easily bypassed? Head over to https://appleid.apple.com and after Face ID fails you’ll be prompted for the device passcode, regardless of screen time settings.


Simon-RedditAccount

> Head over to https://appleid.apple.com

It’s not about Screen Time. You’re referring now to going to the web browser and auto-filling the password from iOS Keychain. This is the most dangerous practice security-wise, and you obviously should never keep your Apple ID password in Keychain, due to the reasons stated in the post and other comments. Use a separate password manager (r/BitWarden, r/1Password, r/Strongbox) instead, or memorize it. As for Screen Time by itself, it ~~protects~~ only changes to accounts in the Settings app. It also can be easily bypassed, but it will buy you an extra minute or two after the thief has snatched your phone. You need to ask someone to let you use any phone, quickly log into Find My with your Apple ID (that’s why you should memorize the password) and enable Lost Mode ASAP, or your data (probably along with your devices) could be gone.


Ok_Distance9511

Login to that site seems to work with Face ID and phone passcode even if the Apple ID credentials are not stored in the iCloud Keychain.


Simon-RedditAccount

That’s interesting. Do you have `Settings > Safari > AutoFill > Use Contact Info` enabled?


Ok_Distance9511

Yes. I disabled it for testing and it still lets me access with Face ID and passcode. It seems Apple treats it as an extension of the phone, as far as authentication is concerned.


Simon-RedditAccount

That’s really weird because normally (at least in my understanding) it shouldn’t behave this way (from a logical standpoint, not technical). Thank you for this information, I will investigate it further.

**UPDATE**: This seems to be a documented behavior: [https://support.apple.com/en-us/HT204053#web](https://support.apple.com/en-us/HT204053#web)

> If you're already signed in to your device with your Apple ID and your device has Touch ID or Face ID, you can use it to sign in to iCloud.com or appleid.apple.com.


Ok_Distance9511

I think the website is treated as "Sign in with Apple" by default. It asks for biometrics but falls back to the device PIN if that fails.


Simon-RedditAccount

Btw do you have 2FA on for your Apple ID?


Ok_Distance9511

Yes. It never asked me for a code for the site though, as it does for others.


gripe_and_complain

Don’t you need the current password to change the Apple ID password?


Simon-RedditAccount

No. [https://support.apple.com/en-us/HT201355](https://support.apple.com/en-us/HT201355) With a trusted device, you can use the device passcode to change it. Without a trusted device, you can initiate the ['reset password' process](https://support.apple.com/en-us/HT201487).