
Apple is addressing a low-tech security vulnerability – shoulder surfing – that has allowed snooping iPhone thieves to obtain and use a device’s passcode to break into accounts. A new iOS setting called Stolen Device Protection is designed to defend against shoulder surfers. It is rolling out to beta testers starting Tuesday.
Mark Gurman for Bloomberg News:
The enhancement will require Face ID or Touch ID — with no option to use a passcode — when accessing stored passwords, changing Apple ID settings, looking at payment information and disabling Find My iPhone.
By requiring Face ID or Touch ID for accessing critical parts of the iPhone, a thief wouldn’t be able to cause as much damage. In particular, it would be harder to wipe the device and resell it. Apple didn’t say when the new feature will roll out to all customers, but the company is planning to release iOS 17.3 publicly early next year.
The enhancement will add a one-hour delay and require a second Face ID or Touch ID scan for the most sensitive tasks, including changing an Apple ID password, turning off the Stolen Device Protection feature, creating a new passcode, and disabling Touch ID or Face ID. There will be no delay, however, if users are at a known location — like their home or work.
MacDailyNews Take: When released, Apple plans to prompt users to turn on Stolen Device Protection. The setting will be located under Face ID & Passcode in the Settings app.
Apple is NOT safe and does NOT protect your AppleID well enough…they give you a false sense of security.
The fact that you can change your AppleID credentials, especially the password, simply by knowing the iPhone passcode is terrible. Heck, you do not even need that. All you need is to swipe an Apple device that is already logged in (via passcode, fingerprint, FaceID, etc) and you can change the password to the AppleID WITHOUT EVER being verified, thereby locking out the original owner.
The right way to handle this is to require you to ALWAYS be authenticated when you are making changes to your AppleID, no matter what.
Apple does offer an extra layer of protection if you use Screen Time and add another password to the Account changes. This can provide added protection. BUT Screen Time is full of bugs, including this protection. I know because it has failed me SEVERAL TIMES, where the protection was not active, even though it was enabled.
I know this because my daughter was successful more than once in accessing her device with the account protection turned on in Screen Time. And it can be impossible to recover if you are not properly set up, which is the default case. Eventually, I got her to relent, and got control again (after MANY WEEKS). I cannot prevent it from happening BUT NOW I can more easily recover control, because I added extra layers of protection (by registering multiple devices to the same AppleID, that and creating a Recovery Key…. those are THE ONLY ways. But most people will not be set up this way).
iPhones are NOT so secure, ESPECIALLY the AppleID. I have brought this to their attention by filing a report and they downplayed it completely!
(BTW, Android has made the same move….)
So for the sake of convenience of not having to enter credentials if the phone is already logged in, your AppleID, and EVERYTHING tied to it (WALLET, App Store, Music, etc) are VERY VULNERABLE!
CAVEAT EMPTOR!
This may help in this issue but it’s a bad idea. If you’re passed out, someone could get into your phone by placing your finger on the screen.
There’s no other way to resolve this?