When you try to make an Apple account for an under 12 it forces an @me account, which I knew my kids could never change, so I put a wrong DoB in to let me use their real emails, then added them to the family and changed it to their real DoB, which requested me, the parent, to approve, working around the issue.
I guess it depends when you made your account. I had an iTunes account before I had an Apple device so there was no @me option, and everyone else I know uses their own address.
Literally this, if the account’s DoB is < 12 on creation you can’t use your own email and have to use a @me account email, which can’t be changed unless you do as I listed above, which means my kids won’t have that problem.
My thinking is that given the ease with which a thief can access and take over an iPhone-linked-iCloud account, it’s best to minimise the amount of sensitive/valuable content stored in that account. So not only avoid using Apple Keychain for passwords but also avoid using iCloud as email provider (at least for certain types of email).
Some might even want to go further and use something other than iCloud Drive for document sync and something other than Apple Photos, although I appreciate these two changes would mean giving up too much functionality for many Apple device users.
Is this because you have an account recovery contact? I don’t have anything like this. So if someone stole my phone and phone password, my understanding is I’d need to get to one of my other trusted devices before I’m able to take any action. If I’m on a night out that probably means at least an hour before I can do anything.
This might be useful if someone is trying to obtain your passcode by force (although I think in a pressure situation many will probably have trouble remembering something they don’t use often). But it won’t help prevent people obtaining passcode by shoulder surfing.
Also think it would probably lead to a lot of people accidentally wiping their iPhones.
I suppose I’m not so worried about the prospect of never getting back into my Apple or Google account (following iPhone and Android theft respectively). It’s more the damage that can be done by a thief having unrestricted access to my primary email (and to a lesser extent my cloud drive) for a few days that worries me. In that time they could take over all sorts of additional accounts by requesting forgotten password links be sent to my primary email.
Even if a petty thief isn’t interested in doing this themselves I’d be surprised if there isn’t a criminal market for unlocked phones with unprotected email access, with the buyers being other criminals with the knowledge to rapidly exploit this type of access.
Again, Spark (and probably other email apps) lets you have Face ID with a fallback to a separate pin. It’s also a decent email app (although the free version isn’t as good as it used to be).
If it’s just a client app, it doesn’t really help if your email provider is iPhone-linked-iCloud account (or Android-linked-Google account). A thief with device passcode could access those email accounts regardless of what client you have installed on the device.
You really need to decouple email account from iPhone/Android account if you want to prevent possibility of someone with access to device and device passcode from getting access to your email.
I went through all my financial apps over the weekend. Monzo seems to be the only one I have that uses device pin/password as a method for unlocking a locked app. I wonder if they will reconsider and give us the ability to set an app pin. I know some have been calling for this for a while.
I’m so lax with my security, reading this thread the lengths people go to, really makes me consider what I do and what I should change.
But… I’m lazy. I don’t want lots of steps to get in the way day-to-day.
I think my first step needs to be to change my BitWarden password. There is zero point the password for my Fantasy League team being 50x92zkejyQ!1!le029 when the password to open BitWarden is Password123.
If someone takes my phone by force and makes me give up my pin, they might try it to check I’m not lying to them. If they open my phone, open Monzo and see I’m a millionaire, they’re probably going to run away at this point. We’re rich. We’ve robbed someone rich.
Add in a Monzo pin, and then they might wait for that pin too. And with that pin, they can empty my account.
Of course there are going to be people that know that you need a pin to do anything with my money but these things are so rare, it’s not really worth the concern.
An app pin isn’t going to help if someone is using threat of violence to get into your bank apps. The only thing that would really help in this scenario is a pre-emptive choice to limit the number of finance apps you install on your phone (i.e. don’t install the ones with access to very large sums of money). But that doesn’t mean an app pin wouldn’t be helpful for other scenarios.
I don’t know about the “like almost everyone else” bit. Monzo is the only finance app I have that falls back to device passcode as an unlock method. The others must have had in mind that having a layer of protection beyond device passcode is desirable.
How is that separate pin reset on other banks if forgotten?
Generally I’m with Monzo here, more pins means people forgetting things more, more fiddly resets, and just more annoyance. I’d rather have the barrier just to making transactions.
I’m imagining myself stood on pavement with no watch, no phone, no wallet… probably wondering how I’m gonna get home, or how I might call the police. With nothing on you, how are you locking your phone within 30 seconds?
With reference to the thief changing important details on your iPhone to lock you out, remote wipe etc, isn’t the answer to that simply adding parental lock to settings with a different pin?
Some of them use the internet banking password as the fallback if biometrics isn’t working. If you forget this I guess you need to go through full recovery of internet banking.
But some use user-defined app-specific passcode which is unconnected to internet banking credentials. I guess if you forget this you just reinstall the app and go through whatever authentication was needed when first setting up the app.
It’s not even compulsory to turn on app-lock in Monzo. So use of an app passcode (instead of falling back to device passcode when biometrics fail) wouldn’t even impact those who don’t use app lock.