I think the key weakness is allowing the Apple ID password to be reset just using the device PIN, which is fairly easily discoverable via shoulder surfing. When you can lock someone out of their Apple ID in less than a minute, pretty much all other security measures become useless. You’ll be locked out of Find My iPhone etc.
Nope, you can still reset the Apple ID, and the Apple ID password is the fallback to reset the Screen Time password.
There’s nothing you can really do about this as far as I know, apart from making it harder to learn your passcode (although there’s no way to make it impossible, or even overly difficult).
You can at least set double blind passwords on things like your email accounts so they can’t lock you out of those. And I don’t keep main savings account on my phone at all. You can create a double blind password for Starling or other banks too, but sadly not Monzo.
I just tested it and I can’t access my Apple ID at the top of the Settings page to change the password?
Is there another way to do it?
I mean you can also lock out passcode changes in there as well, to stop them changing the PIN and Face ID.
I know the Apple ID password can reset the forgotten restriction PIN, but I thought you didn’t have to enable that; you can skip it. Although I think you may be able to reset the password if you turn on that option, as I see it has a reset Apple ID password option, but I am not sure if it works.
There will be a vector through the website if you’re dense enough to save your iCloud password in Passwords, which to be honest should be blocked if it’s not already.
I don’t believe Apple has publicly commented on making any changes, only that iOS is a secure platform and it is important to protect your passcode from snooping.
John Gruber suggested on his podcast this week that this is a known vulnerability within Apple, and has been for some time, but that it is somewhat intentional. People forgetting their iCloud passwords and needing a way to reset them with a second factor is more common than this type of crime. That is, until it was published everywhere, and now your amateur iPhone thief is going to attempt to snoop the passcode.
That said, iOS could surely be strengthened so it doesn’t default back to passcode when biometrics fail.
Device passcode as a fallback for failed Face / Touch ID is fine. But allowing reset of the Apple account password with only the device passcode is the issue. It could do with more protection here. Perhaps there needs to be some kind of time delay on the change if you are trying to reset a ‘forgotten’ password without approval on a second device.
This is certainly not the default on Android. I ran through this flow with a friend on Monday; the only difference to the iOS flow was that Google required the old account password, which was stored in the Passwords app.
I don’t have the answers, but making people’s security setup more complicated is only going to lock more people out of their phones and accounts.
The article maybe over-complicates it. I just add a single special character to some of my saved passwords that I want to keep particularly secure (as in, if someone had my phone and the passcode). Same character for every password that uses it (which isn’t many). It’s not particularly onerous, and it serves a purpose, but it could definitely be said to be over-cautious anyway.
I’ve had a scroll through this thread, and although the article in question isn’t posted in here, it has been discussed and I’m sure shared in another thread elsewhere.
So to pre-empt the inevitable @revels treatment, because I’m sure there’s a more appropriate thread where the Apple ID stuff was discussed in more detail, as much as I’ve tried, I can’t find it.
The article in question is this:
And whilst some folks were hopeful it’s a vulnerability they’d see patched in one of the iOS 16 betas, it never was. I was dubious we’d even see anything by iOS 17, and indeed it wasn’t addressed there either.
… and I’ve just found the actual thread so will copy/paste this to a new reply over there, and link it here in banking and security. Just saved you a job Revels! …
Craig Federighi has now publicly addressed this issue for the first time. The TL;DR is it was designed this way on purpose, but they’re aware of the problem and are actively working to address it.
The relevant section starts at 1:51:40.
The Shortcuts community has been up to something recently as well, which some folks might be interested in. It doesn’t prevent this sort of attack, but it’s still a pretty cool automation nonetheless for keeping your device secure.