Stolen Device Protection to thwart iPhone thieves with passcodes with time delay

Posted:
in iPhone edited December 2023

If a thief can steal an iPhone and passcode, they can lock the user out of their Apple ID and wreak havoc within seconds, but Apple's Stolen Device Protection feature coming in iOS 17.3 will stop that from happening.

Stolen Device Protection
Stolen Device Protection



A February report revealed that iPhone users were being targeted by thieves that would use sneaky tactics to learn a device passcode, then steal the device. As the thief gets away, they can use the passcode to change the Apple ID password, kick the user out of signed-in devices, and have complete control of the account within seconds.

Apple will solve this issue by implementing an optional security delay to alter critical information in a future iOS update. The feature is called Stolen Device Protection and will activate when outside of trusted locations like home or work.



With Stolen Device Protection active, users won't be able to change critical portions of their Apple ID or device settings without waiting an hour and authenticating biometrics twice. Theoretically, a theft victim would notice their device has gone missing within the hour window, allowing them to set the iPhone to Lost Mode and stopping device access or account changes from being possible.

Since users won't be able to rely on the passcode fallback option, biometrics will be required for various actions with Stolen Device Protection enabled.

Biometrics are required when:


  • Using passwords or passkeys saved in Apple Passwords

  • Applying for a new Apple Card

  • Viewing the Apple Card virtual card

  • Turning off Lost Mode

  • Erasing all content and settings

  • Take certain Apple Cash and Savings actions in Wallet

  • Using payment methods saved in Safari

  • Using your iPhone to set up a new device



The above actions will prompt the user for biometrics like Face ID or Touch ID to continue. A thief will likely not be able to fake biometric authentication.

Certain operations will still fall back to a passcode, like when authenticating Apple Pay. In that instance, users will be able to use their bank's fraud protection to get funds back if a thief makes an unauthorized transaction.

The security delay will appear when attempting to change critical settings like the Apple ID password. If the thief tries to access the following settings, they must authenticate biometrics, agree to a one hour delay, then authenticate biometrics again after the hour to complete the action.

Security delay occurs when:


  • Changing your Apple ID password

  • Updating Apple ID account security settings, like removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact

  • Changing your iPhone passcode

  • Adding or removing Face ID or Touch ID

  • Turning off Find My

  • Turning off Stolen Device Protection



Trusted locations learned by the system, like home or work, remove the security delay. The security delay applies even with biometrics present, so it may be inconvenient to wait an hour every time one of the above settings needs to be altered, so trusted locations alleviate that.

Stolen Device Protection should give victims enough time to discover their device is missing, log into their Apple ID, and then activate Lost Mode. Once the device is in Lost Mode, the thief can no longer access the device, alter settings, or do anything without biometrics.

Thanks to that one hour delay, if thieves somehow steal a device, unlock it with a known passcode, navigate to the Settings page to initiate a change, then trick the victim into verifying biometrics for that first scan, the theif would still need to wait another hour to complete the change. It is incredibly unlikely that the thief will stick around or have access to the victim twice in that hour, eliminating the ability for things like Apple ID passwords to be changed by theives altogether.

An Apple representative explained that Stolen Device Protection is available in beta as a toggle in Face ID & Passcode settings. A later iOS release, likely the full release of iOS 17.3, will present the feature to users during onboarding.

Read on AppleInsider

dewme
«13

Comments

  • Reply 1 of 55
    I’m not sure why this is necessary if you have two factor authentication set up.  Even if they get into the phone they would need the code sent to a trusted device.  No?  


    williamlondon
  • Reply 2 of 55
    Too little too late, already been victimised several times. Why should Apple even GaF any more? They’re selling phones like hotcakes as it is already, and on 14th of Dec, Google is forcing mandatory 2FA on all accounts, even the useless ones.
    williamlondon
  • Reply 3 of 55
    jas99jas99 Posts: 156member
    I think this is excellent. Thank you, Apple. 
    daviatorwilliamlondonbyronlAnilu_777dave marshStrangeDayskillroyeightzerodewmewatto_cobra
  • Reply 4 of 55
    Isn’t this solved already by using ScreenTime with a different Code and disable changing accounts?
    mac_dog
  • Reply 5 of 55
    AppleZuluAppleZulu Posts: 2,048member
    BirderGuy said:
    I’m not sure why this is necessary if you have two factor authentication set up.  Even if they get into the phone they would need the code sent to a trusted device.  No?  



    This appears to be an opt-in measure, so if you feel it's unnecessary, then you can skip it.
    Too little too late, already been victimised several times. Why should Apple even GaF any more? They’re selling phones like hotcakes as it is already, and on 14th of Dec, Google is forcing mandatory 2FA on all accounts, even the useless ones.
    Not sure what Google's 2FA has to do with it.

    Also, if you've been victimized several times, it would seem you would welcome the measure. 

    Also älso, Apple has introduced a number of security features over the years that make stealing their portable devices less likely to be profitable for the thief, so it seems they've already buttered their bread on the side of profiting from selling devices specifically made to be less likely to be stolen, rather than profiting from volume sales of devices that are frequently stolen.
    mrluis63daviatorwilliamlondonbyronlmike1Anilu_777StrangeDayskillroydewmeJFC_PA
  • Reply 6 of 55
    Big question for Apple 🍎 how much ? This is going to cost the American people. I know is not going to be free. Or is it?????????
    williamlondon
  • Reply 7 of 55
    JFC_PAJFC_PA Posts: 934member
    Sounds useful, and restricting the blocked actions to the theft targets is clever. 

    For multiple incident victims I’d suggest adding a privacy screen protector ? You’re clearly not doing enough to block shoulder peepers. 
    byronlwatto_cobra
  • Reply 8 of 55
    mrluis63 said:
    Big question for Apple 🍎 how much ? This is going to cost the American people. I know is not going to be free. Or is it?????????
    Of course it’s free, it’s just part of an iOS update. Apple does not have any history of charging for new features. What’s your agenda here?
    byronlwilliamlondonroundaboutnowAnilu_777dave marshcoolfactorStrangeDayskillroyAfarstarkiltedgreen
  • Reply 9 of 55
    dk49dk49 Posts: 267member
    Why don't they allow to prevent switching off the device without unlocking the iPhone? If the user has esim, then the thief cannot switch off the device, and then it can easily be tracked by logging into Apple account.
    williamlondonjasonfjwatto_cobra
  • Reply 10 of 55
    byronlbyronl Posts: 366member
    dk49 said:
    Why don't they allow to prevent switching off the device without unlocking the iPhone? If the user has esim, then the thief cannot switch off the device, and then it can easily be tracked by logging into Apple account.
    Maybe because I think when it's switched off Cellebrite and similar tools don't work. 
    watto_cobra
  • Reply 11 of 55
    XedXed Posts: 2,627member
    BirderGuy said:
    I’m not sure why this is necessary if you have two factor authentication set up.  Even if they get into the phone they would need the code sent to a trusted device.  No?  
    Didn't the trusted device just get stolen in the scenario they're trying to prevent?
    Anilu_777williamlondonmacsince1988cpsrowatto_cobra
  • Reply 12 of 55
    BirderGuy said:
    I’m not sure why this is necessary if you have two factor authentication set up.  Even if they get into the phone they would need the code sent to a trusted device.  No?  


    My understanding is one such trusted device is the phone itself, which the thief would be holding?  Plus, on a typical phone, if he had the passcode, he could then see all your emails and texts.
    williamlondonmacsince1988killroyForumPostwatto_cobra
  • Reply 13 of 55
    XedXed Posts: 2,627member
    dk49 said:
    Why don't they allow to prevent switching off the device without unlocking the iPhone? If the user has esim, then the thief cannot switch off the device, and then it can easily be tracked by logging into Apple account.
    There are four security features I've wanted for nearly as long as the iPhone has been out.

    1) Password protect Settings and let me make it a different passcode or PIN than my device login.

    2) Password protect network settings, even in Control Panel, and let me make it a different passcode or PIN than my device login. They allow you the option to password protect networks changes in macOS.

    3) Back in the Touch ID days, allow for a "poison finger" that would lock the device thereby requiring the passcode or PIN if the wrong finger was used. Not possible with Face ID but it is nice that you can hold down the Side and a Volume button to call the screen to turn off the device or make an emergency call, which then disables Face ID until the passcode or PIN has been entered.

    4) Your idea to prevent the device from turning off when you're not in a trusted area without being properly authenticated. I'd like it to simply allow a restart because issues with an OS can occur. Thieves could also use a Faraday bag and then take it to a location with a Faraday cage, but that kind of effort take some start up capital and more planning so it would work has a deterrent.

    PS: I recommend to not use a PIN. Use a complex passcode. You have those long-press characters on the iOS and Mac keyboards, too, which means you can make a simple 4-character passcode that has over 3 billion possible combinations by using one of those characters. It also makes it a lot more difficult for something to see what you're typing in over a regular keyboard or a number pad.
    edited December 2023 Anilu_777dewmeh4y3sAlex1Nwatto_cobra
  • Reply 14 of 55
    nofeernofeer Posts: 2,427member
    I have 2FA also recent security articles say to use screen time passcode to prevent this

    doesnt screen time passcode work
    or do we need more ?? 
     
    watto_cobra
  • Reply 15 of 55
    mrluis63 said:
    Big question for Apple ߍow much ? This is going to cost the American people. I know is not going to be free. Or is it?????????
    Of course it’s going to be free and part of the OS. Do you normally go on sites and troll them?
    edited December 2023 dave marshwilliamlondoncoolfactorStrangeDayskillroyAfarstarJFC_PAAlex1Nwatto_cobra
  • Reply 16 of 55
    mrluis63 said:
    Big question for Apple 🍎 how much ? This is going to cost the American people. I know is not going to be free. Or is it?????????

    Why the specificity of "American" people? Ah... I see.

    StrangeDayskillroyAfarstarwilliamlondondewmekiltedgreenJFC_PAAlex1Nwatto_cobra
  • Reply 17 of 55

    Isn’t this solved already by using ScreenTime with a different Code and disable changing accounts?

    I'm not familiar with using ScreenTime's security features. Does it allow you to set a _different_ passcode from your device passcode? Is that to what you are referring?

    I think this Stolen Device Protection is another good step forward, as it considers location proximity into the equation. Our Smartphones are getting smarter.
    Alex1Nwatto_cobra
  • Reply 18 of 55
    mrluis63 said:
    Big question for Apple 🍎 how much ? This is going to cost the American people. I know is not going to be free. Or is it?????????
    Bad bot
    killroyAfarstarwilliamlondonJFC_PAAlex1Nwatto_cobra
  • Reply 19 of 55
    MarvinMarvin Posts: 15,362moderator

    If a thief can steal an iPhone and passcode, they can lock the user out of their Apple ID and wreak havoc within seconds, but Apple's Stolen Device Protection feature coming in iOS 17.3 will stop that from happening.

    Stolen Device Protection


    With Stolen Device Protection active, users won't be able to change critical portions of their Apple ID or device settings without waiting an hour first. Theoretically, a theft victim would notice their device has gone missing within the hour window, allowing them to set the iPhone to Lost Mode and stopping device access or account changes from being possible.

    Since users won't be able to rely on the passcode fallback option, biometrics will be required for various actions with Stolen Device Protection enabled.

    The above actions will prompt the user for biometrics like Face ID or Touch ID to continue. A thief will likely not be able to fake biometric authentication.

    The security delay will appear when attempting to change critical settings like the Apple ID password. If the thief tries to access the following settings, they are met with a pop-up explaining that a one-hour delay will begin before the setting can be changed.

    Security delay occurs when:

    • Changing your Apple ID password
    • Updating Apple ID account security settings, like removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact
    • Changing your iPhone passcode
    • Adding or removing Face ID or Touch ID
    • Turning off Find My
    • Turning off Stolen Device Protection


    Trusted locations learned by the system, like home or work, remove the security delay. The security delay applies even with biometrics present, so it may be inconvenient to wait an hour every time one of the above settings needs to be altered.

    It's good to have some extra security. I think the time delay should be configurable to be longer. There are a lot of scenarios where 1 hour isn't enough like if someone is out for the evening and can't get back home to another device within an hour. Stealing a phone makes it harder to get a taxi. They also might have been assaulted and needing medical attention.

    If they send an email out that someone attempted to reset important information and allow the user to block the change, it's possible they can block it from an Apple Watch.

    They can perhaps require confirmation of changes from a second Apple device. It's unlikely that thieves will get more than one device.
    BirderGuy said:
    I’m not sure why this is necessary if you have two factor authentication set up.  Even if they get into the phone they would need the code sent to a trusted device.  No?  
    Usually the trusted device is the phone that was stolen. Two factor authentication isn't required on an already trusted device.



    What thieves have been doing is looking over people's shoulders for pin codes or passwords, then stealing the phone. Once they can unlock the phone, they can change the Apple ID and add their own biometrics. Then they can access banking apps and drain their accounts, some people have lost their life savings. They can also lock people out of their other Apple devices (Macs/iPads at home), which makes it harder to track them with Find My (which they can also disable).

    Device lock should be prevented from a device that has had its Apple ID changed in suspicious circumstances.

    I'd like to be able to lock banking apps inside a vault in addition to this.

    It's not just for thieves but device repairs. The repair people ask for device passcodes to replace batteries as they need to check it works. Some people have stolen private photos from people this way.

    The more protection on these devices the better.
    killroywilliamlondondewmeDGDMNStrangeDaysavayasAlex1Nwatto_cobra
  • Reply 20 of 55
    nofeernofeer Posts: 2,427member

    Isn’t this solved already by using ScreenTime with a different Code and disable changing accounts?

    I'm not familiar with using ScreenTime's security features. Does it allow you to set a _different_ passcode from your device passcode? Is that to what you are referring?

    I think this Stolen Device Protection is another good step forward, as it considers location proximity into the equation. Our Smartphones are getting smarter.
    yes  just  make  sure you remember it, i use a family members number and they use mine     so i wonder how this new "protection" works compared to screen time passcode here's a link to that article 
    https://lifehacker.com/how-screen-time-can-save-you-when-your-iphone-is-stolen-1850368491

    https://www.macworld.com/article/1920786/how-screen-time-can-keep-your-iphone-and-icloud-accounts-safe-from-thieves.html

    i also set my screen off after 30 seconds and use FaceTime as much as possible especially in crowded places, trains, etc   also don't drink and iPhone    don't let strangers use your phone
    you must be aware of your surroundings
    i and my family did this especially when traveling its a simple thing to do

    i only use my financial apps with face id, and vpn and alone never in a crowd 
    edited December 2023 Alex1Nwatto_cobra
Sign In or Register to comment.