How to use Stolen Device Protection

AppleInsider

Stolen Device Protection is a feature Apple hopes will prevent the total loss of an Apple ID if an iPhone and passcode are stolen. Here's how to get it set up.

How to use Stolen Device Protection

Previously, a thief could learn a person's passcode through social engineering or spying, steal the person's iPhone, and quickly lock the person out of their Apple ID. After reports of such problems got out, Apple worked on a feature to help mitigate the risk of total loss after an iPhone was stolen.

As of iOS 17.3, Apple has provided users with a way to mitigate the threat of total loss of an Apple ID. A thief can no longer access critical information or change passwords without biometric authentication by enabling Stolen Device Protection.

Subscribe to AppleInsider on YouTube

How to enable Stolen Device Protection

There are some caveats to Stolen Device Protection, but we'll get into that in a moment. For now, here's how to enable the feature.

• Open the Settings app and tap on "Face ID & Passcode"


• The toggle for Stolen Device Protection is about midway down the page


• Toggle the feature on and read through Apple's prompts about the feature

That's it -- Stolen Device Protection is on. However, what that toggle changed across iOS is much more complicated.

From our use of the feature, users shouldn't notice any difference in how their iPhone operates day to day. This is especially true when in significant locations like work or home where the feature isn't active.

What Stolen Device Protection does

Stolen Device Protection removes passcode fallback when accessing critical portions of Apple ID or device settings. It also implements a security delay when a user attempts to alter especially sensitive information like an Apple ID password.

Normally, certain actions will prompt the user for Face ID or Touch ID. If those biometrics fail to authenticate, the user is then prompted for a passcode.

When Stolen Device Protection is enabled, the following requires biometric authentication with no passcode fallback:

• Using passwords or passkeys saved in Apple Passwords


• Applying for a new Apple Card


• Viewing the Apple Card virtual card


• Turning off Lost Mode
  
• Erasing all content and settings


• Take certain Apple Cash and Savings actions in Wallet


• Using payment methods saved in Safari


• Using your iPhone to set up a new device

That means a thief with your iPhone and passcode could not access these settings. Any one of these settings could lead to significant financial loss or compromise of the user's Apple ID.

Features not mentioned in the above list will still have a passcode fallback option, like authenticating Apple Pay. However, FDIC insurance will cover fraudulent charges if a thief uses Apple Pay.

Stolen Device Protection one-hour delay

Apple adds another layer of protection for especially sensitive settings and controls -- a one-hour delay. If the user is outside of a trusted location and attempts to alter the following settings, a biometric scan followed by an hour delay and another biometric scan occurs.

• Changing your Apple ID password


• Updating Apple ID account security settings, like removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact


• Changing your iPhone passcode


• Adding or removing Face ID or Touch ID


• Turning off Find My


• Turning off Stolen Device Protection

Trusted locations are learned by the iPhone and are not user-addressable. Significant locations like home and work are used as exemptions for Stolen Device Protection.

The one-hour delay ensures that even if a thief can trick the user into the initial biometric scan, it would be incredibly unlikely the user would still be available for a second scan an hour later. Alternatively, if a thief learned the user's home address and attempted to drive there to make changes without a delay, the user would have enough time to activate Lost Mode.

Stolen Device Protection won't prevent your iPhone from being stolen, but it might keep your Apple ID, passwords, and finances safe from thieves. AppleInsider highly recommends activating the feature.



Read on AppleInsider

whodiini

I just updated my ipad 11 pro to ios 17.3.  Went to face ID and passcode, and there was not any Stolen Device Protection setting anywhere.  Must be just for iphones, so I updated my iphone 13 pro to ios 17.3.  Went to settings and there is no face ID and passcode.  I do have a screen time passcode to lock settings.  This is not as easy as the article suggests.

whodiini

With a screen time passcode to lock settings, one needs to remove the screen time passcode, then go to content and privacy restrictions to allow for passcode changes. Then the face ID and passcode will show up in settings and you can now turn on Stolen Device Protection.  Then if you want the added security, turn back off passcode changes and set your screen time passcode.  I have yet to figure out if having the screen time passcode and the Stolen Device Protection is redundant now.

Wesley Hilliard

whodiini said:

With a screen time passcode to lock settings, one needs to remove the screen time passcode, then go to content and privacy restrictions to allow for passcode changes. Then the face ID and passcode will show up in settings and you can now turn on Stolen Device Protection.  Then if you want the added security, turn back off passcode changes and set your screen time passcode.  I have yet to figure out if having the screen time passcode and the Stolen Device Protection is redundant now.

Screen Time passcode can be reset if you know the iPhone passcode, so it doesn't really do anything except obfuscate the setting by one step. I think you're making things harder for yourself.

whodiini

Wesley Hilliard said:

whodiini said:

With a screen time passcode to lock settings, one needs to remove the screen time passcode, then go to content and privacy restrictions to allow for passcode changes. Then the face ID and passcode will show up in settings and you can now turn on Stolen Device Protection.  Then if you want the added security, turn back off passcode changes and set your screen time passcode.  I have yet to figure out if having the screen time passcode and the Stolen Device Protection is redundant now.

Screen Time passcode can be reset if you know the iPhone passcode, so it doesn't really do anything except obfuscate the setting by one step. I think you're making things harder for yourself.

No it cannot.  There is a separate passcode to reset screen time which makes it more secure.  That is the whole purpose - one passcode to enter into your phone, another separate passcode to reset important settings such as the phone passcode, turn off find my iphone, ....

StrangeDays

whodiini said:

I just updated my ipad 11 pro to ios 17.3.  Went to face ID and passcode, and there was not any Stolen Device Protection setting anywhere.  Must be just for iphones, so I updated my iphone 13 pro to ios 17.3.  Went to settings and there is no face ID and passcode.  I do have a screen time passcode to lock settings.  This is not as easy as the article suggests.

Mine does. Dunno why your copy would be different. 

Wesley Hilliard

whodiini said:

No it cannot.  There is a separate passcode to reset screen time which makes it more secure.  That is the whole purpose - one passcode to enter into your phone, another separate passcode to reset important settings such as the phone passcode, turn off find my iphone, ....

Ok, so it's a little convoluted. But Screen Time doesn't prevent someone from accessing your iCloud Passwords. That means all they have to do is get your Apple ID and password from keychain, then use that to disable the screen time passcode, then they can do whatever they want.

Stolen Device Protection prevents people from accessing your passwords without biometrics. You don't need to have Screen Time passcode active at that point unless it just makes you feel better, but it is an unnecessary pain.

commentzilla

This feature should have been included on the iPad.

commentzilla

Home and work locations don't work right. It appears to do it solely based on frequency, which then includes any place you repeatedly go, like friend's house or even a gas station. We should be able to set those locations manually.

commentzilla

I hear you can turn off "device location" so that the full device protection will apply everywhere with no exceptions.

neilm

commentzilla said:

This feature should have been included on the iPad.

Yes it should. In fact it's downright weird that iPadOS doesn't include it — like locking the front door and leaving the back door wide open. WTF??

appleinsideruser

So, from the screenshot, why is the location of the iPhone hidden for one hour during the lockout phase?

Surely that’s exactly when you want to know where it is to track who has stolen it?

CheeseFreeze

Just curious, but wouldn’t a thief be able to turn off the phone and reinstall it from a connected computer? 

It’s probably different with AirPods; someone stole mine and simply turned it off on the highway and it never popped up on the radar again.

uphill

Wesley Hilliard said:

whodiini said:

No it cannot.  There is a separate passcode to reset screen time which makes it more secure.  That is the whole purpose - one passcode to enter into your phone, another separate passcode to reset important settings such as the phone passcode, turn off find my iphone, ....

Ok, so it's a little convoluted. But Screen Time doesn't prevent someone from accessing your iCloud Passwords. That means all they have to do is get your Apple ID and password from keychain, then use that to disable the screen time passcode, then they can do whatever they want.

Stolen Device Protection prevents people from accessing your passwords without biometrics. You don't need to have Screen Time passcode active at that point unless it just makes you feel better, but it is an unnecessary pain.

I think Screen Time passcode does in fact prevent access to one's keychain. On my iPhone, access to my iCloud at the top of Settings is greyed out with Screen Time passcode set. I think that's where on needs to go to access Keychain.

I have yet to see a clear explanation by someone who really understands both of these security measures, how they actually function and how they compare.

Wesley Hilliard

uphill said:

I have yet to see a clear explanation by someone who really understands both of these security measures, how they actually function and how they compare.

It's no longer referred to as Keychain on iOS. It's iCloud Passwords, which is located later down the Settings list below "Wallet and Apple Pay." There is a setting in Screen Time that lets you shut off access to altering Apple ID settings, which includes changing passwords. BUT, passwords are still visible.

I understand both of these features completely and can break down any aspect if you're still confused. Do not rely on Screen Time to protect your Apple ID, it will fail.

uphill

It's no longer referred to as Keychain on iOS. It's iCloud Passwords, which is located later down the Settings list below "Wallet and Apple Pay." There is a setting in Screen Time that lets you shut off access to altering Apple ID settings, which includes changing passwords. BUT, passwords are still visible.

I understand both of these features completely and can break down any aspect if you're still confused. Do not rely on Screen Time to protect your Apple ID, it will fail. Thank-you. This makes it clear. I think it would be very helpful if a comprehensive explanation were published separately detailing exactly how each security measure works, how they compare, and why the new one is preferable. Such an explanation does not seem to be available anywhere online, even on the Apple website, and would help at least a few people to make an informed decision about the issue.

appleinsideruser

So, from the screenshot, why is the location of the iPhone hidden for one hour during the lockout phase? Surely that’s exactly when you want to know where it is to track who has stolen it?

From https://support.apple.com/en-gb/HT212510
If you use your iPhone to change your Apple ID password, the location of your devices may not be visible at iCloud.com for a period of time.

Is this related? Perhaps Apple don't want a stalker to follow you home and unlock at a significant location?

uphill

There seems to be one glaringly fatal weakness in Stolen Device Protection: The fact that apparently Apple trusts people that I have no reason to trust.

If a frequently visited location, like for example a post-secondary classroom is recognized as a significant location, then the phone is as defenceless as it would be without the protection. Do I implicitly trust everyone in my Social Studies classroom? Is everyone there even a registered student?

I don't speak for myself, but for my nephew who is in a post-secondary studies programme.

Or is it possible, for example for the metro station I use almost every day to become a significant location? I certainly don't automatically trust anyone there.

Perhaps there is a way to "turn off" some frequently visited locations, but I don't see it. The intent of Stolen Device Protection is good, but I don't think it has been appropriately thought out but has kind of been rushed to market in order for Apple to look good, but not necessarily to give truly reliable protection.

appleinsideruser

uphill said:

There seems to be one glaringly fatal weakness in Stolen Device Protection: The fact that apparently Apple trusts people that I have no reason to trust.

If a frequently visited location, like for example a post-secondary classroom is recognized as a significant location, then the phone is as defenceless as it would be without the protection. Do I implicitly trust everyone in my Social Studies classroom? Is everyone there even a registered student?

I don't speak for myself, but for my nephew who is in a post-secondary studies programme.

Or is it possible, for example for the metro station I use almost every day to become a significant location? I certainly don't automatically trust anyone there.

Perhaps there is a way to "turn off" some frequently visited locations, but I don't see it. The intent of Stolen Device Protection is good, but I don't think it has been appropriately thought out but has kind of been rushed to market in order for Apple to look good, but not necessarily to give truly reliable protection.

So check your Significant Locations (in Settings, Privacy) to see what's included. If you don't like one, click Clear History.

uphill

appleinsideruser said:

uphill said:

There seems to be one glaringly fatal weakness in Stolen Device Protection: The fact that apparently Apple trusts people that I have no reason to trust.

If a frequently visited location, like for example a post-secondary classroom is recognized as a significant location, then the phone is as defenceless as it would be without the protection. Do I implicitly trust everyone in my Social Studies classroom? Is everyone there even a registered student?

I don't speak for myself, but for my nephew who is in a post-secondary studies programme.

Or is it possible, for example for the metro station I use almost every day to become a significant location? I certainly don't automatically trust anyone there.

Perhaps there is a way to "turn off" some frequently visited locations, but I don't see it. The intent of Stolen Device Protection is good, but I don't think it has been appropriately thought out but has kind of been rushed to market in order for Apple to look good, but not necessarily to give truly reliable protection.

So check your Significant Locations (in Settings, Privacy) to see what's included. If you don't like one, click Clear History.

I checked, and there is no "Privacy" in my Settings. Just "Privacy and Security" which has no listing for "Significant Locations". Searching for "Significant Locations" in Settings shows nothing. Why is this feature so poorly thought out?  It seems to me to be not much mre than window dressing. And no, I don't currently have Screen Time lock enabled.

uphill

OK, I found it, but it's under System Services. And it looks like clearing history will remove everything, including my home location, not just an individual location. Once again, totally unnecessarily arcane. 

The more I look at this feature, the worse it seems to get!