Apple believes that needing both the iPhone and its passcode makes it harder for thieves to steal users' information, but having both stolen is common enough that you need to know how to protect yourself.
It has always been the case that the weakest part of security on iPhones is the passcode, but the Wall Street Journal is again highlighting the problem. The publication has accounts from users who had their iPhone snatched after thieves watched them enter a code, and ones who were forced or even drugged into sharing the code.
In some of these reports, the situation was greatly exacerbated because of a feature Apple intended to give extra protection. Apple's Recovery Key is a randomly-generated 28-character code that you can set up in order to later regain access to your Apple ID.
"While it's not required, using a recovery key improves the security of your account by putting you in control of resetting your password," says Apple in a support document. "Creating a recovery key turns off account recovery... a process that would otherwise help you get back into your Apple ID account when you don't have enough information to reset your password."
The problem is that if users have not set up a Recovery Key like this, the thieves can. They can set up the Recovery Key for themselves and effectively lock the user out forever.
How to protect yourself
Nearly everything you need to do to protect yourself from this needs to happen in advance of the theft.
The easiest and most obvious first step for any user is to always be careful about entering a passcode where it might be seen. Biometrics like Touch ID or Face ID are nearly always better to use when in public.
A thief could snatch the iPhone and hold it in front of the owner's face to unlock it with Face ID. But, of course, this takes time and the user would be aware of the theft immediately.
That can be made harder for a thief to pull off, though. Users can go to Settings > Face ID & Passcode on their iPhone and turn on Attention Detection for Face ID. This means the user has to be very specifically looking at the iPhone for it to unlock.
It's possible that a user could still be coerced into unlocking with Face ID, either by threat or manipulation. It's also possible that a user could be drugged first.
Then there is the Apple ID Recovery Key, though this must be set up and protected beforehand.
Screen Time can be configured to prevent account changes as well. Amongst other options, changes to the account can be prevented with another passcode, similar to how you'd stop a child from changing settings on an iPhone.
How to set up the Apple ID Recovery Key
- On an iPhone or Mac, go to Settings > Your Name > Password & Security.
- Tap Recovery Key, then slide to enable it. On a Mac, click Manage next to Account Recovery.
- Tap Use Recovery Key and enter the device passcode.
- Write it down and store it in a safe place, then confirm it on the next screen.
"Using a recovery key is more secure, but it means that you're responsible for maintaining access to your trusted devices and your recovery key," says Apple. "If you lose both of these items, you could be locked out of your account permanently."
This isn't a theoretical problem, but it is rare with the inclusion of biometrics. Of course, that doesn't help the users it happens to.
We all keep so much information on our iPhone that losing it is a boon for thieves but potentially a tragedy for us, so everyone should take extra care to protect themselves and their phone.