Back in February, the Wall Street Journal reported on a spate of iPhone thefts that neatly sidestepped device security and allowed wily thieves to lock owners out of all their Apple products.
It’s quite complex, but it essentially relied on watching users enter their passcodes rather than use Face ID or Touch ID. Apple periodically requires you to enter the passcode, even with biometrics enabled, but it could also be forced by a restart (something clever thieves can do when befriending people on a night out after looking at photos, say).
With that code, thieves could scurry away with the phone and change the Apple account master password, disabling Find My iPhone and locking the user out of every Apple device they owned.
This is actually by design, as Apple wants people to be able to change their password if they forget it, so the passcode acts as proof it’s you. But that makes the passcode overly powerful, with some unlucky users losing years of precious photos and documents as a result.
Anyway, eight short months after the WSJ report, Apple is finally ready to act. The paper has been informed that the iOS 17.3 beta will include something called Stolen Device Protection. It’s a security setting that makes it significantly harder for thieves to change passwords even if they have your passcode.
In short, if you’re not at a familiar location (i.e., home or work), the iPhone will require Face ID or Touch ID for password changes. The change will also be done in two parts, requiring confirmation with biometrics an hour after the initial request has been made.
That, in theory, should give owners plenty of time to remotely lock their device, saving their Apple account. Similar changes are also being introduced for changing security settings or accessing your keychain.
This is all positive, but it’s not foolproof. “A thief with your iPhone and its passcode can still unlock your phone, even when Stolen Device Protection is on,” the Journal points out.
“Any app that isn’t protected by an additional password or PIN is vulnerable. So are accounts that can be reset by text or email. And Apple Pay still works with a passcode if Face ID or Touch ID fails.”
More seriously, Stolen Device Protection is an opt-in feature, meaning that most people won’t use it. We strongly recommend you enable it once iOS 17.3 rolls out to everyone. After all, how often do you end up needing to change your Apple password outside of home or work, anyway?