The iPhone Setting Thieves Use to Lock You Out of Your Apple Account

89 points by mcenedella about 2 years ago

10 comments

larsnystrom about 2 years ago

IMHO, the crazy part is that it is possible to create a new Recovery Key with just the iPhone passcode (and the iPhone). So basically, the iPhone passcode is mightier than the Recovery Key. The only purpose of the Recovery Key is to protect against SIM swapping attacks. I didn't know this.

So an attacker with the iPhone passcode can lock you out of your Apple account on all devices, even if they don't have your Apple ID password or your Recovery Key. Basically, the iPhone passcode is your only defense if you lose your iPhone. I had always assumed the Apple account password would be needed, and that the passcode is not as important as it is so common for it to be only four or six digits.

I'm going to go set up a stronger passcode now.
konha about 2 years ago

I recently reevaluated my approach to identity & recovery across all the services I rely on and it's a mess.

Apple and Google both provide sensible security settings but you can only guess how recovery might work if you are locked out of your account from their docs. Even with their advanced security programs (requiring a hardware token) I'm not entirely sure that I'm not defeating the whole purpose of these measures by putting a mobile number in my account that can be SIM swapped. On the other hand I'm also not entirely sure if I could recover access from what I *think* I'd need to provide to prove my identity (recovery codes, trusted contacts, ...)

I get why they might not want to lay out the whole process and every heuristic they use, but it's not really reassuring.
stacktrust about 2 years ago

Dear Apple, to avoid passcode leakage to human observers and cameras, can we please have an option to disable keypress highlights and transient display of passcode characters? This lock screen behavior could be dropped when "Lockdown" mode has been enabled.

https://apple.stackexchange.com/questions/217704/disable-display-of-passwords-on-an-iphone

> This transient display lasts 3 seconds to avoid too big a security problem. But this is still largely sufficient for anyone behind you to read it really easily. Moreover this transient display can be easily captured by any camera
Etheryte about 2 years ago

The WSJ wrote an article on this two months ago as well, discussed at [0]; it seems like they've run out of new topics so they're just rehashing content they've already released. You can protect yourself against this type of attack by using Screen Time restrictions [1].

[0] https://news.ycombinator.com/item?id=34936015

[1] https://www.karltarvas.com/2023/02/25/protecting-your-iphone-against-shoulder-surfing-password-theft.html
jrootabega about 2 years ago

Using phones as all-powerful fallbacks is great when you're at home or the office, and wondering if your computer or online accounts are being compromised. Not when the phone itself could be compromised (physically). This sounds stupid to say because it is - stupid-ly obvious.

Major phone OS makers (all, what, 2 of them?) need to allow you to have at least 2 authentication paths - one when you are in a physically secure location, and one when your phone could be snooped or stolen. It's a fundamental need for phones.

To mitigate the problem of muggers demanding both codes, they should also allow location-based locking, where you could tell the phone to only allow the trusted functions to be accessed at certain GPS coordinates.
probably_wrong about 2 years ago

> After months of calls to Apple customer support and letters to the company (...), he said he finally reached a representative who was willing to do more. Once Mr. Allen answered additional verification questions, Apple disabled the recovery key, he said. (...). Mr. Allen said he uses some Apple business services, which might explain why he was able to recover his account.

As someone whose brother lost years of his children's videos when thieves locked him out of his iCloud account [1], this part confirms two things. First, it gives me hope that we might one day recover the account, seeing as the data is not cryptographically locked. And second, it confirms that the reason we couldn't get the access back is not because Apple can't do it, but rather because they don't care.

If you have an iPhone, user gkiely shared this tip on how to further protect your account: https://news.ycombinator.com/item?id=33602627

[1] https://news.ycombinator.com/item?id=34406619
theshrike79 about 2 years ago

"iPhone thieves with your passcode"

That's the article.
bejd about 2 years ago

Obligatory: https://archive.is/Y8eCV
fori1to10 about 2 years ago

Isn't it a good idea to just set your passcode to be the same as your Apple ID password?
pawelos about 2 years ago

To recover photos and notes from a locked account, would it work in the EU to file a GDPR request for a copy of personal data?