iOS Security Question

Someone mentioned that if someone can get into your phone with just the passcode, then it might be possible to change your iOS password without remembering the previous password? Is that true? If so, that is not very secure…

Inspired by this closed thread

It’s true, and it’s very bad. The following helps:

  • Change your numeric passcode to an alphanumeric one (that’s safer).
  • Add a PIN to Screen Time. This must be different from your passcode.

  • Set Passcode Changes and Account Changes to Don’t Allow.

This will disable those functions, and someone without the Screen Time PIN can’t change them. To change these items yourself, you need to set the Screen Time settings for these items back to Allow.

It’s not the best, but at least someone with “just” your passcode can’t directly change your iCloud password or Face ID (Touch ID).


This is interesting; I did not know there was such a thing as a Screen Time passcode. But does this prevent an unauthorized user from changing the iPhone login password once the person has the current password?

Thanks for documenting this procedure again. I enabled this protection on my iPhone. When I went to see if it applied to my Mac, a recommendation popped up saying I should convert my user to a standard user. Anybody know why for sure?

I used to run as a standard user with an admin user around for elevated permissions stuff. When I last bought a new Mac, I decided not to do that anymore, with some support given in arguments made on this forum. Hmm …

Yes, you can’t access it.

Thanks for this helpful info

I have done it, set up as per the instructions. However, I found that I cannot go to my profile icon in the Settings screen and access iCloud, Media & Purchases. I guess that is the price I have to pay for locking down the phone, and I have to reverse the lockdown process if I need to access the above.


Thank you for pointing this out. I had not noticed it yet and wonder how long it would have taken me to figure out the cause! 🙂 I’m all for security, but I also don’t want to make my phone unusable. It’s all about trade-offs, isn’t it?

This is the point where risk analysis becomes a useful tool. How much risk vs. inconvenience are you willing to tolerate? Everyone’s answer tends to be different depending on their use cases and personal or professional circumstances.

When it comes to cybersecurity, the advantage is generally with the attackers. Even more so if they can gain physical access.


You’re speaking my language 🙂


That’s correct. I don’t mind the little inconvenience, because I don’t use that section on a daily basis.

For me, the chance (albeit small) of someone gaining access to my iCloud account far outweighs this inconvenience. With access to iCloud someone can also lock your Mac and iPad.

Even if someone used your passcode to open your iPhone, they could not access or change your iCloud password if you had two factor authentication activated (strongly recommended).

Are you sure?
I have 2FA and can get to this screen for changing my iCloud password.
I didn’t go on because I don’t want to change it.

The most secure way to lock down the Apple ID is to use hardware security keys like YubiKeys.

Apple support doc here

That’s the whole issue, you can. You only need the passcode of your phone.


Yes, you can change the password because you know the current password (which an intruder would not). To change it if you didn’t know it, you would need to authenticate yourself with a one-time passcode sent by Apple.

Isn’t that largely moot, since the thief/attacker has access to your phone and can receive a two-factor authentication code by text message on that very phone?

Sure, you could register a different number for two-factor authentication with Apple than the one that your phone uses, but few people do that in practice.

I also doubt that many people will immediately think of, let alone manage to, have their SIM card disabled in time by their cellular carrier, again without having access to the stolen phone.

You are right. I will beef up my passcode.

I was looking to enable security keys on my Apple account; however, I have an old iPod Touch and my wife’s MacBook, and neither of these will support the latest software. Does this mean I cannot activate security key 2FA, or does it mean that for these devices it will still use the old method for 2FA?