Just how vulnerable are you if you use an iPhone? Spoiler alert: more vulnerable than you think!

I was listening to John Gruber’s podcast yesterday with Marco Arment as his guest, and they were discussing this issue. They were quite concerned that knowing a phone passcode is sufficient to change the Face ID/Touch ID for the phone, and that this would then grant access to apps that use that method for identity verification, which is a very valid concern.

I just tried this on my “spare” phone, and every app on that phone (including 1Password and my banking app) that can use Face ID required me to re-authenticate with my actual credentials before allowing Face ID again. I suspect that this is a system-wide thing that iOS imposes, but I haven’t researched it yet.

Yikes - might be time to shut this thread down.

FWIW, the only thing that worried me about this news cycle is that in theory you could be held at gunpoint and forced to give up your PIN or password, which would give someone unlimited access to most of your life, banking, etc. The likelihood is very low, but it would be hard to guard against.

I can’t remember my source, but if they were correct, requiring a user to re-authenticate after Face ID is changed is an option that a developer can choose.

That’s been a bit of a red herring that has come up in various discussions around this topic. It’s a natural thing to think about, but I think it’s not directly related.

If you’re held at gunpoint, you can be compelled to do pretty much anything that you’d do in order to save your life (you can extend this to thinking about having a loved one held ransom for a possibly more extreme version). As you implied, the mitigations for any attack in which you can be compelled to act in accordance with your attacker’s direction fall way, way beyond a device authentication mechanism.

I’m not saying that it’s silly to bring this up, by the way. It’s worth thinking about, and it pertains to situations beyond robbery.

Honestly, I’ve found this topic to be really useful. People get a little uncomfortable when they find out that they may not be as safe as they thought, but I think it’s getting a lot of people, myself included, to stop and think about the implications of our device security mechanisms.

I suppose you’re right. I just always assumed that in that case I could quickly get home and lock the device. Not so…

How do you set up more than 6?

You could use the alphanumeric passcode there; so far I have found no limit on its length.
But you have to keep in mind that it is pretty inconvenient if you have to type in a very long code, and maybe even make a typo in between, so you have to redo it.

Thank you for sharing this. My phone was recently stolen, and thankfully they couldn’t get any data. Glad to know my 8-character passcode and face recognition setup helped. I also use 1Password and never Keychain. I never would have imagined another layer of security would be in the Screen Time settings, and I will definitely check that out.

I’m sorry that my post generated so much social commentary.

What I was basically looking for was actions that I can take to mitigate this security hole.

My thanks to Webwalrus for answering the original question posed. See below.

My father-in-law was recently scammed out of $95,000 via the Geek Squad refund check scam.

(Oh, by the way: call your parents and grandparents today and tell them not to allow anyone to log on to their computer without first calling you.)

It has caused me to rethink how I interface with my bank.

I went to talk to them about what my liability would be if my computer was hacked and someone wired out a bunch of money. They assured me that it would not be a problem and that they would make me whole, but when I asked to see that in writing, there was a lot of stammering.

If someone steals your phone, gets access to your bank account, and wires out $100,000, what is your recourse?

> Don’t store highly-sensitive data in your phone’s photos or notes app.

I was under the impression that if you used a separate password on a note, it was pretty secure. Is that not the case?

I must admit that I do like the ability to use Face ID to open the note, but I have some notes for which I am now going to require a separate password.

If your notes are protected by Face ID, and someone changes your Apple ID and passcode and then uses their face for Face ID, will they be able to open your notes?

Thank you, Webwalrus, for your recommendations. Does anyone else have any other recommendations to add?

Anyone using Google or Microsoft authenticator?

From earlier posts I think there are two things:

  1. Don’t use Keychain to store passwords.
  2. Use the Screen Time setting with a different PIN and disable account changes.

Do those two things and you are pretty well protected.

This is what I’ve done/am doing, broken down by what I’d recommend for others:

All:

  1. Lock your phone when you put it down.
  2. Use a long password with letters (always good, but it does not help if someone videos your screen).
  3. Hide the device when unlocking (some might like a privacy screen protector).
  4. Make sure banking apps have passcodes that are not your phone PIN (including Notes, if you store sensitive data there).
  5. Enable 2FA or MFA for those apps, ideally using 1Password, NOT SMS.

Most:

  1. Keep passwords in 1Password (I’d be surprised if Apple doesn’t allow the Keychain to be locked better this year, so you could ride this out…?).
  2. Enable iCloud account recovery (prevents others from locking you out of iCloud).

Some:

  1. Change bank email addresses to a separate account. I chose Proton.me since it is free and has an app with a passcode.
  2. Enable Screen Time and disable password changes and account changes. Add a PIN.
  3. Write an app to block access to other apps on demand.

No need to apologize. Asking and answering each other’s questions is a big part of this place.

Asking and answering questions is great, but I think this one has run its course.