New iPhone tweak solves shoulder surfing nightmare

  • If a thief knows your iPhone passcode, they can use it to reset your Apple ID password.
  • From there you lose Find My, your photo library, and everything else tied to your account.
  • Stolen Device Protection in iOS 17.3 closes that hole with a few clever design tweaks.

Stolen Device Protection closes one of the iPhone's biggest security holes - a passcode seen over your shoulder.

We might think of our iPhone passcode as nothing more than a roadblock to stop people from seeing our photos and messages, but the reality is that once someone has this short code, they can wreak havoc on your life: empty your bank account, get into your email, and change your Apple ID password, which locks you out of every Apple service. With some clever tweaks, Apple is about to close this hole.

"Stolen Device Protection is a great initiative designed to protect access to sensitive features like Apple ID, Wallet, and iCloud Keychain. Repeating the extra step of biometric authentication before performing security operations can deter thieves who know your iPhone passcode. Performing most critical actions that completely compromise a user's iPhone and Apple ID account would also not be overly intrusive, as the user may not need to perform these actions on a regular basis," security consultant Stephen Bondurich told Lifewire via email.

Last year, The Wall Street Journal's Joanna Stern and Nicole Nguyen investigated a huge security flaw in iOS devices. Here's the problem: if a thief has your iPhone's unlock code (also known as your device passcode), they can use it to reset your Apple ID password. Because your iPhone is a trusted device, Apple assumes that whoever holds it and knows the passcode is you.

Once your Apple ID password is changed, the thief can turn off Find My, so you can no longer locate the phone or wipe it remotely.

After that, they're effectively you. They have your iCloud Keychain and your email, which means they can reset the passwords for your bank accounts and just about anything else. And you're locked out of your own iCloud account, losing everything from purchased apps to anything saved in iCloud, including your entire photo library.

The answer is already in the iOS 17.3 beta and coming to your iPhone soon: Stolen Device Protection. It's a neat fix that changes how a few security-sensitive settings work. Here's how:

If you want to change your Apple ID password, you now have to use biometric authentication, Face ID or Touch ID, with no passcode fallback. Knowing the passcode is no longer enough. But what if a thief forces you to show your face to your iPhone? This is where the second tweak comes in: the security delay. Even after biometric authentication, there's an hour's delay before the password is actually changed, and at the end of that hour a second Face ID (or Touch ID) scan is required to confirm the change.

"This solution is very innovative. It effectively addresses a critical vulnerability - shoulder surfing," Eugene Klimaszewski, president of security installation company Mammoth Security, told Lifewire via email. "It greatly reduces the chance of unwanted access by limiting password changes to reliable places and including a time delay. An additional level of protection is added through biometric authentication, which guarantees that only authorized owners can make important modifications."

This makes it far harder for a thief to reset your Apple ID while keeping the inconvenience to you to a minimum. The delay only applies away from familiar locations such as home or work, which the iPhone learns automatically; in those places a single Face ID or Touch ID check lets you change your password straight away.

Stolen Device Protection also requires Face ID or Touch ID to unlock the passwords saved in your iCloud Keychain.
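To make the rules from the last few paragraphs concrete (biometric only with no passcode fallback, a one-hour delay followed by a second biometric check, no delay at a familiar location, and biometric-only access to saved passwords), here is a small policy model in Python. It is an added example written for this page, not Apple's code: the action names, the split between delayed and biometric-only actions, and the `familiar_location` flag are illustrative assumptions that cover only the actions the article mentions, not Apple's full list.

```python
"""Toy model of the Stolen Device Protection policy described above.

Added example, not Apple's code. Action names and the split between
delayed and biometric-only actions are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto

SECURITY_DELAY_SECONDS = 60 * 60  # one hour, as the article describes


class Factor(Enum):
    PASSCODE = auto()
    BIOMETRIC = auto()  # Face ID or Touch ID


class Outcome(Enum):
    DENIED = auto()         # the offered factor is not accepted for this action
    DELAY_STARTED = auto()  # first biometric passed, the hour-long timer is running
    WAIT = auto()           # timer still running, try again later
    APPLIED = auto()        # change carried out


# Assumed action split: the article names the Apple ID password and Find My
# (delayed) and saved Keychain passwords (biometric only).
DELAYED_ACTIONS = frozenset({"change_apple_id_password", "turn_off_find_my"})
BIOMETRIC_ONLY_ACTIONS = frozenset({"view_saved_passwords"})


@dataclass
class StolenDeviceProtection:
    enabled: bool = True
    # action -> time at which the second biometric check may be attempted
    pending: dict = field(default_factory=dict)

    def request(self, action: str, factor: Factor, now: float,
                familiar_location: bool = False) -> Outcome:
        protected = action in DELAYED_ACTIONS or action in BIOMETRIC_ONLY_ACTIONS
        if not self.enabled or not protected:
            # Pre-17.3 behaviour (or an unprotected action): either factor works.
            # This is exactly the hole a shoulder-surfed passcode exploits.
            return Outcome.APPLIED
        if factor is not Factor.BIOMETRIC:
            # No passcode fallback: the passcode alone never satisfies a protected action.
            return Outcome.DENIED
        if action in BIOMETRIC_ONLY_ACTIONS or familiar_location:
            # Keychain-style actions, and any action at a familiar location,
            # need only the single biometric check that has already passed.
            return Outcome.APPLIED
        ready_at = self.pending.get(action)
        if ready_at is None:
            # First biometric check away from home: start the security delay.
            self.pending[action] = now + SECURITY_DELAY_SECONDS
            return Outcome.DELAY_STARTED
        if now < ready_at:
            return Outcome.WAIT
        # Delay has elapsed and this call is the second biometric check.
        del self.pending[action]
        return Outcome.APPLIED


def thief_resets_apple_id(enabled: bool) -> Outcome:
    """The Wall Street Journal scenario: the thief knows only the passcode."""
    sdp = StolenDeviceProtection(enabled=enabled)
    return sdp.request("change_apple_id_password", Factor.PASSCODE, now=0)


def owner_resets_apple_id(familiar_location: bool) -> list:
    """Owner with Face ID tries at t=0, t=30 min and t=60 min (constructed times)."""
    sdp = StolenDeviceProtection()
    return [sdp.request("change_apple_id_password", Factor.BIOMETRIC, now=t,
                        familiar_location=familiar_location)
            for t in (0, 1800, 3600)]


if __name__ == "__main__":
    print("thief, protection on :", thief_resets_apple_id(True).name)
    print("thief, protection off:", thief_resets_apple_id(False).name)
    print("owner away from home :", [o.name for o in owner_resets_apple_id(False)])
    print("owner at home        :", [o.name for o in owner_resets_apple_id(True)])
```

The point of the model is the ordering of the checks: the factor test comes before anything else, so a known passcode is rejected for every protected action regardless of location or timing, and the delay timer only starts once a real biometric has already passed. Note what the model does not cover, which the article also flags: the thief still has the unlocked phone and everything outside the protected list.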

This looks like a fantastic advance in device security, and as usual Apple does it in a clever yet deceptively simple way. It is opt-in, though: once it ships, turn it on under Settings > Face ID & Passcode > Stolen Device Protection. And you should still use a good, long device passcode and shield it when you type it in public, because a thief can still do a lot with an unlocked phone, including read your email, make purchases with Apple Pay, and more.

"Even with Stolen Device Protection turned on, a thief who knows the passcode can access the iPhone's Messages, Notes, Photos and social media apps, which all contain private information," Bondurich said.

Of course, there's much more to phone and computer security in general than that.

"Mobile security is about more than just passwords. Regular software updates, cautious app downloads, and being wary of phishing attempts are all basic practices. Additionally, users should consider using two-factor authentication whenever possible, as it provides an extra layer of security," Klimaszewski said.

But for almost anyone, this closes a serious security flaw and could mean the difference between losing your entire digital life and just losing your phone.