One of the key features added in the iOS 17.3 beta is Stolen Device Protection. This is a thoughtful and creative solution to balancing out the need for protecting iPhone users without stopping them do the things they want to do with their devices.
What I love about Apple’s solution here is that someone has clearly put a lot of thought into that balancing act …
The problem Apple needed to solve
Apple has long been at the cutting edge of security and privacy features designed to protect both our devices and our data. To me, it’s one of the key strengths of iPhone over Android.
But there are occasions in which Apple’s security measures can backfire. One of those was when a thief used a tactic to obtain your passcode before stealing your phone.
Some of the headlines on this were rather hyperbolic, but the problem was real. A thief would find some pretext to borrow your phone – like offering to take a photo of you and your friends in a bar – and would switch off Face ID afterwards. (Thanks to another Apple security feature, that’s as easy as holding the power and volume-up buttons for a couple of seconds, to bring up the power-off and emergency screen, and then tapping cancel.) They or an accomplice would then observe you entering your passcode when you went to view the photo, and later steal your phone.
Once this was done, they could completely lock you out of your Apple account.
Apple offers two ways back into your Apple account if you’ve lost your password. The first is some rather impenetrable way of persuading the company you are who you say you are. All reports point to this being a painful, time-consuming, lottery process – where you might get lucky, and you might not.
The Recovery Key is the second method. Using this, you can reliably get back in straight away – but that is then the only proof the company will accept. No recovery key, no access, period.
So, if a thief watches you enter your passcode, then steals your phone, they can flick the Recovery Key option on (Settings > Your name > Password & Security > Account Recovery > Recovery Key), and you are then completely locked out of your own Apple account.
How Stolen Device Protection works
What Stolen Device Protection does is apply additional protections when you are vulnerable to this tactic – that is, when you are in a public place, rather than in a location iOS knows to be your home or workplace.
You have to choose to enable the feature. When enabled, two things happen.
First, Apple no longer lets you use the device passcode to do sensitive things, like accessing saved passwords. Instead, you must use Face ID or Touch ID for this.
Second, the most sensitive actions require biometric unlock and apply a one-hour delay.
For actions like changing your Apple ID password, updating Apple ID security settings, changing passcode or Touch/Face ID settings, and turning off Find My or Stolen Device protection, the one-hour security delay will come into play away from familiar locations. That means a second biometric authentication will be required after that delay.
So if you want to change your Apple ID password on your iPhone 15 while away from your known locations, first you have to use Face ID to make the request. Second, your iPhone will wait an hour and then ask you to use Face ID again to confirm it.
This is a thoughtful, creative solution
What I love about this is that it effectively completely solves the problem, with minimum inconvenience to iPhone owners.
It solves the problem because the combination of forcing biometrics and a one-hour delay makes the bar theft tactic essentially impossible.
But at the same time, it’s unlikely to affect genuine iPhone owners. It’s never a good idea to do something uber-sensitive like changing your Apple ID password in a public place. We’d almost always do that at home. And if for some reason we do want to do it in a bar, waiting an hour isn’t too burdensome.
Maximum protection, minimum hassle.
Activation Lock next, please
Now that Apple has demonstrated its ability to apply some creative thinking to this type of problem, I’d love to see it do the same thing for Activation Lock.
That’s another great security feature on Apple’s part. Overnight, the company made Apple devices significantly less appealing to thieves by denying them the ability to sell a stolen device as a working unit. With Activation Lock enabled, a device can only be sold for parts – a much smaller market.
But, as with other security features, there can be unintended consequences. One of those is consigning many used Apple devices to landfill, and even preventing the re-use of parts.
Top comment by skatsbrayt
Activation Lock works fine and as intended. Leave it alone!
As an owner, if I send in my device for the sole purpose of part recycling/proper disposal, then that’s exactly what I want to happen. If I want to resell it, then I’ll remove my activation lock before I pass it on. These recycling companies are ALREADY PAID to scrub data and recycle/dispose parts of the devices they get. Why should Apple fix something that’s not broken just because they want to earn off these disposed units???
One Apple reseller came up with a potential solution to this:
“When we come upon a locked machine that was legally acquired, we should be able to log into our Apple account, enter the serial and any given information, then click a button and submit the machine to Apple for unlocking,” he said. “Then Apple could explore its records, query the original owner if it wants, but then at the end of the day if there are no red flags and the original owner does not protest within 30 days, the device should be auto-unlocked.”
We proposed an enhanced version of this, which would actually improve theft protection.
Apple would need to be able to submit the serial numbers to law enforcement and insurance companies, to ensure they are not registered as stolen. But those database checks could easily be automated, and there would be an audit trail by requiring resellers to register for access to the service.
This could even assist law enforcement, in that the exchange of serial numbers could be two-way. If the devices are not listed as stolen at the time the check is carried out, the serial numbers could be added to a separate database that would enable them to be tracked down if subsequently reported stolen.
Some 80% of you supported this at the time – but if Apple doesn’t like that solution, the company has proven it can come up with creative ideas of its own. Tim, please put this one on the desk of the Stolen Device Protection team.
Photo: Jaime Marrero/Unsplash
FTC: We use income earning auto affiliate links. More.
Comments