New iPhone Tweak Cures Shoulder Surfing Nightmare

Our long national iPhone security nightmare is almost over

  • If a thief learns your iPhone passcode, they can lock you out of your Apple ID. 
  • You will lose access to Find My, your photo library, and everything else. 
  • iOS 17.3's Stolen Device Protection fixes all that with a few clever design tweaks.
[Image: Someone watching over a shoulder as a person uses their cellphone. Caption: Shoulder-Surfing. Credit: iryouchin / Getty Images]

Stolen Device Protection closes one of the biggest iPhone security holes—shoulder-surfing people's passcodes. 

We might think of our iPhone's unlock code as little more than a barrier to stop people looking through our photos and messages, but in truth, once somebody has that simple code, they can wreak utter havoc in your life, emptying your bank accounts, accessing your email, and changing your Apple ID password, which will lock you out of all your Apple services. But with a few clever tweaks, Apple is about to fix that entirely.

"Stolen Device Protection is a great initiative towards protecting access to sensitive features, such as Apple ID, Wallet, and iCloud Keychain. The extra step of repeating biometric authentication before performing secure actions prevents a thief with knowledge of the iPhone's passcode from performing the most critical actions for fully compromising a user's iPhone and Apple ID account. It is not overly intrusive either, as a user will likely not need to perform these actions on a regular basis," security consultant Stephen Bondurich told Lifewire via email.

Stolen Device

Last year, The Wall Street Journal's Joanna Stern and Nicole Nguyen investigated a huge security flaw in iOS devices. Here's the problem: If a thief has your iPhone's unlock code, aka your device passcode, they can use it to reset your Apple ID password. Because your iPhone is considered to be a trusted device, Apple assumes that it is you who is using it.

But once your Apple ID password has been changed, a thief can switch off Find My, which will stop you from finding or erasing your phone remotely. 

After that, they are effectively you. The thief can access your iCloud keychain, and they can access your email, which means that they can change the password for your bank accounts and anything else. You will also be locked out of your own iCloud account, so you will lose access to everything, from your purchased apps to anything saved in iCloud and your entire photo library. 

Stolen Device Protection

Already available in the iOS 17.3 beta, and coming to your iPhone very soon, is the answer: Stolen Device Protection. This is an ingenious fix that tweaks the way a few settings work and fixes everything. It works like this:

If you want to change your Apple ID password, then you now have to use biometric authentication, either Face ID or Touch ID. This means that only you can change it. But what if the thief forces you to show your face to your iPhone? That's where the second tweak comes in. Even after biometric authentication, there's a one-hour delay before the password actually changes, and even then, it requires a second Face ID (or Touch ID) scan, after that hour, to confirm the change. 

[Image: Someone stealing a smartphone out of another person's bag. Caption: Phone Thief. Credit: Hispanolistic / Getty Images]

"This solution is quite innovative. It addresses a critical vulnerability—shoulder-surfing—effectively," Eugene Klimaszewski, president of security installation company Mammoth Security, told Lifewire via email. "It considerably lowers the chance of unwanted access by limiting password changes to reliable places and including a time delay. An additional degree of protection is added by biometric authentication, which guarantees that only the authorized owner can make important modifications." 

This completely eliminates the possibility of a thief resetting your Apple ID, with minimum inconvenience to you, the user. You can even choose trusted locations, where you can change the password without the delay. 
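To make the design concrete, here is a small Python model of the policy described above: a sensitive change (such as resetting the Apple ID password) is only accepted with a biometric credential, never with the device passcode alone; outside a trusted location it enters a one-hour security delay and must be confirmed with a second biometric check after that hour; inside a trusted location it applies immediately. This is an added illustration, not Apple's code, and the names, the `Credential` enum, the result strings, and the `"home"`/`"cafe"` locations are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum, auto

# The delay length the article describes (one hour).
SECURITY_DELAY = timedelta(hours=1)


class Credential(Enum):
    """How the user authenticated for this step (hypothetical names)."""
    PASSCODE = auto()   # device unlock code, which a shoulder-surfer may know
    BIOMETRIC = auto()  # Face ID / Touch ID


@dataclass
class Device:
    """Per-device state: trusted locations plus pending delayed changes."""
    trusted_locations: set[str]
    # action name -> time the delay started
    pending: dict[str, datetime] = field(default_factory=dict)


def request_sensitive_change(device: Device, action: str,
                             credential: Credential, location: str,
                             now: datetime) -> str:
    """Step 1: the user asks to perform a protected action.

    Returns one of 'denied', 'applied', or 'pending' (constructed result codes).
    """
    # The passcode is never sufficient, even though the phone is unlocked.
    if credential is not Credential.BIOMETRIC:
        return "denied"
    # Trusted locations skip the delay entirely.
    if location in device.trusted_locations:
        return "applied"
    # Elsewhere, start the security delay; nothing changes yet.
    device.pending[action] = now
    return "pending"


def confirm_sensitive_change(device: Device, action: str,
                             credential: Credential, now: datetime) -> str:
    """Step 2: after the delay, a second biometric check finalizes the change.

    Returns 'denied', 'wait', or 'applied'.
    """
    if credential is not Credential.BIOMETRIC:
        return "denied"
    started = device.pending.get(action)
    if started is None:
        return "denied"          # nothing was requested, or already consumed
    if now - started < SECURITY_DELAY:
        return "wait"            # delay has not elapsed; keep the request pending
    del device.pending[action]   # one confirmation per request
    return "applied"


def walkthrough() -> list[str]:
    """Replays the thief-with-passcode scenario against the model (constructed data)."""
    device = Device(trusted_locations={"home"})
    t0 = datetime(2024, 1, 1, 12, 0)
    action = "reset_apple_id_password"
    return [
        # Thief knows the passcode and tries in a cafe: refused outright.
        request_sensitive_change(device, action, Credential.PASSCODE, "cafe", t0),
        # Owner (or coerced owner) passes Face ID in the cafe: delay starts.
        request_sensitive_change(device, action, Credential.BIOMETRIC, "cafe", t0),
        # Thirty minutes later, even Face ID cannot finish it.
        confirm_sensitive_change(device, action, Credential.BIOMETRIC, t0 + timedelta(minutes=30)),
        # After the hour, the passcode still does not count.
        confirm_sensitive_change(device, action, Credential.PASSCODE, t0 + timedelta(minutes=61)),
        # After the hour with a second Face ID scan, the change goes through.
        confirm_sensitive_change(device, action, Credential.BIOMETRIC, t0 + timedelta(minutes=61)),
        # A second confirmation has nothing pending to act on.
        confirm_sensitive_change(device, action, Credential.BIOMETRIC, t0 + timedelta(minutes=62)),
        # At home (a trusted location) the change applies with no delay.
        request_sensitive_change(device, action, Credential.BIOMETRIC, "home", t0),
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The point the model makes explicit is that the passcode is simply not an accepted credential for these actions, and that a single coerced Face ID scan only starts a clock rather than completing the change.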

Stolen Device Protection also requires your Face ID to unlock your saved passwords. 

This looks like a fantastic step up in device security, and typically, Apple has managed to do it in a very clever, but seemingly very simple way. But you should still make sure you have a good, long device passcode, because there's still a lot thieves can do with an unlocked phone, including accessing your email, making purchases with Apple Pay, and more. 

[Image: Someone using biometrics on a smartphone. Caption: Biometrics. Credit: Prostock-Studio / Getty Images]

"Even with Stolen Device Protection on, a thief with knowledge of the passcode can access an iPhone's Messages, Notes, Photos, and social media apps, which all contain private and personal information," says Bondurich. 

And of course, general phone and computer security goes further than that. 

"Phone safety isn't just about passcodes. Regular software updates, cautious app downloads, and being aware of phishing attempts are essential practices. Additionally, users should consider utilizing two-factor authentication wherever available, as it provides an additional security barrier," says Klimaszewski.

But for pretty much anyone, this shuts down one very nasty security hole and might mean the difference between losing your entire digital life, and just losing your phone.
