Secure Apple ID Against iPhone Theft

After acquiring my first iPhone, I stumbled across a video on YouTube by the WSJ^[1] about how thieves are steeling peoples iPhones and, with just the victim's passcode, completely and permanently locking victims out of their Apple account (also detailed in another video^[2] by the WSJ)

Both videos^[1][2], as well as a video by Techlore^[3] made (at least seemingly) in response to the WSJ's reporting, provide some guidance on what you can do to help protect yourself against something like his happening

In this blog post of mine, I'm really just gonna be outlining in a readable format, what was suggested by both the WSJ^[1][2] and Techlore ^[3] on what can be done to help protect against something like this happening to you if your iPhone does get stolen

Use a Privacy Screen Protector

This one's kind of a low hanging fruit, but something as simple as using a privacy screen protector can help, simply because one won't be able to see what is on your screen if viewing your device from the side

I got myself this one off of Amazon, which seems to be a somewhat popular brand of screen protectors for iPhone (they have both normal and privacy screen protectors for iPhone form at least the XR up to the 15 series)

Use Longer, More Complex Passcodes

Using a complex passcode goes a long way, especially if it's an alpha-numeric passcode (where both numbers and letters are used)

Something like [111111] or [123456] is pretty easy to guess, but having a passcode like [727873], or even better, something like [I 4m 7h3 m057 1337 h4x0r 3v3r!] will improve the security of your device

And if typing out something like the alpha-numeric passcode I made up above every time you want to unlock your phone seems like a gigantic pain in the rear, you always have the option to

Use Biometric Unlock Options

Setting up either Face ID (on iPhone X and newer) or Touch ID (on iPhone 5-8, and iPhone SE (up to at least Gen II)), in combination with a strong passcode, will secure your device even further

With biometric unlocking, i.e. via Face ID, you won't need to enter your passcode every time you want to unlock your device, so you won't be inconvenienced by having a strong passcode, and the more you use it, the less likely a potential thief will be able to discover your iPhone's passcode

Create a Recovery Key

One of the things the aforementioned videos ^[1][2] thieves do is they create a recovery key for your Apple ID, which prevents you from using other account recovery options, and Apple from being able to do anything to help you per their own guidelines

So with that in mind, I STRONGLY recommend creating one yourself as soon as possible, even without concern for this type of thing happening, and storing it in someplace safe THAT IS NOT ON YOUR IPHONE

Plus, as explained in the Techlore video ^[3], this is a required step for enabling iCloud Advance Data Protection anyways, so if that's something that you have an interest in doing at some point, you'll already be ahead of the game there

To do this:

Open [Settings]
Tap on your Apple ID at the top of the Settings app
Tap [Sign-In & Security]
Tap [Account Recovery]
Tap [Recovery Key]
Enable [Recovery Key]

It will then display a recovery key, which you'll want to jot down, as the next screen will have you input it

Remember to store it somewhere safe, and off of your iPhone, lest you may be screwed in the future

Here's the link to Apple's support page regarding setting up a recovery key, should you wish to view it

Use Screen Time to Prevent Changing Your Passcode or Apple ID Password

As outlined in Techlore's video ^[3], and mentioned in one of WSJ's videos about this attack ^[2], you can make use of the Screen Time feature of the iPhone to lockdown the ability to change the device's passcode, as well as your Apple ID's password

To do this:

Open [Settings]
Tap [Screen Time]
Tap [Content & Privacy Restrictions]
Enable [Content & Privacy Restrictions]
Tap [Passcode Changes]
Tap [Don't Allow]
Tap [< Back]
Tap [Account Changes]
Tap [Don't Allow]
Go back to the [Screen Time] section
Tap [Change Screen Time Passcode]

From there, it will have you set a four (4) digit passcode which will be required to make any changes to anything under [Content & Privacy Restrictions]

When you are creating this passcode, be sure that you DO NOT MAKE IT THE SAME OR SIMILAR TO YOUR DEVICE'S PASSCODE

Use a Password Manager Other than iCloud Keychain

First off, if you're using a password manager, congratulations!

However, if you're using one properly, and that one is the one built into iCloud Keychain, then if you are locked out of your Apple ID, you're kinda screwed

What I would suggest, as well as what Techlore suggested ^[3], is to use a separate password manager

My personal recommendation would be Bitwarden

The Bitwarden app in iPhone can be used as your default autofill service, and can be unlocked via biometric, so you won't have to type in you (STRONG) master password every time you wish to access it

As a plus, if you have Face ID unlock for Bitwarden turned on, it will mandate the vault's master password to unlock it if Face ID can't unlock it (y'know, like, if someone steals your iPhone)

Wrapping Up

That's about all I've got for this one folks

Some other things that were mentioned between the three videos ^[1][2][3] were things like

Using separate passcodes for sensitive apps (i.e. banking apps) when able, that are different and unrelated to your device's
Not storing photos of sensitive documents (i.e. driver's license, tax documents) on your mobile device
Not storing banking passwords a password manager (I do see this as a major plus for overall security, however I personally find it to be too big of a hit to convenience, so you do you on this one)

Sources

CC BY-SA 4.0

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License