
Secure your iPhone or iPad against passcode hijacking

Last modified: Apr 25, 2024 3:15 AM

How to secure your iPhone or iPad against “passcode hijacking”


The iPhone and iPad are probably the most secure portable devices available, but if a thief or miscreant learns your iPhone or iPad passcode (for example by looking over your shoulder) and then manages to steal your device, they have access to everything on it that the passcode unlocks:

  • Can read the keychain, with all the passwords you chose to store there
  • Can change the Apple ID password without knowing the old one (that is the new feature!)
  • Can read your contacts and mail
  • Can set a Recovery Key and lock you out of your account and photos forever


There are precautions you can take before any theft takes place.


First Tier of protection. The most powerful tier!


  • Do not store your Apple ID password in the keychain; choose a complex but memorable one, such as "ItrustApple100%".
  • Do the same for important passwords such as banking, PayPal and third-party email accounts.
  • Most importantly, use Face ID or Touch ID instead of the passcode to unlock the device. This mitigates the risk of someone learning your passcode by watching you enter it.
  • If you have a physical SIM card, set up a SIM PIN in Cellular/Mobile settings.
  • Consider setting an account Recovery Key.



Second tier: Stolen Device Protection (SDP)

(iOS 17.3 and later, on iPhone XR and newer with Face ID or Touch ID enabled; currently not available on iPad.)


Stolen Device Protection can be turned on or off in Settings, Face ID & Passcode (or Settings, Touch ID & Passcode on iPhone SE 2 or 3).


When Stolen Device Protection is on, Face ID or Touch ID is needed, away from your familiar places, to make many security changes that could compromise your account.


When at a familiar place (home, work), only the passcode is required and there is no delay.

From iOS 17.4 onwards, the relaxation of Stolen Device Protection in “familiar locations” can be overridden in Settings to enforce SDP “Always”.

However, you will then need biometrics and a 1 hour delay to turn it back; failure in either would require the phone to be restored in recovery mode!!

The iPhone learns your familiar locations from Significant Locations, so on a recently reset or newly set up phone you may find that you are restricted in familiar locations too, until the device has established your significant locations.

NB Turning off or clearing Significant Locations (Privacy and Security, Location Services, System Services) will erase the learned Familiar Locations.


In unfamiliar places:

BIOMETRICS ARE REQUIRED TO:

  • Access iCloud Keychain passwords
  • Apply for a new Apple Card
  • Erase all content and settings
  • Reset all settings
  • Turn off Lost Mode
  • Send people money with Apple Cash
  • Use your iPhone to set up a new device
  • Use payment methods saved in Safari


BIOMETRICS + AN HOUR WAIT ARE REQUIRED TO:

  • Change your Apple ID password
  • Enable Recovery Key
  • Change trusted phone number or contact
  • Add Face ID or Touch ID
  • Remove Face ID or Touch ID
  • Disable Find My
  • Turn off Stolen Device Protection

You will need to act very soon after the hour is up, as the time window is limited. Set a timer for 61 minutes!

If you have another device, such as an iPad (where Stolen Device Protection is not, at least yet, available), you can still perform Apple ID account-related functions without hindrance.


If you don’t or can’t use biometrics you can’t use Stolen Device Protection.


Before restoring your phone to factory settings, you are advised to:

  1. Turn off Stolen Device Protection
  2. Turn off Find My


About Stolen Device Protection for iPhone - Apple Support


If you don't use biometrics, or you have an iPad you carry around, or an older iPhone, you can still restrict account and passcode changes.


To limit what a thief can do inside your phone if they know your passcode, you can use Screen Time to block account and passcode changes, in the same way you might restrict a child. The key is to use a different passcode from your device passcode and to assign someone else’s Apple ID to it.


  1. Go to Settings, Screen Time
  2. Turn it on
  3. Go to Use Screen Time Passcode
  4. Select a passcode that is not the same as your phone passcode. Remember it!!!
  5. When asked for your Apple ID and password, use someone else's Apple ID, such as your partner’s
  6. Go to Content & Privacy Restrictions and turn that on
  7. Go to Passcode Changes and enter your Screen Time passcode
  8. Change to Don't Allow
  9. Go to Account Changes
  10. Change to Don't Allow
  11. Go back to the first screen in Settings; after a moment or two your account name at the top should be greyed out (wait a moment)


Without that Screen Time passcode nobody can see your Apple ID, make any changes to the password, or set a Recovery Key, which is the ultimate lock-out.


NB This level of protection does not protect your passwords in Settings, but you can use it in addition to SDP on newer phones.


The above protections give you time to put your phone into Lost Mode.

Learn how to use the Find My app and safeguard the phone while you have time:


Find My - Official Apple Support 

Then look at this article.

If your iPhone, iPad or iPod touch is lost or stolen – Apple Support


Footnote: Selling or giving away your protected iPhone

If you want to prepare your iPhone for sale or return to a lease company, you should remove Stolen Device Protection and any Screen Time restrictions before turning off Find My. This may entail the delay period.

Using any other method to remove the iPhone from your account may lead to a 28 day delay before the iPhone can be used by the recipient.



Comments

Jun 14, 2023 10:45 AM

Nice work. A few minor comments:


Re: “… (that is the new feature!) …” Not sure how “new” this feature really is/was. I noticed it quite a while back and suspect that it applied through all of iOS 15. Regardless, IMO its “newness” or “oldness” is irrelevant to your message.


Would add why Face/TouchID is more secure … (greatly reduced opportunity to “observe” passcode entries)


Might include the need to be “smart about one’s surroundings” when manually entering a passcode OR when unlocking an iPhone in-general.




Jun 14, 2023 11:52 AM

  • Can change Apple ID password without knowing the old one (that is the new feature!)


This is being claimed by the press as a huge security risk. In reality it is a very infrequent problem, and far from being a new function. When it was introduced has no relevance to the purported problem (I can remember changing a password by this route several years ago).


The simple fact is that in most cases there is no need to risk shoulder surfing at a checkout. The majority of users should have configured either Touch ID or Face ID which will provide secure and hack resistant authentication on the overwhelming majority of occasions when a device is used for e-Payment. On the few occasions when the device passcode needs to be entered in a public place it should be a simple matter to take extra care and protect the entry, no more difficult than protecting the PIN at the ATM.


Jun 14, 2023 12:44 PM

@Branta-UK,


Rules of risk mitigation: any competent risk manager knows that you take the quantified probability and multiply it by the likely quantified damage. Where the damage is terminal (death, life-changing injury, or in this case loss of all iCloud assets), the mitigation must be to make the probability ZERO.


Jan 22, 2024 12:52 PM

In Stage 2, Step 5 ... what is the purpose of "When asked for your apple ID and password, use someone else's Apple ID like your partner’s?"


If one has disallowed Account Changes and implemented a Screen Time Password, why is this necessary or recommended?


Are there any other (possibly unforeseen) effects of using someone else's Apple ID & p/w here?



Jan 22, 2024 1:02 PM

The reason for using someone else's Apple ID is that the thief may know or work out your ID and try to use it to reset the Screen Time passcode.

It’s just another blockage to frustrate and delay the would-be hacker. Not strictly necessary.

Not everyone can run iOS 17.3.

Unforeseen effect is if they divorce you and change their password, in which case you DFU the phone.


Jan 27, 2024 3:48 PM

FYI regarding Stage 1 - setting a SIM PIN -


If you set a SIM PIN, whenever you power off/power on your iPhone you will be required to enter your SIM PIN before you can enter your passcode to unlock your iPhone. (It's 3 strikes & you're out when it comes to entering your SIM PIN, so it's something to be aware of & careful about.)


Jan 28, 2024 3:08 AM

MartinR - true.

If you lose your house keys you may have to call a locksmith, but that is not a reason to leave your house door unlocked 😊
