Better Securing Your Data, and Apple Account
This user tip describes how to increase the security of your data stored at Apple, and how to increase the security of your Apple Account (Apple ID).
🗝️ First, establish baseline security:
- Enable two-factor authentication on your Apple Account. Go enable this now. Two-factor authentication makes it more difficult for miscreants to gain access to your Apple Account. Depending on the Apple Account security questions is Not Sufficient.
- Do not re-use passwords. Server breaches are a thing. (Here is a list of exposed passwords.) This re-use is approximately time-released doom. Sooner or later, one password use will be exposed, and the ubiquitous and automated credential-stuffing attacks become effective. If you are re-using passwords, go fix that right now.
- Review security issues shown by Apple Security Recommendations too, and resolve as needed.
- Use a longer device passcode or switch to a password. Eight or ten characters, or longer. To ease the use of a longer passcode or password, enable biometrics: Face ID or Touch ID. This means not having to enter that longer and more secure passcode or password as often. Physical access and watching a passcode being entered is enough to allow take-over of an Apple Account, if Stolen Device Protection is not enabled.
Enable Stolen Device Protection on iPhone:
🔑 Second, establish or verify your account recovery processes.
Ensure your trusted devices are all recognized, and that your trusted telephone numbers are correct and current.
- Check your Apple Account device list to find where you’re signed in - Apple Support
- Add or remove trusted phone numbers on Mac - Apple Support
To verify settings particularly around location sharing, consider running Safety Check:
🛟 Third, to provide a means to recover access after access issues, consider adding a recovery contact and a legacy contact, and reviewing whether any existing recovery or legacy contacts are still appropriate:
- Set up an account recovery contact - Apple Support
- How to add a Legacy Contact for your Apple ID - Apple Support
If you (unwisely) do not have two-factor authentication enabled, establish a rescue email address:
🚫 Fourth, take steps to reduce exposure to fraud.
Disable automatic reception of Apple Cash payments. This is a fairly common scam, where the sender uses a stolen payment card to send a fraudulent payment to an unsuspecting Apple Cash user, then requests (or demands) its (usually partial) return. The fraudulent payment eventually gets clawed back by the payment provider, so you're not going to get that money, and you'll lose whatever of your money you send to the scammer.
In the Wallet app, tap your Apple Cash card. Tap the More button, then tap Card Details. Select Manually Accept Payments.
For most folks, you're done! The security you now have is good enough. For those that need more advanced security, including folks with larger risks, what follows are additional steps to consider.
🔐 With the baseline security established and verified, you can consider upgrading your data security. This can include making access to your data by those with network access, and even by Apple themselves, far more difficult, whatever the reason for that attempted access.
In particular, enabling Advanced Data Protection for iCloud reduces which parts of your data Apple themselves can access:
To enable Advanced Data Protection, you’ll also need two-factor authentication enabled on your Apple Account. Which you should already have enabled, if you’ve read this far.
While Advanced Data Protection covers many common services, due to the way these specific network services inherently work, end-to-end encryption doesn’t cover iCloud Mail, Contacts, and Calendar services.
Advanced Data Protection requires iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, or later, and the latest version of iCloud for Windows.
📲 To prevent a SIM from being swapped out of a lost or stolen device and then used to gain access to a trusted telephone number, convert your SIM to eSIM:
Adding a SIM PIN is another option if keeping the SIM is necessary, but recognize you’ll need to input that PIN on every power-up:
👀 Enable and then review what data your installed apps are accessing, as well:
☎️ Hardware security can be a factor worth considering for some people. Pragmatically, any Apple devices that can’t run at least iOS 17 or iPadOS 17 can have other issues with device security. In particular, older Apple silicon processors and related hardware can have (or do have) (insurmountable) security vulnerabilities, and these vulnerabilities can allow users with physical access to access the device and its contents.
If unauthorized physical access to the device is a concern, avoid Apple devices with the A13 processor and earlier when your data security and account security are paramount.
🦟 While remotely-loaded iPhone and iPad exploits and malware are quite rare and targeted and expensive based on available reports, such exploits are possible. For those that might potentially be targeted by these exceedingly rare and expensive security exploits, consider enabling Lockdown Mode:
✉️ Other potential security considerations: if you’re using a mail provider other than Apple¹, that provider will usually have access to their own infrastructure, and thus can potentially access your mail and request that your Apple Account password be reset. This password reset path (an Apple Account takeover path) can be blocked by enabling either a Recovery Key or hardware Security Keys on the Apple Account.
- Set up a recovery key for your Apple Account - Apple Support
- About Security Keys for Apple Account - Apple Support
🚫 If you either enable a Recovery Key or switch to hardware security keys, you must not lose these keys. Key loss renders the Apple Account inaccessible if the password is ever forgotten. Apple will not (cannot) reset those forgotten passwords.
〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️〰️
¹ While self-hosting of mail services is possible, that path usually entails large deliveries of time, money, focus, patience, and effort.