If my iPhone and passcode is compromised can an attacker get into my iCloud account without my security key simply because they have a trusted device?
If so what additional steps might help prefer that? Sending two factor codes to a different phone number not accessible from my iPhone?
iPhone 14 Pro
Hello,
If this occurred and you took no steps to prevent further intrusions it would be very easy for someone with your stolen iPhone and its passcode to access your iCloud data. This is especially true if you already had your Apple ID authenticated in the iPhone and iCloud features enabled.
Since this sounds hypothetical I want to start with a prevention link.
Security and your Apple ID - Apple Support
If your iPhone, iPad, or iPod touch is lost or stolen - Apple Support
Step Two: "Mark as Lost
When you mark your device as lost, you remotely lock it with a passcode, keeping your information secure. This also disables Apple Pay on the missing device. And you can display a custom message with your contact information on the missing device.
If you did not have Find My set up this link is more helpful.
If Find My iPhone or Find My iPad isn't enabled on your missing device - Apple Support
Step One: "Change your Apple ID password
If you use more than one Apple ID, you should change the password for each Apple ID that you have.
Change your Apple ID password."
Step Five: "Remove your missing device from your list of trusted devices
Go to appleid.apple.com to remove the missing device from your list of trusted devices"
If you think your Apple ID has been compromised - Apple Support
I hope this is helpful.
Agreed. Not using a passcode is ideal. But sometimes it is necessary when doing some activities, when I’ve got a mask on etc.
I was hopeful that the introduction of yubikey would mean that I could prevent the passcode from being the key to the kingdom and or prevent the iPhone from being the key to entering my iCloud account with authentication codes being sent to my iPhone.
I guess the only way to add a layer of security in the iPhone on top of the passcode is to use the screen time restriction functionality with an additional passcode for screen time that is different from the phone passcode and locking out account change access via the screen time restriction feature.
Exactly. I want to prevent my iphone from being a trusted device for my iCloud account, ie, I want to require key like a Yubi key to prevent this: https://www.wsj.com/articles/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a summarized here: Apple's iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes | WSJ
I can't read the first article because of a paywall but after watching the video I believe the information is being presented in a way to instill anxiety to keep people watching.
For instance, when I'm in a bar I don't do anything on my iPhone that would require my device passcode. I use FaceID to unlock it if I am going to use it. To me what the woman at the beginning described would be like saying a phone-banking password outloud in a crowded elevator. Being shoulder-to-shoulder with people then typing in an important password or passcode on any device is a huge vulnerability.
I believe this would be a good article to start with. Many articles linked into it have prevention tips and best practices to prevent intrusions.
If my iPhone with passcode is compromised can an attacker get into my iCloud account without my security key simply because they have a trusted device?
