Apple security features confuse me - If my iPhone is stolen, 2FA prevents me from logging into nearest available browser to lock it!

My iPhone was stolen recently and the experience was horrendous.


  • Find My was enabled
  • 2FA was enabled
  • Passcode was enabled
  • Face ID was enabled


The thief snatched the phone whilst it was in my hand and unlocked - not ideal. I gave chase but could not retrieve it (within this time I would assume it would have locked itself). Within an hour they had managed to buy a new iPhone on the Apple Store using Apple Pay (surely Face ID should have stopped this?!). There is no way they could have known my Apple ID pwd or passcode as it was a completely random theft on the street.


First thing I did was try to log in to Find My on the nearest web browser to lock/erase the phone, but I couldn't because 2FA was demanding a code that was being sent to my stolen iPhone! I had to find a phone shop to get a new SIM card with the same number and a burner phone to get the 2FA SMS sent to it to finally be able to log in. By this time, somehow they had removed my iPhone from Find My so I could not lock/erase it. Given the iPhone could no longer be trusted, I removed it as a trusted device, but then I found out this removes the passcode?!


Maybe I misunderstand the setup, but none of this seems sensible to me, especially 2FA when your phone is stolen. How likely are you to have a 2nd trusted device/number nearby to be able to provide a code and log into Find My on a browser to lock the phone? I.e. if I'm abroad somewhere and all I have with me is my phone - if it is stolen, all I will be able to use is a web browser with Apple ID/pwd.


It seems to me for device protection I'm better off without 2FA. Marking a device as untrusted should also completely erase it instead of removing the passcode - maybe this is the case and I misunderstand.


I am currently stuck with my new iPhone trying to understand the best way to set it up so I don't have to go through the chaos I experienced last time.


All suggestions welcome!


Posted on May 24, 2024 3:06 AM


May 24, 2024 4:20 AM in response to x____1_6_7

x____1_6_7 wrote:

Given the iPhone could no longer be trusted, I removed it as a trusted device, but then I found out this removes the passcode?!


By removing the phone from the list of devices associated with your Apple ID, you cleared any Activation Lock that you would have set by marking the phone as Lost.


This means that the thieves can reset your phone and "make your phone their own." You have lost this method of turning the stolen phone into a "brick".


You can still report the phone as stolen to the police and to your phone company (carrier). If the carrier blacklists it, no carrier who honors the blacklist will ever provide cellular phone / text / data service to that phone ever again.

May 24, 2024 6:20 AM in response to Servant of Cats

Thanks for the reply. Yes, I only understood afterwards that by removing from 'trusted devices' it would essentially give them my phone - a warning would have been useful here! I was just trying to prevent them from receiving the 2FA messages that were being sent out when I was desperately trying to log in to Find My on a browser. How would I be able to stop a stolen device from receiving 2FA in such situations without essentially giving them my phone? I can't see how to stop a device from being trusted without handing over full access? Seems a bit counterintuitive. I also wasn't able to mark the phone as lost as it did not appear in the list on Find My for some reason (how did they manage this?!).


It seems that despite all the layers of security they were still able to bypass all of it and essentially have my phone within an hour of stealing it, and some of the reason for that is the Apple security design itself!
