User profile for user: we135b
we135b Author
User level: Level 1
9 points

Passwords app security

I’m concerned that if someone were to get ahold of my phone and passcode, they would have access to all of my passwords via the Passwords app and all my 2FA capabilities. While the phone first tries facial recognition, it gives the option of passcode if that fails. I feel like this makes the Apple Password Manager app unusable for sensitive websites. I might add that, with the phone and passcode, the Apple ID and biometrics can be changed which is a whole ‘nother level of damage.


Does anyone know if there is a way to remove the passcode option and require a password input on all or specific websites?


Is there a way to require password input to change my Apple ID?


I hope missing something because this sounds like weak security.


Lastly, If my phone and passcode were taken, what is the best and quickest way to lock out the phone?

iPhone 15 Pro, iOS 18

Posted on Jan 7, 2025 8:25 AM

Reply

Similar questions

13 replies
User profile for user: Lawrence Finch
Lawrence Finch
Community+ 2025
User level: Level 10
228,528 points

Jan 7, 2025 8:56 AM in response to we135b

we135b wrote:

I’m concerned that if someone were to get ahold of my phone and passcode, they would have access to all of my passwords via the Passwords app and all my 2FA capabilities. While the phone first tries facial recognition, it gives the option of passcode if that fails. I feel like this makes the Apple Password Manager app unusable for sensitive websites. I might add that, with the phone and passcode, the Apple ID and biometrics can be changed which is a whole ‘nother level of damage.


No, Passwords can ONLY be opened with Face ID, there is no option to use a passcode if Face ID fails. The same is true on devices with Touch ID.



Does anyone know if there is a way to remove the passcode option and require a password input on all or specific websites?

Is there a way to require password input to change my Apple ID?

Yes. Go to Settings/Privacy & Security and turn on Stolen Device Protection. This will require Face ID or Touch ID (as appropriate) to change any Apple Account or phone security settings, including changing the passcode OR the Apple ID passcode. The downside is if your biometric identification fails the only option is to erase the phone and set it up as new. And you will still need to disable Activation Lock.


I hope missing something because this sounds like weak security.

No, it is extremely strong security


Lastly, If my phone and passcode were taken, what is the best and quickest way to lock out the phone?

Log in to https://icloud/find and put the phone in Lost Mode. If you use the full URL with the “find” appended as shown, this does not require 2FA, to cover the case where you don’t have another device to receive authentication messages.


Here’s more detail→If your iPhone or iPad was stolen - Apple Support

Reply
User profile for user: Lawrence Finch
Lawrence Finch
Community+ 2025
User level: Level 10
228,528 points

Jan 7, 2025 9:38 AM in response to we135b

we135b wrote:

Sorry. I didn’t finish reading your response and changed the Stolen Device Protection and that did it. However, if someone has your phone and passcode can’t they just change the setting?

Try and see. ONLY Face ID can change or disable Stolen Device Protection. And, if you aren’t in a “familiar location” you have to wait an hour to access it.

Reply
User profile for user: MrHoffman
MrHoffman
Community+ 2025
User level: Level 10
144,857 points

Jan 7, 2025 10:10 AM in response to we135b

There can absolutely be better security than you have now, though that increases your effort involved. Security always involves trade-offs, and usually (always?) increases the difficulties of routine use.


Consider whether somebody is going to acquire your twelve- or fifteen character passcode, and that passcode you enter only infrequently at best due to your use of Face ID. If that access is a likely case here, there are options including stolen device protection mentioned above, and migrating your two-factor to (USB, Lightning, or NFC) security keys.


And yes, that then leads to the “what if” of getting your phone, your fifteen character passcode, and your security key all stolen.


If that level of security is insufficient, you’re probably headed for an even larger “what if?” and a complete reappraisal of your entire information security requirements and of better isolating and compartmenting of your most sensitive data, and/or migrating to feature phone with ~no contact info, which still has its own issues.


And the passwords access is not even remotely new. The only difference is a better UI with Passwords app in iOS 18. Passwords have ~always been available.


Better Securing Your Data, and Apple Acco… - Apple Community


Reply
User profile for user: IdrisSeabright
IdrisSeabright
User level: Level 10
185,843 points

Jan 7, 2025 10:32 AM in response to Chattanoogan

Chattanoogan wrote:

From a “non-technical” — risk mitigation — standpoint …

… you might also evaluate NOT placing sensitive info on your mobile devices.

Just because you CAN put info on a mobile device doesn’t mean that you should, or have to do so.

Simply NOT having sensitive info on the device is arguably the best way to counter the “under duress” risk.

I have often seen the recommendation that, when traveling to countries with questionable privacy laws, to wipe the phone before going and put only essential information on it. Restore from a backup when returning home.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Passwords app security

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up