Apple to Introduce Stolen Device Protection in the Upcoming iOS 17.3

Remember the stellar reporting by the Wall Street Journal’s Joanna Stern and Nicole Nguyen about how thieves could shoulder-surf someone entering their iPhone passcode, snatch the iPhone, and then use the passcode to reset the victim’s Apple ID password? We covered it in “How a Thief with Your iPhone Passcode Can Ruin Your Digital Life” (26 February 2023) and “How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently” (20 April 2023). The much-shared Screen Time passcode is easily bypassed, so the only practical protections were:

• Pay attention to your iPhone’s physical security in public.
• Always use Face ID or Touch ID in public.
• If you must use your passcode in public, conceal it from anyone nearby.
• Never share your passcode beyond highly trusted family members.

Even then, the journalists revealed incidents of drugging and assault for which those four principles wouldn’t have helped at all.

Stern and Nguyen are now reporting that Apple has included a new Stolen Device Protection feature in the current beta release of iOS 17.3, which I expect Apple to release to the public in January or February 2024. Stolen Device Protection tries to minimize the potential of passcode theft by relying more heavily on biometric authentication and familiar locations, like your home and work.

With the feature enabled, when you want to change your Apple ID password or add a recovery key (which thieves used to lock victims out of their iCloud accounts), there are no new requirements as long as you’re at what your iPhone believes to be a familiar location (like home or work).

However, when you’re anywhere else, your iPhone will require two Face ID or Touch ID scans an hour apart before completing those actions. Requiring just one biometric authentication blocks the snatch-and-grab approach because the passcode won’t be sufficient on its own to do anything. Requiring the second scan an hour later ensures that even a forced scan during a mugging or drugging won’t be sufficient unless you’ve been held hostage for that time.

One concern is that viewing Settings > Privacy & Security > Location Services > System Services > Significant Locations must also require biometric authentication, or else the thief could go to one of those locations to complete the takeover. In iOS 17.2, viewing that screen requires Face ID or Touch ID, but failures can be overridden with the passcode.

Additional features that require two biometric scans with an hour gap when initiated from an unfamiliar location include changing a trusted phone number or contact, adding another face to Face ID or fingerprint to Touch ID, turning off Face ID or Touch ID, disabling Find My, and turning off Stolen Device Protection.

Another significant impact of passcode theft was that the thief could access the victim’s passwords in iCloud Keychain. If you turn on Stolen Device Protection, that will no longer be possible: accessing passwords will require Face ID or Touch ID authentication. Other features that will require biometric authentication (but not the hour wait) include applying for a new Apple Card, erasing all content and settings, turning off Lost Mode, sending Apple Cash to a bank account, using the iPhone to set up a new device (which copies all the data), and using payment methods saved in Safari. It’s the first time Apple has required Face ID or Touch ID instead of a device passcode to prove one’s identity or intent.

Apple won’t turn Stolen Device Mode on for you, but iOS 17.3 will alert users to the feature when they update. That seems reasonable for the first release, and I plan to turn it on. I wouldn’t be surprised if a future iOS version were to push it strongly during setup as Apple has increasingly done with other security features, including two-factor authentication for Apple ID accounts (required in nearly all cases now) and Find My (heavily promoted during upgrades if not already enabled).

Why would someone not want to enable Stolen Device Protection? Some people experience poor results with Touch ID—less so with Face ID—so leaving it off needs to be an option for them. I can also imagine it possibly introducing friction while traveling, but that may be a reasonable tradeoff for the increased chance of being robbed while on vacation.

People who avoid biometric authentication because they think biometrics are less secure than passcodes can continue to be wrong. Ironically, they may end up at less risk if the herd immunity of wide adoption of Stolen Device Protection causes thieves to give up on passcode theft as not worth the minimal reward. (It seems like Authentication Lock and Find My had some deterrent effect when introduced years ago.)

I look forward to seeing reports on the impact of Stolen Device Protection on users. Those who spend most of their time in familiar locations probably won’t even notice its additional requirements. The people for whom Stolen Device Protection would be the biggest pain are those who forget their Apple ID password and want to reset it immediately via their device without having to go through a process and an hour wait—although I would wager most people in that scenario are at home or work, thus sidestepping the wait.

Finally, just because you turn on Stolen Device Protection doesn’t prevent a thief from stealing your passcode and your iPhone, and accessing any apps that don’t require an additional PIN or biometric authentication. Make sure to enable such layered authentication in any app that manages money or sensitive information.

And, as I said initially, just don’t use your passcode in public.