Here’s Why You Should Avoid Using your iPhone Passcode in Public

Use Face ID or Touch ID instead

It’s been nearly a decade since Apple first unveiled the iPhone 5s with its Touch ID sensor — and over five years since the iPhone X brought us Face ID. Yet, many folks still rely on old-fashioned four- and six-digit passcodes to unlock their iPhones, keying them in several times per day.

According to the Wall Street Journal (Apple News+), this has created a massive opportunity for information and identity thieves, who keep their eyes open for these passcodes and then snatch iPhones right out of people’s hands. This not only gives thieves full access to all of the data stored directly on the target’s iPhone but can also offer a portal into financial accounts and other personal information.


It’s a remarkably low-tech trick, highlighting the irony that many folks feel safer using a passcode than relying on more sophisticated technologies like Touch ID and Face ID. Part of that is a certain mistrust of technology, but for many folks, it’s just a matter of convenience. For instance, Touch ID doesn’t work through gloves, and even with recent advances in Face ID’s algorithms, it can still be tricky to use, especially if you’re wearing a mask and don’t have an iPhone 12 or newer — the only models that support the latest mask-aware Face ID features.

A Key to Your Kingdom

To be clear, Touch ID and Face ID were never expected to replace passcodes. Apple’s stated goal for Touch ID was to provide better security through convenience; according to Apple’s research, a large percentage of iPhone users had been using NO passcode at all on their devices, preferring to simply swipe to unlock and be ready to go. Touch ID was introduced to encourage more iPhone users to secure their devices by making it easier to unlock them with nothing more than a fingerprint.

As Touch ID, and later Face ID, became ubiquitous across all Apple devices, the company expanded this convenience through the entire iOS ecosystem. Today, your face or fingerprint can unlock third-party apps, make payments via Apple Pay, and autofill passwords on websites.

Unfortunately, since your device passcode acts as a fallback for those times when biometric authentication doesn’t work, it unlocks the same privileges as your face or fingerprint would. If Face ID fails while trying to make a purchase via Apple Pay, for instance, you can enter your four- or six-digit passcode to complete the transaction.

This means that a thief who sees you enter your passcode can grab your iPhone and do everything with it that you could — including accessing your confidential information, using your credit cards to pay for things, and logging into your bank accounts.

This is precisely what at least some thieves have figured out. As the WSJ notes, in one case, a 31-year-old economist in midtown Manhattan found $10,000 snatched from her bank account after a man she had just met in a bar grabbed her iPhone 13 Pro Max.

“Once you get into the phone, it’s like a treasure box.” (Alex Argiro, retired NYPD detective)

While some iPhone features still require the user to enter the password associated with their Apple ID, many folks don’t realize this can easily be changed with a “trusted” iPhone in your hand since Apple’s method for password resets involves sending confirmation codes to devices associated with the user’s account via its own push notifications or SMS text messages.

This also applies to many other online accounts, which often use SMS or email for password resets. However, if someone is storing their passwords in an app or note on their iPhone or has an online banking app installed, thieves may not even have to go that far; many third-party apps that generally rely on Face ID will fall back to passcode authentication when Face ID fails. In such cases, all a thief has to do is open that app and enter the same passcode you use to unlock your device.

In many cases, it’s the banking apps that crooks are after. As Alex Argiro, a retired NYPD detective, told the WSJ, it’s an “opportunistic crime” since “everyone has financial apps” — and most of those apps encourage customers to use Face ID or Touch ID to secure them.

How to Protect Yourself

The iPhone is one of the most secure smartphone platforms out there, if not the most secure. However, even the best lock in the world can’t protect you against somebody with a key.

Even the high-profile 2016 FBI case of the San Bernardino shooter’s iPhone didn’t involve any specialized or sophisticated attack. The FBI knew it wasn’t getting into the device without the proper passcode; it was simply asking Apple to make it easier to guess the passcode by providing a custom version of iOS that wouldn’t lock them out after too many wrong attempts.

Part of the problem is that the average iPhone user unlocks their device at least 80 times per day. When you’re doing that with a passcode, it becomes second nature, so you don’t always think of who may be looking over your shoulder — and it’s also easy to forget how many other things that passcode can unlock.

In addition to being aware of your surroundings and avoiding the use of a passcode as much as possible — many of the victims interviewed by the WSJ were targeted by people they had just met while out socializing — there are a few other things you can do to protect yourself against this kind of theft.

  1. If you have an iPhone 12 or newer, set up Face ID to work with a mask. This will reduce the number of scenarios where you have to use your passcode. This feature isn’t just for surgical masks; it also works with scarves or anything else that covers your nose and the lower part of your face.
  2. Use a longer passcode or, better yet, an alphanumeric password. A longer password will be harder for somebody to read over your shoulder, and it’s also much more difficult to guess or attack by brute force. On average, a four-digit iPhone passcode can be cracked in about seven minutes by entering every possible combination. However, this increases exponentially with each additional digit; an eight-digit code would take about 46 days, and ten digits ups that to 12.5 years.
  3. Be careful about storing extremely sensitive information, such as passwords, on your iPhone. Built-in apps like Apple’s iCloud Keychain and secure notes in Apple Notes can be unlocked with your regular passcode. If you need to store this info, look to apps such as 1Password, which use separate encryption and different passwords — and of course, ensure that the password you choose there is different from your iPhone passcode.
  4. If your iPhone is stolen, take action to secure your accounts immediately. Remote wipe your device using Find My, call your carrier to deactivate your cellular plan, and change your most important passwords, including your email account, Apple ID, and all online banking passwords. A remote wipe will deactivate Apple Pay on your iPhone, but you may still be able to locate it using Find My as long as it’s running iOS 15 or later.

This last step is an important precaution, even if you’re not sure your iPhone has been stolen or your passcode has been compromised. If you recover your iPhone later — or find out where you misplaced it — you can simply restore it from a backup, and you’ll be up and running again in no time. However, if a thief has managed to get their hands on your iPhone, it’s better to act as quickly as possible and take action before they have a chance to disable your Apple ID.
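
The brute-force times quoted in step 2 can be reproduced and extended to alphanumeric passcodes with the short calculation below. This is an added example, not part of the original article; the 80 ms cost per guess and the 62-character alphabet are assumptions, the first chosen because it approximately reproduces the article's figures.

```python
import math

# Assumption: ~80 ms per guess, chosen because it reproduces the article's
# figures. Lockout delays and erase-after-failed-attempts are ignored, as in
# the article's "entering every possible combination" scenario.
SECONDS_PER_GUESS = 0.08

def average_search_seconds(length, alphabet=10, per_guess=SECONDS_PER_GUESS):
    """Expected time to reach the right code: half the keyspace is tried on average."""
    return (alphabet ** length / 2) * per_guess

def min_length_for(target_seconds, alphabet, per_guess=SECONDS_PER_GUESS):
    """Shortest code length whose average search time is at least target_seconds."""
    guesses_needed = 2 * target_seconds / per_guess
    return math.ceil(math.log(guesses_needed, alphabet))

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for n in (4, 6, 8, 10):
        print(f"{n} digits: {humanize(average_search_seconds(n))}")
    # Assumed alphanumeric alphabet: 26 lowercase + 26 uppercase + 10 digits.
    for n in (6, 8):
        print(f"{n} alphanumeric: {humanize(average_search_seconds(n, alphabet=62))}")
    century = 100 * 365.25 * 86400
    print("digits needed for a 100-year average:", min_length_for(century, 10))
    print("alphanumeric characters needed:", min_length_for(century, 62))
```

Under these assumptions a seven-character alphanumeric password already outlasts an eleven-digit numeric code, which is why step 2 prefers an alphanumeric password over simply adding digits.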
