You might not have ever had your iPhone stolen, but you can likely imagine how disruptive it would be, especially if the thieves could break into the phone. That’s what Nicole Nguyen and Joanna Stern explore in their latest piece for The Wall Street Journal, which reveals how one security setting on your iPhone can be a thief’s best friend.
This iPhone setting is trouble
Earlier this year, WSJ published a report about thieves who watch iPhone owners type in their passcodes before stealing the target’s phone. With just an iPhone and a passcode, a thief can cause all kinds of havoc, including using Apple Pay to make purchases.
While many victims are eventually able to get all their money back, retrieving the files, photos, videos, and contacts is far more difficult, especially when the thief is able to lock the owner out of their Apple account by generating a recovery key.
As Nguyen and Stern note, Apple introduced recovery keys in 2020 to improve the security of Apple accounts. If you generate a recovery key, which is a randomly generated 28-character code, it automatically turns off account recovery. If you need to recover your Apple account, you have to provide the code. It’s more secure, but it’s also riskier.
Apple says on its support site that account recovery “is a process that would otherwise help you get back into your Apple ID account when you don’t have enough information to reset your password.” Here’s the problem: If a thief has your iPhone and your passcode, they can unlock your phone and generate a recovery key to lock you out. Even if you already have a recovery key, they can just generate a new one, which has the same effect.
“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesman said. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”
Unfortunately, there’s no clear solution to this problem. If a thief gains access to your phone along with your passcode, there’s nothing you can do to ensure they don’t generate a recovery key. According to WSJ, your best bet is to use Face ID as often as possible. If you do use a passcode, make it more complex. Go to Settings > Face ID & Passcode > Change Passcode > Passcode Options and choose Custom Alphanumeric Code. At the very least, it won’t be nearly as easy for someone to memorize your passcode from across the room.