Well more of a product/security matter here. The amount of access that an unlocked device gets you is nuts. I didn't expect to be able to reset an apple id password with a device pin code.
I'm not sure it matters - it's not a technical-heavy flaw in Apple's security. He either recorded people putting in their unlock codes, or straight up asked them what it was. The reporter doesn't have to be very technically-minded to follow.
Ah well where’s the hack then? I assumed it was going to be their typical click bait and was right. Accessing someone’s data with an unlocked phone isn’t hacking at all.
Changing the biometrics should automatically invalidate all FaceID tokens and block falling back to device PIN. It should effectively log the device out of all services, perhaps even delete browser cookies etc. since it should mean the person holding the phone is not the one who logged on to those.
Of course, this could have other implications so a lot of care has to be taken when designing and implementing this.
Android appears to do something like this with fingerprints (or at least enable it). Whenever I add a new one, apps stop accepting fingerprints until I enter my password/passcode/whatever in each one.
If each app has its own password/passcode that you can bypass with your fingerprint, and fingerprints suddenly stop working, it absolutely does shut down the thief, unless you also use the phone's passcode for all your accounts.
Oh I see. On the iPhone though, FaceID / TouchID are the same as the passcode - at least in the sense that if the biometrics fail, they fall back to the passcode.
This means that if you enable log in with biometrics, you’re essentially enabling the fallback along even if the app has a separate PIN/passcode.
I just tried it on my iPhone with a banking app and it shows me the default login screen for the bank and then logs me in if my face is there, but without the face it just stays on the login screen waiting for me to enter the bank password, never asks for a PIN.
Therein lies the problem, I guess. How is it left to the application developer to implement this properly? As a user of the device, I expect biometrics (a feature of my platform of choice) to behave consistently.
Not all threats scenarios are the same. The problem is that there's very little in the way of forcing the app developers to accept liability if they misjudge the threat scenario (a notable exception are banking apps in the US)
I have never enabled FaceID (or even TouchID) on my phone, primarily because I feel like a password should be something you know and biometric data is something you have (or something you are?)
I always wondered if I should do it for convenience every time I open one of my banking apps, which always requires me to login again.
This has convinced me never to use such a thing, and I'm glad I've stood my ground.
I mean, how Apple is letting someone change my Apple ID password just by knowing my iPhone pass code, that's insane.
What's the point of having an Apple ID password if you can change it with the phone pass code ? It just bother the regular users to have 2 passwords to remember, but adds no security whatsoever...
Did you try this to confirm it’s even true? It takes 5 seconds, just try it.
Because I did. My iPhone prompted me for my password in addition to the PIN.
Maybe we shouldn’t take this article at face value.
38 comments
[ 3.0 ms ] story [ 82.4 ms ] thread> "I'm here [in prison] because I got too carried away"
Arrested for getting passcodes through trickery and violence.
That said, this report makes a good point:
* Johnson would quickly replace the passcode and then replace FaceID with his face
* He could then get into PayPal, Venmo, etc via (his) FaceID
* He could make ApplePay transactions at physical stores, again using FaceID
So, device PIN = all you need to get into all finance apps (if FaceID was enabled for them)
> "Johnson made $20,000 per weekend from selling the stolen phones"
> "I wish I had not been so greedy and just got what I got and changed my life"
> "When you get out, will you forget about this trick?"
> "There's gonna be new tricks out"
> "...and I don't want nothing to do with it"
Changing the biometrics should automatically invalidate all FaceID tokens and block falling back to device PIN. It should effectively log the device out of all services, perhaps even delete browser cookies etc. since it should mean the person holding the phone is not the one who logged on to those.
Of course, this could have other implications so a lot of care has to be taken when designing and implementing this.
This means that if you enable log in with biometrics, you’re essentially enabling the fallback along even if the app has a separate PIN/passcode.
Wallet is still accessible with the device passcode as a fallback though, which means quite a lot of damage can still be done.
I always wondered if I should do it for convenience every time I open one of my banking apps, which always requires me to login again.
This has convinced me never to use such a thing, and I'm glad I've stood my ground.
if they can get the code from you, that is as good as having your face id and they can access everything..
I also don't use Apple's password manager so they would have to know another master password to access the passwords for my apps
1. When advanced data protection is turned on, it should not be possible to change the Apple ID password without the associated hardware tokens.
2. Again when advanced data protection is on, it should require the hardware tokens to add a Face ID appearance or change the device passcode.
What's the point of having an Apple ID password if you can change it with the phone pass code ? It just bother the regular users to have 2 passwords to remember, but adds no security whatsoever...
Maybe we shouldn’t take this article at face value.
1. you have a passcode set
2. you are logged into iCloud.
1 & 2 are true for nearly everyone so sounds like yes this is still a problem.