Earlier this week, it was revealed that Apple is rolling out extra protections against iPhone thieves in the next update to iOS 17. It’s a direct, if slightly belated, response to a spate of iPhone thefts that rely on knowing a user’s passcode, which made headlines back in February.
You may be scratching your head and wondering how it’s different from Find My — Apple’s system for tracking down missing devices.
The short answer is that Stolen Device Protection closes a loophole that thieves were exploiting to get around systems like Find My. But to fully understand the difference, you need to know about the loophole Apple is attempting to close…
How iPhone thieves block Find My
Apple’s Find My network is a useful way of tracking down lost or stolen devices. Once enrolled, you can log in with your Apple ID in any web browser and track down a real-time location for your AWOL iPhone, because it’s registered to you.
That sounds foolproof, but the passcode theft scam found a weak point in Apple’s security: namely that if you have an iPhone’s passcode — obtained via shoulder surfing, say — you can change the Apple ID password.
And if a thief changes the Apple ID password, then they can quickly change the associated email address and lock the original owner out of their account. That not only means losing access to your iPhone, but your cloud storage and — crucially — the Find My iPhone system. After all, as far as Apple is concerned, if you don’t know the password to an account then you can’t be the true owner.
The problem is that Apple doesn’t just want to just block people being able to change their Apple ID password on the iPhone with their passcode. After all, the main reason anyone would want to change a password is because they’ve forgotten it, so being able to prove ownership via a device and its passcode feels like a good compromise. But obviously it’s an imperfect one if your passcode has been stolen.
The changes with iOS 17.3 are an attempt for Apple to square this circle.
How Stolen Device Protection works
Stolen Device Protection, once opted in, doesn’t block your ability to change your Apple ID password, but it does make it significantly harder for an opportunistic thief to do so.
It kicks in when you’re not in a familiar location — your home or workplace — and essentially makes the iPhone a bit more skeptical about attempts to change the password or do anything that a thief might attempt.
So if somebody tries to change your Apple ID password when not in your home or office, the iPhone will first require Face ID or Touch ID to begin the process rather than just a passcode. It will then make you wait an hour before you can actually make the password change, and you’ll need to confirm it with another biometric check. Even if a thief can somehow get past the biometrics, you’ll have a 60-minute head start to access the Find My network and remotely lock your iPhone.
Other risky activities — adding a new Face ID, disabling Find My, enabling a recovery key, etc. — have the same protections in place, while less suspect but still risky activities (e.g: accessing Keychain) require biometrics without the wait.
It’s certainly a better system than what’s available now, so we strongly advise readers opt into it when it becomes available with iOS 17.3.
