Stolen Device Protection: How to Safeguard Your iPhone From Thieves
Apple's iOS 17.3 adds a security feature that requires Face ID or Touch ID to perform certain actions on your phone as a way to thwart thieves who know your passcode.
Imagine this scenario. Your iPhone has been stolen, and the thief knows your passcode. They now have access to confidential information and can make unwanted changes on your phone, even if you’ve protected your phone with Face ID or Touch ID.
This type of scam made headlines last year after The Wall Street Journal reported on thieves targeting inebriated bar patrons. After watching someone enter their passcode, the thief would steal the iPhone, log in with the passcode, change the iCloud password, and loot the banking apps on the phone. Without iCloud access, a victim couldn't remotely brick or reset their phone; many lost thousands of dollars in a matter of minutes.
In response to that reporting, Apple introduced a new security feature called Stolen Device Protection. Available with iOS 17.3, this feature prevents someone from accessing key data or making changes on your iPhone by requiring authentication solely through Face ID or Touch ID.
Stolen Device Protection consists of two components: Biometric authentication and Security Delay. Here's how the feature works and how you can implement it on your device.
What Is Apple's Stolen Device Protection?
Under normal circumstances, your passcode serves as a fallback option behind Face ID and Touch ID. But this means if someone has the passcode, they can get around the biometric authentication on your device. With Stolen Device Protection enabled, Face ID or Touch ID is required and a passcode is no longer an option. The feature kicks in when you attempt any of the following actions:
- Use passwords or passkeys saved in Keychain.
- Use AutoFill payment methods saved in Safari.
- Turn off Lost Mode.
- Erase all content and settings.
- Apply for a new Apple Card.
- View the virtual card number of your Apple Card.
- Take certain Apple Cash and Savings actions in Wallet, such as transfers.
- Use your iPhone to set up a new device (for example, Quick Start).
Now, if someone obtains your passcode but fails the biometric authentication, they can't perform any of these actions. To ease this process for the actual owner, the protection feature only goes into effect if your iPhone is in an unfamiliar area, meaning you’re not at home, work, or another registered location.
What Is Security Delay?
To further protect your phone, the Security Delay component forces you to wait before you can make critical changes on your phone. Here, you must authenticate the action you wish to perform with Face ID or Touch ID, wait an hour for the delay to end, and then authenticate with Face ID or Touch ID again. Security Delay activates if you try to perform any of the following actions:
- Change your Apple ID password.
- Sign out of your Apple ID.
- Update account security settings, including trusted devices, Recovery Key, or Recovery Contact.
- Add or remove Face ID or Touch ID.
- Change your iPhone passcode.
- Reset All Settings.
- Turn off Find My.
- Turn off Stolen Device Protection.
Security Delay goes into effect only if your iPhone is in an unfamiliar location. The idea here is to prevent a thief from making key changes to your account by giving you enough time to log in from another device and mark your phone as lost or stolen.
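The decision logic described in the two sections above, written out as a small Python model. This is an added illustration, not Apple's code: the action identifiers, the Device class, and request() are made-up names, and auth stands for a successful check by that method.

```python
from dataclasses import dataclass, field

# Action lists come from the article; the identifiers are labels invented for this model.
BIOMETRIC_ONLY = {"use_keychain_passwords", "safari_autofill_payment", "turn_off_lost_mode",
                  "erase_all_content", "apply_apple_card", "view_apple_card_number",
                  "wallet_transfer", "set_up_new_device"}
DELAYED = {"change_apple_id_password", "sign_out_apple_id", "update_account_security",
           "change_biometrics", "change_passcode", "reset_all_settings",
           "turn_off_find_my", "turn_off_sdp"}
DELAY_SECONDS = 3600  # "wait an hour for the delay to end"


@dataclass
class Device:
    sdp_enabled: bool = True
    delay_started: dict = field(default_factory=dict)  # action -> time the delay began

    def request(self, action, auth, familiar_location, now):
        """Return 'allow', 'deny' or 'wait' for one attempt.

        auth is 'biometric' or 'passcode'; now is a timestamp in seconds.
        """
        sensitive = action in BIOMETRIC_ONLY or action in DELAYED
        if not self.sdp_enabled or not sensitive or familiar_location:
            return "allow"  # passcode fallback still works in these cases
        if auth != "biometric":
            return "deny"   # a shoulder-surfed passcode is not enough
        if action in BIOMETRIC_ONLY:
            return "allow"
        started = self.delay_started.get(action)
        if started is None:
            self.delay_started[action] = now  # first biometric check starts the delay
            return "wait"
        if now - started < DELAY_SECONDS:
            return "wait"
        del self.delay_started[action]        # second biometric check, after the hour
        return "allow"
```

Walking a thief's attempts through request() with auth="passcode" and familiar_location=False returns "deny" for every listed action, while the owner at home still gets the passcode fallback.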
How to Enable Stolen Device Protection
To use Stolen Device Protection, your iPhone must be running iOS 17.3 or higher. To check, go to Settings > General > Software Update. You’ll be told that your device is up to date or see a prompt to install the latest update.
To turn on the new security feature, go to Settings > Face ID & Passcode or Touch ID & Passcode, and then enter your passcode. Swipe down the screen to the section for Stolen Device Protection and tap the Turn on Protection link.
Set Up Your Home or Work Addresses
To ensure that Stolen Device Protection goes into effect only in unfamiliar locations, your phone relies on the Home and Work locations set up in your own contact card in the Contacts app. Those locations are then linked to the Maps app, which relies on GPS to determine when you’re at home, work, or somewhere else.
If you haven’t already set this up, open the Contacts app, tap your contact card at the top of the screen, and then tap the Edit button in the upper right. Tap Add address. By default, the address points to Home, but you can change this. Tap Home and then choose a different label, such as Work, School, or Other. You can also add a custom label.
Ideally, you’ll want to set up locations for Home and Work or Home and School. Enter your street address, city, state, and ZIP code. When you’re finished, tap Done at the top.
How Stolen Device Protection Works
After setting up Stolen Device Protection and your addresses, test it to see how and where it works. For example, if you have an Apple Card, try to view your virtual card number. Don’t respond to the Face ID or Touch ID authentication prompt. After a couple of attempts, your phone should fall back to the passcode prompt. If that pops up, you know that Stolen Device Protection is excluding your registered location.
To test Security Delay, you might try to sign out of your Apple ID, remove Face ID or Touch ID, change your passcode, or turn off Stolen Device Protection itself. Again, ignore the prompts for Face ID or Touch ID, and your phone should fall back to the passcode verification.
Next, travel to an unfamiliar location. First, try the same actions for Stolen Device Protection that you attempted when you were at home, work, or school. Don’t authenticate with Face ID or Touch ID. This time, the passcode fallback should not appear. Instead, a message will pop up that Stolen Device Protection is turned on. Tap OK. Your device will request authentication with Face ID or Touch ID. Unless you can provide the biometric authentication, you won’t be able to perform the specified action.
Finally, try one of the actions that triggered Security Delay. Ignore the Face ID or Touch ID prompt. Security Delay will activate, preventing you from making the specified change for one hour.
Try performing the action once more and you should see a screen telling you that Security Delay is required to change Stolen Device Protection. Tap the button for Start Security Delay. After the hour is up, you can try again with the biometric authentication, but the passcode prompt should never appear.