Summary: if a thief can observe your passcode and thus get into your phone, or even force you to unlock it with your face, your digital life can be stolen.
And if you are foolish enough to rely on auto-fill for passwords and/or to tie Apple Card/Cash and your credit cards into the mix as well (which millions do), you’re going to have a very bad day. Well, a very bad year or two trying to repair all the damage. And maybe all your money gone, unless you get lucky with your financial institution.
Problem #1: unfettered access to iCloud account, changes, etc.
Open question: when/how often does Apple require the existing iCloud passcode in order to change it?
I tried this. I had not entered my iCloud password for months, so in my case it required that. But once I entered it, it “sticks” and no further prompting is done. And that’s the problem. I tried it on my daughter’s phone—no prompt. I don’t know how long it “sticks” but at first it required no prompt, then later it did. Is it tied to the passcode somehow?
There should NEVER be a case where the iCloud password is not required. And of course it is moronic if you make the iCloud password the same as your phone passcode.
Assume you have the passcode for the phone; the thief steals it as per the article above.
1. Go to
The phone will not require entering the iCloud password unless it has not been entered recently. How long? That’s not clear.
2. Malefactor changes the password, changes the email, changes the recovery key, and turns off Find My iPhone.
At this point, you are screwed. None of your devices can get your stuff back, not even the recovery key, since the thief has changed it. Everything is lost, forever, and Apple will not and cannot help you*. Unless your stuff is on your local computer and assuming you are not foolish enough to let things be stored (only) in iCloud (but most people do!).
Two-factor authentication (2FA) via your phone does not help you here, since the thief has the phone and simply allows the change. I did this myself—it is beyond stupid to see a “stolen” phone approve the theft of itself. What is Apple thinking to allow a phone being used to change the iCloud password to itself approve the change?
* This is why you make local backups that have nothing to do with Apple or iCloud!
Problem #2: saved passwords, Apple Cash, etc.
The malefactor has your phone and its passcode, has changed your iCloud everything and you are LOCKED OUT of all your stuff on all your devices and computers, as per above.
If you were foolish enough to use auto-fill passwords, the malefactor will happily log in to your bank account, Venmo, etc., etc. Bye-bye balances. Rent and car payment due? Oh well.
Maybe you were foolish enough to have pictures of things like your driver’s license or passport, social security number, etc... suddenly you have 3 new credit cards, all maxed-out.
Or... some nude selfies headed for your Twitter or Facebook accounts or your boss, if the malefactor is feeling bored and especially malicious. Have fun!
Bonus: if the thief is caught in one of our wonderful shithole progressive cities, the local DA will almost certainly release that turd without bail and probably never prosecute.