It's madness to me that all it takes to completely own an iCloud account (including one with YubiKeys, Advanced Data Protection, etc. set up) is an iPhone passcode.
It should be possible for security conscious users to disable the "change iCloud password with only an iPhone passcode" feature. That would largely fix all these concerns. I think that it should be disabled by default if you set a recovery key or enable ADP, especially if you have FIDO2 tokens.
No idea, I still use a regular password b/c that was the fastest thing to type in on a BlackBerry. Never figured out how people could memorize numbers more easily than words/phrases.
I don't know a single person outside of tech (and a handful of other fields like government and journalism) who uses anything besides the shortest possible PIN code allowed. I believe most people would use no passcode if possible.
Really? I don’t spy on other people so I don’t know. But I know a 6-digit passcode is the default and Apple makes it intentionally harder for people to switch to a shorter one, so I think it’s the norm. And if people are so lazy and lax with their security, what is the chance of them changing 4 digits to a much more inconvenient password? Yes, old people cannot even use the soft keyboard without glasses!
In general, I don’t get the meaning of the article. Face ID is so convenient and secure, and a 6-digit code is the norm. If people just follow Apple's instructions, they won’t need to worry about anything.
No passcode is possible. I have it configured that way for a device I have mounted on the wall at home. But Apple makes it difficult to do so, as in a lot of extra steps, warnings and reminders, not just initially but on every single update too. They've made it inconvenient intentionally, which is good.
IMO the password reset procedure should start a waiting period during which you can’t remove the activation lock.
Who on earth uses a 4-digit passcode?
Maybe if Apple wants to be proactive over this, offer a "scramble pad" option for the lockscreen?