524: The Anti-Fireplace Lobby
atp.fm/524

iPhone passcode thieves, @siracusa’s difficult living room, and the one trick you won't believe the kids these days are doing to evade Screen Time limits.

atp.fm: Accidental Tech Podcast, 524: The Anti-Fireplace Lobby. Three nerds discussing tech, Apple, programming, and loosely related matters.
multigreg

@atpfm @siracusa I set Screen Time restrictions with a passcode, without the option to remove it using AppleID (tapping ‘Cancel’ & ‘Skip’).

When I try the ‘Forgot passcode’ link, it still guides me through the options to enter my AppleID or device password, or find a forgotten AppleID.

@multigreg @atpfm @siracusa I also did this, choosing to disable passcode changes as well as account changes. It disables the whole account section in Settings — your name next to your Memoji/photo at the top of Settings becomes greyed out. I assumed it would stay active but prompt for the Screen Time code when tapped. Instead, to change account settings I now have to go to Settings > Screen Time and temporarily toggle off the restriction.

@AndrewPerth That’s because the feature is meant to prevent access by another user, like a child, entirely. I’m fine with that because I can access most of the iCloud account settings on a Mac.

@multigreg @atpfm @siracusa It seems that cancel doesn't equal disable; it's always possible to reset the Screen Time Passcode with an Apple ID and Password.

It's probably a user flow that exists because it is (was?) possible to set up a device with Screen Time while not being logged into an Apple account. (More of an iPod Touch or iPad use case, I suppose. It was once possible to log into the App Store separately without logging into the entire device.)

In theory, it shouldn't be a problem that the ST passcode can be reset, because your ID password hasn't been shoulder surfed. You can't change one without the other. But then… you can access the "Forgot Apple ID or Password?" option from the Change Screen Time Passcode settings. And then, thanks to Apple's Two-Factor process, you can change your Account/ID password with your device's passcode. EVEN IF you have a backup email address set up 🤦🏻‍♂️ There really ought to be a way to prioritize something inaccessible to a thief.

I avoided Apple's Two-Factor Authentication for years because of the way in which it is implemented. But then I bought some Airtags last year, so 🙄

Thus, one must be vigilant against shoulder surfing.

@5ean5ullivan @atpfm @siracusa Not just shoulder surfing, but being mugged and told to provide your passcode. I fear that once word of all this gets round, it won’t be just criminal gangs to worry about but also isolated violent thieves.

You should be able to harden the settings of iPhone so that you can’t change control of accounts with only that device in hand.

@multigreg @atpfm @siracusa Aha, I just realized, I've been using Screen Time on my own phone for too long. The "default" use case is a child's device and a prompt to tie the parent's ID to the Screen Time Passcode. 🙃

So, to lock down one's own Screen Time, you need a "parent" (admin/backup) Apple account that is only used to manage the Screen Time passcode. I just tied my ST passcode to my Finnish Apple ID (my iPhone uses my US-based ID).

The forgotten password option can still be used to reset the trusted device's account password though. The trusted device has too much power if the phone's passcode is known.

Other issue: If a parent cancels the ID prompt, then, the child can turn off Screen Time with their Apple ID and Password, right? 🤔 (Seems like something kids could exploit.)

I enable Screen Time and disallow account changes in the hope that if somebody grabs my phone from my hand while it's unlocked, they won't be prepared to deal with the extra steps. A professional phone thief is going to know what to do. (So I don't use the default mail app and have a separate passcode for the one that I do use, as well as a password safe.)

A violent demand for unlock codes? I don't think software can be designed to prevent loss in that case.

@5ean5ullivan @atpfm @siracusa
“a "parent" (admin/back up) Apple account that is only used to manage the Screen Time passcode.”

This is an interesting idea! Is it possible to circumvent that with the device passcode?

@multigreg @atpfm @siracusa Yeah, I think circumvention is possible.

There's a Catch-22. If you enable Screen Time and set up a passcode, it in turn enables an option to turn it off, which links to a "forgot ST passcode" option, which links to a "forgot Apple ID password" option, and that link isn't limited to the "parent" account. You can submit any account ID.

And even if that link were removed, or restricted to just the parent account, there's nothing preventing a thief from just opening Safari to iforgot.apple.com – unless you block that URL in Screen Time? 😅

Basically, all the info needed to reset an Apple account password (ID and trusted phone number) is easily discoverable on an unlocked iPhone. With a known passcode, there's plenty of damage that can be done with a "trusted" device.

It's why I preferred using the old system of password questions, the answers to which were random strings that I kept in my password safe. I really needed to consider things when I enabled the 2FA for the Airtags.


@multigreg @atpfm @siracusa Perhaps a reasonable mitigation measure would be to allow a trusted device to update/reset an account password, but to still allow the old password for 24/48 hours in case it wasn't actually forgotten. The new password should be limited in its ability to make configuration changes to iCloud, Find My, et cetera.

@5ean5ullivan @atpfm @siracusa What annoys me is the way Apple treats 'trusted devices’. Using my iPhone at home is a very different situation from when it’s just been snatched out of my hands unlocked in public.

@5ean5ullivan @atpfm @siracusa I've just tested this again: an attacker who knows my iPhone passcode *and* Apple ID *email address* can trivially bypass the Screen Time passcode:

1) Set up a ST passcode
2) When prompted to use Apple ID as a recovery method if you forget the passcode, tap ‘Cancel’ & then 'Skip' to confirm
3) Try to turn off the ST passcode
4) Tap 'Forgot Passcode?’
5) Enter your Apple ID email
6) Tap ‘Forgot Apple ID password’…
7) …you're prompted to enter your iPhone passcode!

@5ean5ullivan @atpfm @siracusa …and if the attacker can unlock the phone, he usually just has to go into your emails to find one from Apple to your Apple ID address.

@5ean5ullivan @atpfm @siracusa Therefore your idea to use a different Apple ID for Screen Time is interesting; that address must be kept secret to prevent the above bypass method.

@multigreg @atpfm @siracusa Well, I think it's easier to update your Apple ID to an email alias that you only use to administer important accounts with. I have separate aliases for retailer accounts, games, friends, etc. And then I require a passcode for my email app. Then there's no good way to discover my Apple ID (that I know of) once I've used Screen Time to disallow account changes, even if somebody has access to the open content on my phone. (I don't use Apple to log in to third-party apps. Maybe those would display the ID. In Overcast, for example, I use my vendor alias, so it can't be used to infer my Apple ID.)

So, instead of a "parent" account, I'd try to make your Apple ID as private as you can.

@5ean5ullivan @atpfm @siracusa that’s good advice. I too use separate email aliases for different services.

I’d find it inconvenient to enter a passcode for my email app, so I’m thinking of creating a dedicated Google account to use as the secret Apple ID, and never connecting to it from the iPhone, so that it can’t be searched.

@5ean5ullivan @atpfm @siracusa I’ve just tried using an alternate Apple ID I had for Screen Time recovery, and sadly it doesn’t prevent the bypass of entering the Apple ID that the iPhone is logged into. Just enter that address and you can use the phone passcode to reset it, right inside the Screen Time UI.

This is maddening. It’s a much higher difficulty to remove any trace/access to your main Apple ID address on your phone. If you don’t, the Screen Time method is useless.

@5ean5ullivan @atpfm @siracusa there are several places where you can see the logged-in Apple ID address in plain text: Fitness app, Game Center settings, TestFlight, …

What happens when you reset the Apple ID password from within the Screen Time UI — can you then access the Apple ID screen and take control?

@multigreg @atpfm @siracusa Ah, I've disabled Game Center. The Health app only shows my name/initials. Fitness displays your ID?? I don't have it installed. My iOS devices are largely used to connect me to third-party services. I imagine if you use even a bit of iCloud and Apple services it'll be more challenging to obscure your ID. 🤔

Testing a bit. I think there's no need to do anything from within Screen Time. If account changes are disabled via Screen Time but you know the device's passcode, and you can discover the Apple ID, then I think the quickest vector of attack would be to open iforgot.apple.com and enter the Apple ID. Testing, I'm prompted to provide my phone number, which is pretty easy to look up from the phone's Contacts. Entering that from my phone's Safari prompted all my devices logged into iCloud to ask if I wanted to allow the device to reset my password. I didn't answer, and it either timed out or was dismissed when my son clicked "Don't Allow" on the iPad he was then using.

The whole 2FA process is designed to protect people from having their accounts hacked remotely or when the phone is at rest. The reset-account-password flow from 2FA trusted devices is designed to take care of a _very_ common support problem. The combination of those two things equals a real problem when shoulder surfing and professional thieves are involved.


@5ean5ullivan @atpfm @siracusa The Fitness app, installed by default, has an avatar in the top right corner through which you can see the Apple ID. I think there are similar things in other apps.

You’re right about resetting the Apple ID once you know its address. Apple will use the ‘trusted devices’ and ‘trusted phone numbers’ associated with it. I also tried with an Apple ID that isn’t used on any device: it sent confirmation codes to my phone number and email address, and that was enough.

@5ean5ullivan @atpfm @siracusa So everything is futile except protecting your device passcode/password like you do for your Apple ID password. Unlock the phone and you have the keys to the AppleID kingdom.

@multigreg @atpfm @siracusa When I tried this it gave me the ability to use my Apple ID, but not my device passcode. But if the screen time passcode is protecting my password, then the attacker wouldn’t know my password to reset the passcode.

Curious how you got the ability to use the phone's passcode to reset the Screen Time passcode.