Turn On Stolen Device Protection in iOS 17.3
As promised, Apple built the new Stolen Device Protection technology into the just-released iOS 17.3. It offers optional protection against a particularly troubling form of attack brought to light by reporters Joanna Stern and Nicole Nguyen of the Wall Street Journal in a handful of articles and videos (see our “iPhone Passcode Thefts” series).
In short, a thief would discover the victim’s iPhone passcode by shoulder surfing, surreptitious filming, or social engineering, then grab the iPhone and run. In some cases, criminals drugged, threatened, or attacked people to extract the passcode. Soon after, the thief would use the passcode to change the victim’s Apple ID password, lock them out of their account, and use apps and data on the iPhone to steal money, order goods, and generally wreak havoc.
The attacks worked because Apple had made resetting an Apple ID password easy for those who could only remember their passcodes. Many people forget their Apple ID passwords, so Apple decided it was worth trading some security for allowing people to recover from a forgotten password easily. It also undoubtedly reduced Apple’s customer service overhead by providing a self-service option for resetting Apple ID passwords. Unfortunately, whenever there’s a loophole or backdoor, criminals will eventually find it.
Happily, Apple now lets us eliminate that security hole with Stolen Device Protection for iPhone. It’s not available for the iPad or the Mac. Apple hasn’t explained why, of course, but there are two possibilities for the iPad. Apple may be planning to add the feature to the iPad in a future update—the iPad often lags behind the iPhone—or the company may feel that iPad users are unlikely to be targeted similarly. (Many of the reported iPhone passcode thefts took place in bars where victims weren’t paying close attention and may have been impaired by alcohol.) Macs seem even less likely to be targeted, given the additional difficulty of discovering a login password.
Stolen Device Protection Details
Here’s what happens when you turn on Stolen Device Protection. Everything works as before when you’re in a familiar location—home, work, or anywhere your iPhone has determined you use it frequently using the device-based Significant Locations system. You can change your Apple ID password, turn off Find My, access passwords in Keychain, and much more with no new requirements.
However, whenever you’re somewhere deemed unfamiliar, critical changes to your account or device require Face ID or Touch ID authentication, with no passcode alternative or fallback. The most important security actions also require a delay of an hour—shown with a countdown timer—before you perform a second biometric authentication. This delay reduces the chances of an attacker forcing you to authenticate with the threat of violence.
Apple says you must employ Face ID or Touch ID authentication in unfamiliar locations to:
- Use passwords or passkeys saved in Keychain
- Use payment methods saved in Safari (autofill)
- Turn off Lost Mode
- Erase all content and settings
- Apply for a new Apple Card
- View an Apple Card virtual card number
- Take certain Apple Cash and Savings actions in Wallet (for example, Apple Cash or Savings transfers)
- Use your iPhone to set up a new device (for example, Quick Start)
Notably, you can still use the iPhone passcode for in-person purchases made with Apple Pay, which remains a slight vulnerability. Apple likely felt that it would be too annoying to have a Face ID or Touch ID failure while attempting to pay for something at a store and not be able to fall back on the passcode.
You can also turn off Significant Locations with a passcode fallback after a biometric authentication failure, but all that does is eliminate familiar locations as a way of sidestepping biometrics. (Apple claims you must have Significant Locations enabled to use Stolen Device Protection, but that doesn’t seem to be true, and deactivating it doesn’t turn off the theft protection feature.)
Apple lays out which actions require the hour-long security delay and a second biometric authentication. These include when you want to:
- Change your Apple ID password (Apple notes this may prevent the location of your devices from appearing on iCloud.com for a while)
- Sign out of your Apple ID
- Update Apple ID account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact)
- Add or remove Face ID or Touch ID
- Change your iPhone passcode
- Reset All Settings
- Turn off Find My
- Turn off Stolen Device Protection
The security delay may end before the hour elapses if your iPhone detects that you’ve moved to a familiar location. In other words, you can short-circuit it by going home.
The fact that turning off Stolen Device Protection requires a security delay and biometric authentication means that you should be careful to turn it off before selling, giving away, or trading in your iPhone. Once it’s out of your physical control, it won’t be possible for anyone else to reset it.
Turn on Stolen Device Protection
Turning Stolen Device Protection on is easy, and I recommend that everyone using Face ID or Touch ID do so. Go to Settings > Face ID/Touch ID & Passcode, enter your passcode, and tap Turn On Protection. (If it’s enabled, tap Turn Off Protection to remove its additional safeguards.)
Stolen Device Protection does have a handful of requirements. Apple says you must:
- Be using two-factor authentication for your Apple ID (at this point, nearly everyone is)
- Have a passcode set up for your iPhone
- Turn on Face ID or Touch ID
- Enable Find My
- Turn on Significant Locations (Settings > Privacy & Security > Location Services > System Services > Significant Locations), although this doesn’t seem to be required
Put bluntly, I can think of no good reason to avoid having all these required features enabled, anyway! With one exception, all increase your security with no privacy downside due to Apple’s careful design and end-to-end encryption. In particular, anyone who believes Apple’s biometric systems are less secure or private than a passcode is wrong and is putting themselves at risk.
The exception is Significant Locations because it displays the most recent significant location to anyone with the passcode. That makes possible—if not necessarily easy—the scenario of a thief learning your passcode, stealing your iPhone, and then going to the most recent significant location to turn off Stolen Device Protection. You would likely have more time to lock the iPhone remotely, however.
Some individuals have trouble with biometric authentication, Touch ID more so than Face ID. The inability of every iPhone user to rely on biometric authentication is one big reason why Apple made Stolen Device Protection optional. If you’re in that group, Stolen Device Protection would be problematic because it will require biometric authentication in unfamiliar locations. If you were on a trip, for instance, Stolen Device Protection and the inability to authenticate with Face ID or Touch ID would prevent you from using passwords in Keychain.
I turned on Stolen Device Protection and triggered it by turning off Significant Locations and trying to turn off various security settings. Each time, I was met with a warning dialog and a security delay. Turning the iPhone off and back on merely stopped the security delay, forcing me to restart it. When it finally expires—an hour is a long time when you’re testing!—iOS alerts you to that fact. You can then authenticate again and perform any of the previously restricted actions.
Let me leave you with one final piece of advice. It may take the criminal underworld some time before it’s common knowledge that iPhone passcode theft may no longer work, and of course, it will continue to work against those who don’t upgrade to iOS 17.3 and turn on Stolen Device Protection. So the best thing you can do to discourage possible iPhone thefts—even if they can’t ruin your digital life—is what I’ve been saying all along: Never enter your iPhone passcode in public.
I haven’t installed 17.3 yet but I did check to see if my Significant Locations was enabled, and it was. I then saw that it had accumulated 84 locations in the last two months, with only the last one (one of our favorite restaurants where we had dinner two nights ago) showing on a map. I could find no way to see the 84 locations, thus no way for me to decide if I want each of those locations to qualify as a ‘familiar location’ where Stolen Device Protection (SDP) would allow changes.
Although I think SDP is an excellent idea, there’s a possibility that it might think a location would be ‘familiar’ but where in my judgement I would want SDP to block changes. As with everything else in life, there are trade-offs. SDP goes a long way toward fixing the problem with only this minor trade-off – much better than no protection at all which is what we had before SDP.
Apple doesn’t say how significant locations are determined by the iPhone, and apart from the most recent one, there’s no way to know what locations are included. My guess, though I don’t know this, is that the number of records doesn’t equate to the number of significant locations.
I’ve been paying a bit more attention since this feature shipped, and I did get a significant location for Cornell’s Barton Hall, where I go every Tuesday to direct track workouts, and have been to twice in the last two weekends to direct track meets. That seems fair—it’s a regular stop. My house is, of course, a significant location, and I’ll bet that the Ithaca College weight room, where I go twice a week for workouts, will also qualify.
My gut feeling is that the iPhone’s significant locations will match pretty well with what we would think of as significant locations. As to whether those locations are places you’d be comfortable allowing more important security changes, there’s no way to say.
I was a bit surprised that it was possible to see the most recent significant location with just the passcode. (Face ID is required to look at it, but you can fall back on the passcode.) That feels like a small vulnerability, since a thief could steal the passcode, steal the iPhone, and then go to the last location to avoid the need for biometric authentication. It’s a much higher bar, of course, and likely provides enough time to lock the iPhone remotely, but still…
Of course, if you never enter your passcode in public, you’re still largely safe from such attacks.
Is there any way to see the whole Significant Location list? It appears to show every location where you spent more than 15 minutes or so in the last few days. For example, when I checked yesterday, it showed a restaurant that I had never been to before the previous evening. When I checked today, it showed the grocery store I shopped at yesterday. From the descriptions of how shoulder surfing theft works, I would bet that in many cases, they occur in a place listed in Significant Locations.
So, I don’t think the Significant Locations list is the right thing to use for the Stolen Device Protection. Also, in general, I’d like the ability to edit the list rather than just trash it.
It’s always been my understanding that Apple Pay does not require Internet connectivity. The phone does its part of the processing on-device (much like a contactless credit card) and the connection to the bank is via the merchant’s payment terminal.
I completely agree. If I’m a regular barfly (someone likely to be taken in my one of these criminals), then the phone may well identify my local pub as a significant location. Which undermines the entire point.
I would like to be able to manually select trusted locations (and of course, protect access to that list with the same security as your biometric IDs). For myself, this would be my home and maybe my parents’ home and my wife’s parents’ home and nowhere else, no matter how often I may go there. (I work from home full time, so no office for me).
But instead, my phone has 76 locations, of which I can only see one (my home). I have no way to review or remove individual locations. I had that ability in prior versions of iOS, but no longer.
Not any more. It used to be available, but Apple removed access for some reason known only to them. I think they got spooked when some people were reviewing the list and blogging about how Apple is tracking their whereabouts.
Which also means that you can’t edit the list. You can only clear it, which will remove actual significant locations, like home and work, making SDP really inconvenient until those locations get eventually put back on that list.
Hmm! @glennf added that in editing, so let’s see what he says.
I just had a thought, which is that despite what Apple claims, you can use Stolen Device Protection without Significant Locations enabled. In that case, as my testing implied, you always have to go through the extra authentication no matter where you are. That eliminates the vulnerability of a thief being able to go to the most recent significant location to sidestep the extra authentication.
I don’t have a sense of what other features would be hurt by the loss of Significant Locations.
That’s my mistake: you can’t get updates on transactions, of course, but using only stored information, a transaction can take place.
Weird omission for Apple, then!
Interesting. Apple doesn’t seem to document in technical support notes that Apple Pay works without an Internet connection. Other sites claim this and I’m sure it’s true. But how odd the company doesn’t mention it. I wonder if they reserve the right to change that.
Now, if you mark you phone as lost before a thief can use Apple Pay with a passcode, I wonder what happens if the phone is offline: in lost mode, “For applicable devices, payment cards and other services are suspended.” Does that mean Apple disables them over the credit/debit-card network, too?
I immediately activated SDP, but left Significant Locations off, since I find them obscure. I rarely, if ever, have to change the settings protected by SDP, and would in case take into account the hassle of the waiting period.
Do we actually know what the exact connection is between Signifiicant Locations and SDP? Has Apple anywhere mentioned anything explicit in terms of excluded locations other than home? Is this just an example (and they perhaps refrain from offering others such as work*), or is perhaps hoem the only exempted location?
*) I tested work after home. Made sure my iPhone saw me at work and then tried shutting SDP off with FaceID obscured. That triggered the 1-hr delay leading me to wonder if work is actually an exempted location.
I’ve seen no solid documentation of Significant Locations other than what we linked in the article, which is nearly content-free.
Nothing much seems to hit in the Apple Platform Security site.
https://support.apple.com/kb/index?page=search&src=support_book_welcome&locale=en_US&bookid=6eaad3fac75b6647a53c556fae333fa7&rurl=https://support.apple.com/guide/security/welcome/web&title=Apple+Platform+Security&query=Significant+Locations
This page says this:
And that’s as much detail as I have seen.
I too find the “Significant Locations” ambiguity troubling. I looked at my settings after I saw this article, and it listed my most recent trip, to my dentist office—a place I visit exactly twice a year (and only once since I purchased my present phone).
I hope Apple (a) come clean about exactly what it is doing, and (b) allow users to specify the locations they wish to exempt from protection.
Oh, and give us the same protection on iPad and Mac.
Exactly. That is also the extent of my knowledge.
I think at this point we have to conclude there is no publicly disclosed relationship between Significant Locations and SDP’s “familiar” locations. The latter are detailed only in so far as generic “home” or “work”, while the former are specific however only offering limited user-facing display in the Privacy section.
Bar new information being publicized, I feel the two location categories are being unnecessarily conflated (perhaps because so little is known about the residing of the “familiar” locations - quite possibly entirely deliberate). For all we know at this point, these two location categories are entirely separate entities with no known or implied connection.
I concur.
Until now, “significant locations” was simply a set of places where it thinks you frequently visit. I believe it is/was used for the purpose of determining if a device separated from your person (e.g. an AirTag) should be alerted if it is left in such a location. The theory being that if you’re there a lot, then it may not be an accident when you leave something there.
But, of course, the implementation is not nearly as good as the theory. Since you have no way of configuring a set of locations (you’d probably be asked to drop pins on maps to do that or type in addresses), it tries to guess. But people frequently visit places where an object left behind should definitely be considered lost - like in grocery stores and bars.
Using it as a part of a security strategy seems completely nuts to me.
Significant Locations is not used in Find My Devices. If a device is left behind in a place other than Home or Work, Find My will ping you about it. When you respond to the ping, you can mark that place as an OK place for that device or all devices (I checked this out this week when I left my iPad behind at the hotel I was staying at). The list of OK places is listed in Find My and can be edited.
I think that Significant Locations have been used as a base for making suggestions about target locations in Apple Maps. By the way, Joanna Stern’s WSJ article about SDP again refers to using Significant Locations to determine a safe place. If you subscribe to Apple News+, you can read the article here.
According to MacRumors and several other Mac sites, the beta version of iOS 17.4 includes a option to require a SDP delay always or only when away from familiar locations.
Considering nothing to that extent has been noted elsewhere and Apple certainly hasn’t said as much either that, it stands to reason that Joanna Stern might simply have gotten this one wrong and she too is conflating the old Significant Locations with the new “familiar” locations.
With regards to this part:
What does that mean if, for example, you are at an Apple authorized repair shop to get something fixed and they want you to reset your phone or turn off passcode? You have to sit around an hour first before it gets turned off?
Yeah, probably. You’d want to turn Stolen Device Protection off before taking it in. Which would be a good idea anyway if there’s a chance they’ll take the phone away for repair.
Looks like Stolen Device Protection doesn’t play well with MDM at the moment.
https://kb.vmware.com/s/article/96277
After seeing your comment and looking at your link I still don’t know. What’s MDM?
I think MDM refers to mobile device management, which allow enterprises/organisational device owners to set up profiles on and “control” the devices, such as scheduling updates.
One problem with this: if you work with your hands (or play a lot of golf like me) and your fingers are regularly getting roughed up you may not be able to get back in.
You can always get back in. You just disable SDP. At worst this takes 1 hr if you’re remote and the delay kicks in.
17.4 beta apparently has an Always option added, instead of just Significant Locations.
I’ll be using that, given the problem with the latter is social places you may frequent often including pubs, bars, etc, become “Significant Locations”, so if you’re device is stolen from there, the lockout protections won’t work.
As I say, if Touch ID doesn’t work well for you, you probably shouldn’t turn on Stolen Device Protection. But then you need to be really careful not to enter your passcode in public such that other people can see it.
No. Read @ace’s article and this thread. For all we know, there is no relationship between Significant Locations and the “familiar locations” that SDP uses to determine if it shall enforce a 1-hr delay. In fact, I took the liberty of going to one of my listed Significant Locations yesterday and sure enough, 1-hr delay imposed since this significant location was neither home nor work. You have nothing to worry about a bar showing up in your Significant Locations.
There must be some relationship. From the Apple support article entitled ‘About Stolen Device Protection for the iPhone’:
"To turn on Stolen Device Protection you must use two-factor authentication for your Apple ID and set up or enable the following on your iPhone: a device passcode; Face ID or Touch ID; Find My; and Significant Locations (Location Services)*. [emphasis added]
Note: The footnote provides the path to the Significant Location setting.
Oh heck, the reporting from some sources on this has been confusing to say the least. Never mind Apple’s lack of clarity to boot.
Except we already know that it still works if you disable Significant Locations. Clearly there is some disagreement here between what Apple has published and what is really going on. Not to mention that Apple has been very vague (perhaps intentionally so) about what actually constitutes “familiar locations”.
I’m afraid I agree. It’s about as clear as mud at this point. Considering how long it has been since Joanna Stern first started reporting about this problem, I’m a bit surprised we don’t have more clarity at this point. Granted, Apple only just launched the feature for users, but they certainly must have been thinking about it for much longer.
My guess is that iOS is using a subset of the significant locations - not just locations you go to often, but locations where you spend a high percentage of your time. That’s why home and the office are good examples - we spend a significant amount of time at these places, and most of us use our phones often there, too.
The question, I suppose, is if you are a regular at a restaurant or bar (think Cliff or Norm at Cheers) - is that also a significant location? For me, that is not a concern - I just don’t spend a great deal of time at places like that.
That said, if you go on vacation to a resort and spend a week or two weeks and have your phone stolen at the resort - will that be a significant location?
I hope that Apple clarifies this at some point.
Stolen Device Protection has gone amok. I was debugging an Apple Watch/iPhone integration problem for my wife the other day, and I needed to access her passwords. She had fallen asleep on the couch next to me (so her face wasn’t available for FaceID), and I went into Settings/Passwords expecting to use her passcode to get to the passwords — as I have done many times before (including twice since installing iOS 17.3). But instead of getting the job done, I was met with a “No you can’t, SDP won’t let you” warning (including a link to the SDP page).
We were at home. I waited a few minutes and tried again (no change). I don’t know what constitutes a “familiar” location, but we spend a lot of time at home, so if that doesn’t qualify, I don’t know what does.
I filed a bug report with Apple (assuming that does anything at all).
I am also confused what Apple thinks is a “familiar” location. I have been traveling and the last signification location from over a week ago is an airport I spent an hour in. Most troubling is that now I am at home and Home is not considered a familiar location by SDP. How can I make sure Home is recognized as “familiar” location when my phone spends most of it’s time there (being retired)?
It seems pretty clear that the whole Significant Locations part of Stolen Device Protection is a little wonky. I wouldn’t stress about it for now, and it will be somewhat different in iOS 17.4. In the meantime, you can either turn it off or just deal with a delay if you perform one of the rather uncommon actions that it protects.
ApplePay security works (among other things) by setting up a shared key Time-based code with the bank and your device. Disabling the card in Apple Pay using iCloud.com or the like is disabling that key at the bank end. Your device will learn about it when online, but the network connection is not required and the formerly valid code provided by your offline device will not be accepted by the bank.
You can disable find my through iCloud.com without the delay, is my understanding.
This sounds right but I did read an anecdote on Reddit this week where someone reported going in to an Apple Store for a battery repair but couldn’t disable find my without a one hour delay. The store rescheduled for later that day.
It’s perhaps unsurprising that the store employees hadn’t been told about using iCloud.com to remove the device so soon after the feature was added, if that is a solution.
How do you do that?
The instructions are here; see “Turn off Activation Lock on a device”.
I believe that this would erase the device and then remove it from your list of devices and make it available to be activated by someone else, which I am pretty sure is one of the requirements Apple has when you trade it in or bring it in for repair.
You’d likely need to do this from a device other than the phone, though. A simple log in to iCloud.com on a borrowed device should work. Of course if you have another Mac or iPad or iPhone (without stolen device protection enabled) you’d be able to do so there, in the Apple ID settings in the Settings app. Or, of course, wait an hour on the iPhone with stolen device protection turned on.
It’s now almost April and still I have no luck in switching SDP off or changing the secure code being at home without a one hour delay.
I have checked all setups on the iPhone and in various apps being mentioned in multiple messages to no avail.
Pretty waste of time so far.
Huh! That seems very odd. Might be worth calling Apple Support.