Apple released iOS 17.3 this week, and one of the new security features is Stolen Device Protection. This feature, when enabled, prevents potential thieves from changing your Apple ID and critical security features on your iPhone. Here’s how Stolen Device Protection works, and how to enable it.
Why is a feature like Stolen Device Protection needed?
Criminals often try to look over someone’s shoulder as they enter their passcode on a device. This action, called shoulder surfing, is common at ATMs, where criminals try to see the PINs that people enter. Shoulder surfing is becoming an increasingly worrisome threat for smartphone users.
Using a device with biometric identification (such as Apple’s Touch ID or Face ID) means that normally you don’t need to enter your iPhone passcode. However, there are still situations where you may need to do so. For example, Touch ID may not work for you, such as when your hands are sweaty, or your iPhone may require that you enter the passcode for other reasons, such as after restarting the phone. In addition, as Apple says, if “You haven’t unlocked your iPhone with the passcode in the last 6.5 days, and you haven’t unlocked it with Face ID or Touch ID in the last 4 hours,” then you’ll be required to enter your passcode. In practice, I see these requests occasionally, even if I’ve recently been using my iPhone, so there is another timer that kicks in as well.
One scenario that thieves use is to pick up an iPhone and press and hold the power button and one of the volume buttons for a few seconds to trigger Emergency SOS mode. Pressing the power button again dismisses the Emergency SOS screen, and the next time the user wants to access the phone, they are met with a passcode request. The thief watches over the person’s shoulder, and then later steals the phone.
What does Stolen Device Protection do?
As seen in this article, once someone can access your iPhone, they can change your Apple ID password, locking you out of your account entirely. You won’t even be able to use Find My to put the device in lost mode. Stolen Device Protection prevents this by limiting the locations where certain actions can be taken on the phone. If your iPhone is not in a familiar location, the following actions require biometric authentication and cannot be performed with just a passcode:
- Use passwords or passkeys saved in Keychain
- Auto-fill payment methods in Safari
- Turn off Lost Mode
- Erase all content and settings
- Apply for a new Apple Card
- View Apple Card virtual card number
- Take certain Apple Cash and Savings actions in Wallet
- Use your iPhone to set up a new device (using Quick Start)
For other actions, Stolen Device Protection adds a security delay if your iPhone is not in a familiar location. You authenticate using Touch ID or Face ID, then you must wait one hour before you can:
- Change your Apple ID password
- Sign out of your Apple ID
- Update Apple ID account security settings (such as adding or removing a trusted device, Recovery Key or Recovery Contact)
- Add or remove Face ID or Touch ID
- Change your iPhone passcode
- Reset All Settings
- Turn off Find My
- Turn off Stolen Device Protection
This one-hour delay should be enough for you to mark your iPhone as lost if it is physically stolen from you. You can use the Find My app on another device you own, or on someone else’s device to do this; see this article for more on using the Find My app.
How to enable Stolen Device Protection
To enable Stolen Device Protection, you must have two-factor authentication enabled for your Apple ID, your iPhone must have a passcode, Face ID or Touch ID, and Find My must be turned on. You must also turn on Significant Locations, and this setting is hard to find. Go to Settings > Locations > Location Services. Scroll down to the bottom of the list and tap System Services, then scroll down and tap Significant Locations. Toggle this on, if it isn’t already. You’ll see some familiar locations listed, such as your home or your work, and perhaps other locations you visit often.
To enable Stolen Device Protection, go to Settings > Face ID / Touch ID & Passcode, then scroll down to the Stolen Device Protection section and tap Turn On Protection.
Stolen Device Protection has its caveats
The only weakness of Stolen Device Protection is that it is not active in familiar locations. If someone gets your passcode and tries to make changes to your iPhone at your home, at work, or at other locations you visit often, they won’t be prevented from doing so. You should always be careful not to enter your iPhone’s passcode when anyone can see you do so, and use some of the tips at the end of this article to create a more secure passcode, in case someone manages to see some parts of the passcode but not all of it.
If someone gets access to your iPhone with your passcode, they may not be able to make changes to your Apple account, but they may be able to access other accounts. They could go to some of your online accounts and say that they forgot the password. The sites will send the new password to your email address, which the thieves could access on your iPhone. They could then potentially access the accounts, make purchases, access your social media history, and more.
There’s one scenario where the security delay could pose a problem. I’ve traded in old iPhones at Apple Stores, and they have you turn off Find My and then erase the phone. If you need to do this, you will have to turn off Stolen Device Protection before proceeding. But if the Apple Store is not a familiar location, you’ll have to wait one hour after your first attempt to do so. It would be advisable, if you plan to trade in or sell your iPhone, to turn off Stolen Device Protection at home or at work before you leave to go to an Apple Store or another location. (Unless Apple treats their retail stores as familiar locations.)
So, should you turn on Stolen Device Protection? Yes, it’s probably a good idea. It’s easy to do so, and there are few downsides.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.