The Wall Street Journal has the scoop on a new unannounced iPhone security feature debuting in iOS 17.3. Called Stolen Device Protection, it’s a new setting that makes it more difficult to make major changes to your Apple ID and digital life using only your iPhone’s passcode. The feature comes after a WSJ report earlier this year highlighted how thieves would watch users enter their six-digit iPhone passcode before stealing the phone and then use that passcode to lock the users out of their Apple ID, view their passwords, apply for an Apple Card, send money, and more.
The basic idea is simple: with Stolen Device Protection activated, your iPhone will require biometric identification (Face ID or Touch ID) to perform many actions—your iPhone passcode will no longer serve as a fallback for most of them. In addition, some of the most sensitive operations (like changing your Apple ID password) will require a one-hour wait followed by additional biometric authentication. That delay won’t apply when the phone is at a familiar location, like your home or work.
How to enable Stolen Device Protection
Enabling or disabling this feature is easy. It first appeared in the iOS 17.3 beta, so the procedure may change before release. Just open Settings, tap Face ID & Passcode (it might say Touch ID & Passcode) and scroll down to find Stolen Device Protection.
How Stolen Device Protection Works
When you have Stolen Device Protection disabled, your iPhone’s six-digit passkey can be used to do all sorts of things, like change your Apple ID password, create a recovery key, turn off lost mode, transfer settings to a new device, disable Find My, access your saved Keychain passwords, and more.
This is a big problem. If a would-be thief watches you enter your passcode, they can steal your iPhone and effectively lock you out of it. With your passcode they can turn off Find My so you can’t find them, lock you out of your Apple ID so you can’t use iCloud to disable your phone, and log into all sorts of accounts for which you have your password saved.
When you enable the feature, your iPhone passcode will no longer work as a fallback for biometric authentication for some features. You’ll have to use Face ID or Touch ID to perform the following actions:
- Access iCloud Keychain passwords
- Apply for a new Apple Card
- Erase all content and settings
- Turn off Lost Mode
- Sending people money with Apple Cash
- Use your iPhone to set up a new device
- Use payment methods saved in Safari
That’s not all. Some of the most sensitive and important operations will require Face ID or Touch ID authentication, followed by a one-hour delay, then another Face ID or Touch ID authentication. The one-hour delay and re-authentication would not apply if your iPhone is at a trusted location like your home or work, but you still need more than your passcode to perform the following actions:
- Change your Apple ID password
- Enable recovery key
- Change your trusted phone number or contact
- Add Face ID or Touch ID
- Remove Face ID or Touch ID
- Disable Find My
- Turn off Stolen Device Protection
Bear in mind that this new feature does not prevent a thief from unlocking your iPhone, and it could still access any app that isn’t protected by its own password. The thief could also open your email, which means that any account whose password could be reset with just a confirmation email is vulnerable.
It’s not a foolproof way to stop iPhone thieves from messing with your life. But it makes it a lot harder to get away with it, especially since it prevents them from locking you out of your Apple ID or disabling Find My–it will be much easier to locate or at least remotely erase.