item 46936526

Stop Using Face ID

76 points | speckx | 1 month ago | pcmag.com

45 comments

[+] eddyg|1 month ago|reply
The iPhone automatically goes into BFU (Before First Unlock) after 72 hours of inactivity (it actually reboots the phone). This can’t be disabled.

In addition, there are additional restrictions where your passcode will be required. For example, if the passcode has not been used to unlock the device in the last six days and Face ID has not unlocked the device in the last eight hours, then you must use a passcode to access the device (in other words, biometric unlock is automatically disabled).

If you've ever wondered why you've had to enter your passcode after a good night's sleep and haven't entered your passcode recently, that's probably why!

Given these built-in precautions, a click-bait headline like this is a bit excessive for most people.
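The two timers described in this comment, modelled as an added example (not Apple's code; the thresholds are taken from the comment, the boundary handling and the constructed timeline are assumptions):

```python
from datetime import datetime, timedelta

# Thresholds as stated in the comment above (iOS behaviour modelled here, not Apple code).
INACTIVITY_REBOOT = timedelta(hours=72)  # 72 h idle -> reboot into BFU
PASSCODE_STALE = timedelta(days=6)       # passcode not used for 6 days ...
BIOMETRIC_STALE = timedelta(hours=8)     # ... and Face ID not used for 8 h

def unlock_requirement(now, last_passcode, last_biometric, last_activity):
    """Which unlock path the policy permits at `now`.
    Boundary times are treated as already stale (an assumption of this model)."""
    if now - last_activity >= INACTIVITY_REBOOT:
        return "bfu_passcode_only"
    if (now - last_passcode >= PASSCODE_STALE
            and now - last_biometric >= BIOMETRIC_STALE):
        return "passcode_required"
    return "biometric_allowed"

def simulate(start, events):
    """Replay (hours_after_start, action) pairs, action in {'face', 'passcode'}.
    The device is assumed to have just been passcode-unlocked at `start`.
    Returns (hours, action, requirement, accepted) for every attempt."""
    last_passcode = last_biometric = last_activity = start
    log = []
    for hours, action in events:
        now = start + timedelta(hours=hours)
        req = unlock_requirement(now, last_passcode, last_biometric, last_activity)
        if action == "passcode":
            accepted = True
            last_passcode = now
        else:
            accepted = req == "biometric_allowed"  # Face ID is refused otherwise
            if accepted:
                last_biometric = now
        if accepted:
            last_activity = now  # only a successful unlock counts as activity
        log.append((hours, action, req, accepted))
    return log

# Constructed timeline: Face ID twice a day for six days (the "good night's
# sleep" case), then a passcode unlock, then a three-day gap that trips the
# inactivity reboot.
START = datetime(2025, 1, 1, 9, 0)
EVENTS = [(h, "face") for h in range(12, 145, 12)] + [
    (145, "passcode"), (147, "face"), (222, "face"), (223, "passcode")]

def run_demo():
    return simulate(START, EVENTS)

if __name__ == "__main__":
    for hours, action, req, ok in run_demo():
        print(f"t+{hours:>4}h {action:8} policy={req:18} accepted={ok}")
```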

[+] gruez|1 month ago|reply
>The iPhone automatically goes into BFU (Before First Unlock) after 72 hours of inactivity (it actually reboots the phone). This can’t be disabled.

But if the threat is from law enforcement, as the beginning of the article implies, how does that help? They just have to scan your face with your phone when they seize it, and slurp up all the data they want.

>In addition, there are additional restrictions where your passcode will be required. For example, if the passcode has not been used to unlock the device in the last six days and Face ID has not unlocked the device in the last eight hours, then you must use a passcode to access the device (in other words, biometric unlock is automatically disabled).

The conditions for triggering this are so unreliable that it probably exists more to prevent people from forgetting their PINs than to meaningfully increase security.

[+] runjake|1 month ago|reply
If you have Face ID enabled, you can put your iPhone in hard-lock mode and require a passcode by pressing and holding the side (aka power) button and either of the volume buttons for a couple seconds.

It will pop up an emergency screen, but just tap the power button once more to cancel it.

I'm fortunate to be in a position where I don't attract negative attention from law enforcement, but this is still muscle memory to me.

Edit: You can also do the same thing by quickly pressing the side button alone five times.

Edit 2: mcc1ane beat me while I was editing!

[+] telotortium|1 month ago|reply
Both of these methods have an undesirable side effect for me, which is that it immediately pops up the passcode dialog saying that a passcode is required to activate Face ID. Depending on the situation, that could be construed as an attempt to actively interfere with a police investigation, which could bring consequences of its own. It would be better if it silently dropped you to the normal lock screen, and only showed the passcode dialog when you attempt to unlock the phone normally.

Another thing I've often wished for with kids is a mode that removes all notifications and widgets from the lock screen - the only things you should be able to do is to unlock the phone and emergency calls. You can remove most notifications with the right Focus, but not notifications to control playing music/video apps, for example, nor any other widgets you happen to put on your lock screen.

[+] mcc1ane|1 month ago|reply
or 5 times the lock (power) button only
[+] 63stack|29 days ago|reply
Note: do not try the "click the side buttons a few times" on Pixels. It starts an emergency alarm and you have 5 seconds to cancel before it starts reaching out to your emergency contacts. I almost pissed myself in bed.
[+] samename|1 month ago|reply
How many times do you unlock your phone a day? For some people it’s over 100 times a day. Face ID is convenient, useful and secure. The alternative? People will use short numeric passcodes that are easy to bypass with devices like Cellebrite.

Instead, we should push for laws and protections around our private devices. The 4th Amendment actually protects our personal effects and imo this biometric loophole is illegal.

As the other commenter pointed out, in the meantime, practice how to quickly lock your phone - and better yet, when in dangerous situations, leave it behind or turn it off.

[+] willio58|1 month ago|reply
Does anyone know how devices like Cellebrite work? Like high level I assume it taps the numbers and has some algorithm that prioritizes common passcode patterns.

But how does it not get locked out the same way we do when we fail our passcode 5+ times in a row? Is it just super easy to get around that exponential lock-out for iOS?

[+] autoexec|1 month ago|reply
Stop using biometrics generally.
[+] nathanaldensr|1 month ago|reply
This is the advice I give to everyone who comes to me for digital security advice. I let them know that building habits of using lengthy PINs (my own personal PIN is far more than four or six digits) takes some time to get used to but makes them immune to device seizure followed by law enforcement-compelled or court-ordered biometric unlock (this is specific to US law).
[+] gruez|1 month ago|reply
No, because for most people, the alternative to "no biometrics" isn't "secure password/PIN", it's a weak password (e.g. 1234 or the S pattern that half the people with a pattern lock use) because the ergonomics of a secure password are terrible.
[+] RandomGerm4n|29 days ago|reply
I don't understand why Apple and Google don't just use biometrics as a second factor, like GrapheneOS does. When you first start up, you have to enter your real long and complicated password, and then every time you unlock it after that, a short PIN + your fingerprint is enough. If you enter the PIN incorrectly too many times or hold your finger on it at the wrong angle, it locks and you have to use the real password. There is also a duress password. If you enter this instead of the real PIN, all data is deleted. This means that even if someone threatens you and tries to force you to cooperate, you can prevent the device from being unlocked.
[+] SpecialistK|1 month ago|reply
I've been thinking about this recently and I disagree. Keep biometrics and know how to disable them quickly (usually 5x power button).

I think the most likely case where you'll be compelled to hand over your device is an airport immigration desk / room. And what do airports have? Lots and lots of CCTV. From the moment you step off the plane or jetway into the terminal there are cameras everywhere. Enter your PIN once in view of those cameras and it's on record for forensics to pick up.

I actually hate when my phone requires me to enter my PIN in public because I have to angle it away from cameras and eyes like I'm looking at smut.

[+] ziml77|29 days ago|reply
The worst for me is when I am prompted to re-enter my password manager's master password. Trying to keep that out of view while entering all those characters is difficult and nerve wracking.
[+] JackGreyhat|29 days ago|reply
That's why some PIN screen implementations have PIN screen scrambling. It can defeat shoulder surfing.
[+] csense|1 month ago|reply
Nobody should use biometric ID systems. Resetting my password requires plastic surgery? No thanks.

Involuntary compliance [1], false positives and false negatives are all big, unsolvable problems with biometrics.

[1] To some extent, all authentication systems are vulnerable to legitimate users acting under coercion. https://xkcd.com/538/

Biometric systems take the choice of compliance away from the user: they can physically force you to unlock your phone. With a password you have a choice not to comply even in coercive scenarios; you have the option to say "I'm willing to die from getting hit with the wrench before I'll give up the password."

[+] jiggawatts|1 month ago|reply
To me this article is “meta” and tells a very different story: “America is an authoritarian hellhole where trivial matters such as how you lock your phone can put you in real danger. Not from gangs, but from the government.”

I went to the US on holidays recently and several people sat me down before I left to give me a very serious talk warning me about the police being deadly dangerous to anyone that doesn’t behave “just right”. You know: show your hands, don’t reach for things unless prompted, that kind of thing that I just don’t have to worry about over here — where “here” is most of the rest of the Planet.

The last time I felt like this — that I had to worry about the police as a law-abiding citizen — was in a communist country behind the Iron Curtain.

You’ve all managed to turn the “land of the free” into a copy of the enemy you made fun of.

I guess Trump is right: the US and Russia should be friends. You’re more similar than different.