There’s a new feature heading to iOS 17.3 after the New Year that will make it harder for someone to shoulder-surf your passcode and change your Apple ID on you. This is directly aimed at the vulnerability Joanna Stern wrote about in the Wall Street Journal. The new feature will require Face ID to get to saved passwords, and changing your Apple ID password will be subject to a security delay unless you do it from a familiar location, like home or work.
You’ll need to turn it on when it ships, but my initial take is that it seems like the right balance of security and convenience. I doubt we’ll see 17.3 before February.
Several MacSparky Labs members have asked about my thoughts on Apple devices and the risks of shoulder surfing, where someone looks over your shoulder and steals your passcode. I do, indeed, have thoughts. Here you go…
Malicious email is not comically dumb any more. One malicious strain, called Emotet, appears to come from a known contact and looks as if it is replying to an existing thread. If you click on the links or attachments, you are done for. Dan Goodin at Ars Technica breaks it down.
For me, if it has an embedded link or an attachment, I assume it is malicious until proven otherwise. This is particularly true from financial institution-related or account-related email. I’ve managed to avoid trouble because of constant vigilance. I wonder how many people out there have been compromised and don’t even realize it.
1Password announced on their blog that they’ll be incorporating passkeys into their app by summer. Passkey is a great technology and will help many folks be more secure on the Internet. I love that 1Password is early to the game. My question is about the app name. If you start using it, will you call it “NoPassword” instead of “1Password”?
End-to-end encryption means your data can’t be viewed on the server in these categories (if you opt in). Put simply, Apple will no longer be able to see the above categories of data. If Apple gets hacked in the future, the bad guys can’t see your data either.
Apple has very publicly stated an interest in protecting user privacy. I believe them. What is impressive about this is how they’ve added the encryption at Apple’s user-base scale. That can’t be easy.
At this point, it’s opt-in. You must go into the iCloud settings and click on Advance Data Protection. I will be opting in. Advanced Data Protection is in the latest iOS 16.2 beta. It will be available to all U.S. customers by the end of the year and rolling out to the world in early 2023.
One note of caution, however, is that this means if you ever lose passwords, the data is gone. Apple can’t help you. So get your password security sorted out before you push the button.
Craig Federighi did an interview with Joanna Stern on these updates. She did a great job explaining end-to-end encryption in the process.
With Apple’s latest round of updates, we’ve got a new password feature that lets your computer manage passwords for you in the background. There are a lot of advantages to this new “Passkey” system. (Here’s Apple’s explainer.) It isn’t dependent on user-generated passwords. It’ll guarantee people use different passwords for different sites. It will also help you avoid phishing attacks because it won’t work on spoofed websites. This comes at the cost of some loss of control, but third parties are already working on that (like 1Password in this video).
I’m curious, however, as to when Passkey websites will start showing up. So far, I’ve seen none. For this to work, websites must adopt some new backend technologies, and everyone is now waiting for that to happen. Are website developers untrusting of the new technology? Do they want to see others figure it out first? Do they need the budget for these changes? I expect it is all of the above. I’ve been asking about it for MacSparky.com with some of my platform providers, and I’m told to cool my jets. I sure hope this all gets sorted out. It will help web security for a lot of people once it gets rolling.
Hackers managed to grab names, account details, and telephone numbers from 553 million Facebook users, and now they’ve published all that data on the web. Yikes. I’m shocked at the scope but not the source.
If you have a Facebook account, now is the time to be on alert for scammy phone calls from people who will try and social engineer their way into your credit card numbers and bank accounts. There is already a scam where they call and claim to be the IRS and need “immediate payment to avoid criminal prosecution”. I’m sure they’ll come up with even more dreadful ways to abuse this treasure trove of data.
I continue to dig my Eufy security cameras. However, one issue I have is the camera that looks down at my driveway and the front of my house. It’s a battery camera, and I have to get out a ladder to pull it down and charge every so often.
It was getting just tedious enough for me to consider running a dedicated electric line through the garage when I saw that Eufy now makes a solar charger for their cameras. I ordered one, and it has been running for six weeks. The camera is now always fully charged, and my ladder has not moved.
We’re getting closer to the release of iOS 14.5, and it’s adding a feature that Apple Watch owners are going to dig. Specifically, if you are wearing a face mask and an Apple Watch, you’ll still be able to unlock your iPhone without using a passcode.
Once you turn the feature on, the iPhone has some new unlock logic:
Is the user wearing a face mask? No – Go to the usual Face ID unlock. Yes – Go to step 2.
Does the user have a connected, unlocked Apple Watch very close to the phone? Yes – Unlock. No – Go to the passcode unlock.
So, if you are wearing a face mask and you have an unlocked Apple Watch in very close proximity (less than 1 meter) to your phone, you get an unlock. In that event, you also get a prompt on your wrist letting you lock the phone back up. Interestingly, that step 1 looks for any person with a face mask. It doesn’t try to figure out if it is specifically you wearing a face mask. John Gruber did all the research on the beta build and reports in further detail.
I plan on turning this feature on once the update ships. I am so tired of tapping in my passcode when using my phone while masked.