Apple’s Weak Passcode Protection for Apple ID
I’ve often written the following sentiment: “The Apple ID is the pivot point around which Apple’s services and systems rotate.” Apple created a single, unified ID—with an unfortunate amount of legacy baggage from previous systems—to identify you uniquely across your devices and services, provide authentication, and manage delivery of data, including via iCloud.
Apple offers layers of protection for your ID. At one point, you could protect it with a password. For several years, however, Apple has more or less required all accounts to use two-factor authentication (2FA), where a code is sent to a device registered to the same Apple ID account or a phone number verified for that account to ensure that a login is really you. In January, Apple upgraded Apple ID security to allow the use of hardware security keys, another significant improvement. (You can read about how to use these keys in two recently updated books by yours truly: Take Control of Your Apple ID and Take Control of iOS & iPadOS Privacy and Security.)
But Apple has done a Monty Burns with Apple ID, something explored in a slightly sensationalized article in the Wall Street Journal (Apple News link) a couple of weeks ago, which nonetheless has great takeaways.
If an unwanted party gets ahold of your iPhone passcode and your iPhone, they can already wreak havoc on your life. They can request password changes for financial accounts, receive text-based second-factor login confirmations, and potentially use the phone to purge iCloud data. But the reporters of that article, Joanna Stern and Nicole Nguyen, exposed a further problem: Apple relies on mobile passcodes as a shortcut to gaining full access to an Apple ID account. That provides even more exposure and risk, allowing a thief to cut you off completely from your digital life on all your devices, delete your data, and quite effectively take over your digital identity and beyond. With your Apple ID account password reset, they can also disable Find My, which prevents remote erasure or locking and disables Activation Lock, allowing them to easily resell the iPhone.
If you’ve ever taken a picture of an ID card and it’s in your iCloud Photos library, criminals can perform text-based searches with Live Text and find matches to ID-based data. You’re not alone in taking these pictures for convenience or for record-keeping. Even Chinese government spies can forget about it:
Like so many of us, he had taken pictures of important documents using his iPhone — his national ID card, pay stubs, his health insurance card, an application for vacation — which is how they ended up in his iCloud account…
The reporters also noted—something I found as well in testing—that if you add hardware security keys to your Apple ID account, you can simply remove hardware security key authentication entirely without using a hardware key registered with the account. If you want to add or remove a key, you do have to have another key to confirm that action. But removing all keys and reverting to code-based two-factor verification doesn’t require a hardware key at all. Bizarre.
The sensationalized part of the article is that the authors focus on theft and assaults, even though the statistics they present make it seem as though passcode extraction is perhaps a small percentage of all iPhone thefts or criminal assault or battery involving stealing an iPhone. (A former NYPD detective said these “sorts of crimes” happened “hundreds of times” over two years. “Sorts” implies that they don’t all involve passcode theft, and 100 or so every year in America’s biggest city doesn’t seem like an epidemic.)
Thieves may work in pairs, one shoulder surfing to watch you tap in your passcode, then another snatching your iPhone; or a thief might use a camera to record you entering your code from a distance and then pickpocket or grab your phone later. The story also notes that iPhone passcode or biometric access has been an issue in bar-related druggings and in violent thefts. (An iPad can also be stolen and used to crack your Apple ID account open, but iPads typically don’t receive SMSes directly and aren’t typically used in bars, one of the main theft vectors discussed.)
It’s possible the above happens a few thousand times a year in the United States, but passcode theft is clearly a subset of the hundreds of thousands of smartphones stolen each year, only some of which are iPhones. I don’t want to downplay the impact of the above, either. The likelihood is the real issue—if you don’t go out to bars and nobody assaults you, this kind of theft is extraordinarily unlikely to occur. However, contrariwise, if you do go out to bars or are mugged, the criminal is the party responsible, not you!
Apple needs to change its Apple ID access pathway to remove this vector of physical theft or attack. Putting a little more friction in wouldn’t be a terrible thing and wouldn’t be that painful for the vast majority of its users, who rarely need to access an Apple ID account except when setting up a device or using iCloud.com.
You can improve your security profile by setting a longer passcode (an alphanumeric one is better) that can’t be easily spotted over your shoulder; taking care when entering your passcode in public; using Face ID and Touch ID whenever possible; and removing any identity cards from your iCloud Photos library—a good security move in any case, even if you’re not a spy.