A friend’s iPhone was stolen while travelling in the UK. The thieves watched him enter his passcode — then used it to take over his Face ID, drain his bank accounts, and destroy his digital identity. This is a wake-up call for every iPhone and Android user.
When we think about phone security, we imagine hackers, malware, and sophisticated cyberattacks. But the most dangerous threat to your digital life might be much simpler: someone watching you tap in your passcode.
My friend learned this the hard way during a trip to the United Kingdom. His iPhone was pickpocketed on the London Underground. Within minutes, the thieves had everything they needed — because they had watched him enter his passcode before stealing the phone.
This could easily happen to any one of us.
The Passcode Problem: Why Face ID Isn’t Enough
Face ID revolutionized smartphone security. It feels magical — just glance at your phone and it’s unlocked. But this convenience comes with a critical vulnerability that Apple has quietly acknowledged.
When someone steals your iPhone and knows your passcode, they can:
- Change your Face ID to their face
- Access all your passwords stored in iCloud Keychain
- Drain your bank accounts through banking apps
- Change your Apple Account password and lock you out completely
- Access your credit cards saved in Apple Pay
The passcode becomes the master key to everything — and if someone watched you enter it, they have complete control.
Apple’s Solution: Stolen Device Protection
Apple introduced Stolen Device Protection in iOS 17.3 as a direct response to this type of attack. This feature adds critical security measures that prevent thieves from making destructive changes to your device, even if they know your passcode.
Key Protections Include:
1. Biometric-Only Authentication for Critical Actions
Some actions require Face ID or Touch ID — with no passcode fallback. This means:
- Accessing saved passwords in Keychain
- Using payment methods saved in Safari AutoFill
- Opening locked apps
- Turning off Lost Mode
2. Security Delay for Account Changes
If your iPhone is away from familiar locations, certain changes require you to:
- Wait one hour
- Then authenticate again with Face ID or Touch ID
This gives you time to locate your device and protect your account before critical settings can be changed.
What Actions Require the Security Delay?
When your iPhone is not in a familiar location, you must wait and re-authenticate to:
- Change your Apple Account password
- Sign out of your Apple Account
- Add or remove Face ID or Touch ID
- Change your passcode
- Reset All Settings
- Turn off Stolen Device Protection
Enable Stolen Device Protection today: Apple’s official Stolen Device Protection documentation
Extra Protection: Lock Face ID with Screen Time
Here’s an additional layer of security that many iPhone users don’t know about: you can lock your Face ID & Passcode settings behind a separate Screen Time passcode.
This means even if someone steals your phone and learns your device passcode, they cannot change your Face ID or passcode without also knowing your Screen Time passcode.
How to Set Up Screen Time Protection for Face ID:
- Open Settings on your iPhone
- Tap Screen Time
- Tap Content & Privacy Restrictions
- Enter a Screen Time passcode (choose a DIFFERENT passcode from your device passcode)
- Turn on Content & Privacy Restrictions
- Scroll down to “Allow Changes to”
- Tap “Passcode & Face ID”
- Select “Don’t Allow”
Once enabled, anyone trying to add, remove, or change Face ID or your passcode will be blocked — they must enter the Screen Time passcode first.
Important:
- Choose a Screen Time passcode that’s DIFFERENT from your device passcode
- Write down your Screen Time passcode and store it somewhere safe (like a password manager)
- This passcode is SEPARATE from your device passcode — it’s an extra layer of protection
This additional protection is documented in Apple’s Screen Time and Content & Privacy Restrictions settings.
Why This Matters
With Stolen Device Protection and Screen Time restrictions enabled together:
- A thief needs your device passcode AND your Screen Time passcode to change biometrics
- Even with your passcode, they can’t add their own Face ID to your phone
- Your Apple Account remains protected from unauthorized changes
- Your saved passwords and payment methods stay locked behind Face ID
What About Android Users?
Android has its own answer: Theft Protection. Introduced in Android 15, this suite of features addresses similar vulnerabilities.
Android Theft Protection Features:
1. Theft Detection Lock
Uses AI and motion sensors to detect if someone unexpectedly takes your phone and runs away. The screen automatically locks to protect your data.
2. Offline Device Lock
If your phone goes offline, it automatically locks the screen after a short period — preventing thieves from using it without your credentials.
3. Failed Authentication Lock
After repeated failed unlock attempts, your device automatically locks.
How to Enable Android Theft Protection:
- Open Settings
- Tap Google → All services
- Under “Personal & device safety,” tap Theft protection
- Toggle on Theft Detection Lock, Offline Device Lock, and Failed Authentication Lock
Important: For critical actions like changing biometrics or turning off theft protection, Android requires you to enter your PIN, pattern, or password. This prevents thieves from removing security features even with physical access to your device.
Additional Security Measures Everyone Should Take
1. Use a Strong, Unique Passcode
Avoid obvious combinations like 123456 or your birthday. Use a six-digit minimum, or better yet, an alphanumeric passcode.
2. Enable Find My iPhone
This allows you to locate, lock, or erase your device remotely. It also prevents thieves from turning off Find My without your Apple Account credentials.
3. Regularly Check Your Apple Account
Review trusted devices and recent activity in your Apple Account settings. If you see unfamiliar devices, remove them immediately.
4. Use a Privacy Screen Protector
Especially when travelling, a privacy screen makes it harder for someone to observe your passcode entry or read sensitive information on your phone in public places.
5. Never Share Your Passcode
Be mindful of who can see you enter your passcode. Thieves often work in pairs — one distracts while another watches.
The Bottom Line
Face ID and fingerprint sensors make our lives easier, but they aren’t foolproof against physical theft. The moment someone steals your phone and watches you enter your passcode, they have everything they need to take over your digital identity.
Apple’s Stolen Device Protection and Android’s Theft Protection are essential tools — but they only work if you enable them before something happens.
Don’t wait until it’s too late. Take five minutes today to check your security settings:
- Enable Stolen Device Protection (Settings → Face ID & Passcode → Stolen Device Protection)
- Set up Screen Time restrictions to lock Face ID changes behind a separate passcode
- Your bank accounts, photos, passwords, and entire digital life depend on it
The thief who stole my friend’s phone was able to access sensitive information within seconds of access. They didn’t need sophisticated hacking skills. They just needed eyes — and a phone full of your personal data.
Don’t become the next victim.
Stay vigilant, stay secure, and share this article with someone who might need this warning. Also consider browsing the available privacy screens you can find on Amazon to prevent prying eyes.
