Joanna Stern’s recent WSJ report showed how thieves can change a user’s iCloud password with the phone and passcode only. In most cases, this permanently locks the user out of the account, meaning they lose access to years/decades of photos, notes and other irreplaceables.
One of the tips to arise immediately is to use an alphanumeric passcode rather than a short numbers-only code. But if a thief shoulder surfs your alphanumeric passcode - or records it on a phone to playback later - that doesn’t help.
It turns out the steps below don’t prevent account changes – thieves can still go through a password reset flow even if you follow step 5.
I’m leaving these instructions because these steps may thwart thieves who don’t understand why the account is greyed out.
It turns out you can use the Screen Time feature in iOS to
prevent account changes make it seem that account changes aren’t possible. Here’s how:
- Settings > Screen Time > Content & Privacy Restrictions
- Enable the Content & Privacy Restrictions at the top of this page, and change the Account Changes option to Don’t Allow
- Go back to Screen Time and select Use Screen Time Passcode
- Enter a different code to your phone’s main passcode
- When you’re presented with the Screen Time Passcode Recovery screen, select Cancel then Skip
- When you return to the Settings page, your account section (with profile picture) should be greyed out and not selectable.
To change these settings in future, enable Account Changes in Screen Time (same steps as above). Don’t forget to disallow Account Changes again when you’re finished.
Following these steps should stop a thief changing your iCloud password. Even if they have your phone and passcode, they won’t be able to make account changes unless they also have your Screen Time Passcode (which they won’t).