This is a great step, but I really hope Apple also change their position on no longer allowing users to provide a high-entropy passphrase to unlock all of this end-to-end encrypted data.
As it is, my iPhone unlock PIN is everything that's needed to decrypt the data server-side [1], and I'm not changing to an alphanumeric password on my phone only because of that.
[1] https://support.apple.com/en-us/HT204915 ("You might also be asked to enter the passcode of one of your devices to access any end-to-end encrypted content stored in iCloud.")
You are not limited by 6-digit passcodes only, you can also
“…Or tap Passcode Options to switch to a four-digit numeric code, a custom numeric code or a custom alphanumeric code.” which is on their support web site[1]
Yes, but then I need to enter a custom alphanumeric password every time I unlock my phone or tablet.
I want to be asked for it if and only if I grant a new device access to my end-to-end encrypted iCloud data.
I don't think this is an absurd demand. WhatsApp supports this security model, for example. Even Apple used to, before they forced every iCloud keychain user to switch to their HSM-based model!
Do you not use FaceID or TouchID or unlock with the Watch?
I switched my pin to alphanumeric because I’m not putting it in every time I pick up my phone. I can live with the inconvenience of putting the passcode in every couple of days or so.
I just want to second this. I use a long alphanumeric password to unlock my iPhone plus FaceID.
I enter the password at most a few times a week after reboots and if someone plays with the phone and gets FaceID to fail too many times. It’s not annoying at all to unlock with the keyboard rarely.
Lately I've found FaceID can't handle my 'first thing in the morning and haven't had my coffee' face. I'm not sure if it's me or if Apple updated the algorithm.
If you haven’t already, I would nuke and pave the facial recognition. Haven’t faced anything like that since TouchID but that would be a red flag to me that the recognition data set is betraying me.
I see what you're asking for, but I don't think Apple would ever do it. A passphrase that is only used once every few years is a recipe for endless support calls.
Then hide it behind an option deep in the settings, and label it "only for advanced users, and if you lose it, all your data will forever be gone".
Apple even had this exact setting in the past! And they still have a similar thing for Mac disk encryption (the default is iCloud escrow, but a local-only recovery passphrase is also an option).
I’ve been using an alphanumeric passcode for about 7 years now. I’ve gotten used to it. It’s not too long to be annoying but better than a numerical pin.
Even if you used 4 numbers for an alphanumeric password, it’s still much more secure than a 6 digit pin.
> Even if you used 4 numbers for an alphanumeric password, it’s still much more secure than a 6 digit pin.
Unfortunately, that's not the case:
If you trust the secure enclave (for the device unlock scenario) or Apple's HSMs (for the key escrow scenario), a 6-digit PIN is just as secure as a 4-character alphanumeric password. In both cases, you get 10 invalid attempts before your data is wiped, and the odds are negligibly small in either case (10/10^6 vs. 10/62^4).
If you don't, i.e. you are concerned your adversary can somehow perform a brute-force attack, you need way more than four alphanumeric characters.
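A toy model of the two cases in the comment above, added here as an example and not part of the original thread or of Apple's design: a guess-limited record that wipes itself on the tenth miss, next to the same verifier searched with no counter in the way. The class and function names, the constructed PIN used to exercise it, and the deliberately low KDF round count are assumptions.

```python
import hashlib, hmac, itertools, os

MAX_ATTEMPTS = 10   # guess limit cited in the comment above
KDF_ROUNDS = 100    # assumption: kept low so the demo finishes quickly

def kdf(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ROUNDS)

class EscrowRecord:
    """Toy guess-limited escrow record (hypothetical, not Apple's design)."""
    def __init__(self, pin, secret):
        self.salt = os.urandom(16)
        self.verifier = kdf(pin, self.salt)
        self.secret, self.failures = secret, 0

    def recover(self, pin):
        """Counted interface: the secret is destroyed on the 10th miss."""
        if self.secret is None:
            raise RuntimeError("record wiped")
        if hmac.compare_digest(kdf(pin, self.salt), self.verifier):
            self.failures = 0
            return self.secret
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.secret = None
        return None

def guess_odds(alphabet_size, length):
    """Chance that MAX_ATTEMPTS distinct guesses hit a uniformly random code."""
    return MAX_ATTEMPTS / alphabet_size ** length

def online_guessing(record, guesses):
    """Attacker confined to the counted interface."""
    try:
        for g in guesses:
            if record.recover(g) is not None:
                return g
    except RuntimeError:
        pass                      # counter tripped, nothing left to recover
    return None

def offline_search(salt, verifier, alphabet, length):
    """Attacker who got past the counter and holds salt + verifier."""
    for combo in itertools.product(alphabet, repeat=length):
        pin = "".join(combo)
        if hmac.compare_digest(kdf(pin, salt), verifier):
            return pin
    return None
```

With a constructed 4-digit PIN, `online_guessing` ends with the record wiped, while `offline_search` over the same salt and verifier returns the PIN without the failure counter ever moving.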
It's not exactly what you want, but one mitigating factor is if you're using FaceID, TouchID, or Apple Watch -- Those things will dramatically reduce the frequency that you're prompted for your password.
I want to use a low-entropy PIN on my phone, because I enter it dozens of times per day, shoulder-surfing is a concern as big as hacking in many scenarios, and because I trust Apple's hardware to be capable of efficiently limiting local PIN attempts and wiping high-entropy keys if required.
At the same time, I log in to new iOS devices with my Apple ID about once per year. I would love to be able to use a high-entropy key in that scenario. (As a point of reference, WhatsApp allows exactly that for encrypted backups!)
If that's still baffling to you, I'm glad I could introduce you to a very different viewpoint :)
There are still too many situations in which I do end up having to enter my passcode.
Mask unlock isn't perfect, wet hands can throw off Touch ID, and once per day I believe they will just reset and ask for the passcode anyway. It's also required for software updates and reboots.
I'm not asking for this to become the default, or even an option given in any setup wizard. Just allow me to set up my own end-to-end encryption recovery passphrase and let me remove all of my device passcodes, i.e. allow me to opt out of HSM-mediated key escrow.
Is your Apple ID password not a sort of "secondary passphrase" as you're wondering? You enter the Apple ID password to download the encrypted data and the low-entropy passcode to decrypt it.
Not really. The Apple ID password is a regular server-verified password and does not contribute to end-to-end encryption in the cryptographic sense. In other words, it gates access to the end-to-end encrypted data, but not the keys used to encrypt them.
If you trust Apple to never get hacked or hand over your data to any third party, that's perfectly fine, but that is not the scenario that end-to-end encryption is designed to address.
Got "1234" as a passcode on a long-forgotten family iPad or test iPhone? Better go change it to something secure, as that's what stands between an advanced attacker (that can compromise your 2FA), or somebody able to compromise/apply sufficient pressure to Apple, getting into your iCloud end-to-end encrypted data.
The iCloud recovery key is a 28-character string, not your iPhone PIN: https://support.apple.com/en-us/HT208072. There is no situation that I can think of where a device PIN is of any use off-device.
Recovery keys were part of iCloud Keychain end-to-end encryption when used without "two-factor authentication", which is now a deprecated setup and can't be used with new iCloud accounts anymore:
Thank you for the links. In my case, I have two-factor _and_ a recovery key set up. The Account Recovery icon on Apple ID says "Your device passcodes can be used to recover end-to-end encrypted data. If you forget your passcodes, you'll need a recovery contact or recovery key."
Are you sure it's either/or? Have you gone through the process, and are you sure the PIN is required off-device, rather than ? If that's the case, I do agree that it's not good.
Also I don't quite understand the threat model where a stronger authentication to iCloud allows for weaker data encryption. Considering Apple is usually pretty spot on with these things, this would definitely stick out.
> Got "1234" as a passcode on a long-forgotten family iPad or test iPhone? Better go change it to something secure...
According to the article, I don't think this will be possible because you won't even be able to turn on Advanced Data Protection in this scenario.
"You must also update all your Apple devices to a software version that supports this feature."
Just to get the feature enabled you're going to have to go and "touch" all of the devices you're signed into and either update their OS (and also update their passcode if you're smart) or sign out of them.
I admit I still use a 6-digit passcode, but if you're actually serious about protecting your data you should be using an alphanumeric password anyway. Even ignoring the server-side stuff, that single password unlocks most of the data on your phone.
It's much easier to securely limit invalid PIN attempts on a device locally than in the cloud, though. This is the bread and butter of embedded security cores like the secure enclave or Google's Titan M.
Users shouldn't be forced to use high-entropy local passwords just because a service provider insists on reusing them for a completely different purpose.
> As it is, my iPhone unlock PIN is everything that's needed to decrypt the data server-side
That's not quite true. They use an HSM in their datacenters, which only allows a limited amount of guesses. They only allow a limited amount of guesses before your data is wiped forever[1].
Technically, the keys are in the processor's state. You are just trusting that it won't divulge the keys without a correct PIN. You are also trusting the processor is properly secured. And you are trusting that no one would go through the effort to extract the keys physically with scanning probe microscopy or something.
Sure, but I won't, and neither will many other people, realistically.
There is no technical need at all for the same password to gate both local device unlock and remote end-to-end encryption key escrow.
It's a pure security vs. availability (and realistically genius bar support load) tradeoff, and I even think they nailed it for the vast majority of users! I just wish they'd let advanced users participate in that tradeoff more actively.
This. It seems like for the average person, if you go from not using cloud backups to using cloud backups with their pin, then this is a huge step backwards for security.
On the other hand, for the average person already using unencrypted iCloud backups, it is a considerable step forwards, and arguably managing their own high-entropy recovery key could be a significant burden.
I just really wish they'd made PIN-based HSM escrow the default, but optional (with the "off" switch behind several scary-sounding warnings).