The Nightmare of a Stolen Device
What can we do in 2024 to lock down our digital identity?

I had a dream (well, really a nightmare) that someone stole my iPhone about a week ago. (This was a couple nights after a peaceful mountain trip dream, but before the dream where my neighborhood flooded…brain’s been cooking lately.)
It seemed like as good a time as any to do a self-checkup on security. If this nightmare really happened tomorrow, would I be able to respond effectively and preserve my digital identity, which (for most of us) is growing in surface area by the day?
Password Managers
I’m using a password manager, and you should be too. Life’s complicated enough without wasting a few minutes a day clicking the Reset Password button on every site where you pay bills.
It’s important to realize that this solution only works when you commit to it and use it correctly. A few years ago, I got an email out of the blue saying someone had cashed out 4,000 points in a rewards program I barely used. But the password for this website was in my password manager — what gives? Well, turns out it was a repeat password that I hadn’t gotten around to changing yet since I joined the password manager train, and shocker: this repeat password was indeed being used by me on a different site where a data breach had occurred in the past. I congratulated myself on joining the “Credentials Stuffed” club.
If you’re using even a single duplicate password in 2024, it’s time to stop.
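One way to find leftover duplicates like the one described above is to audit a CSV export from your password manager. This is an added example, not code from the original post; the column names (name, url, username, password) and the sample rows are assumptions constructed for illustration, and real exports differ between password managers.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column names are an assumption and
# differ between password managers.
SAMPLE_EXPORT = """name,url,username,password
Rewards,https://rewards.example.com/login,me@example.com,Summer2017!
Old forum,https://forum.example.net/,me@example.com,Summer2017!
Bank,https://bank.example.org/,me@example.com,x9$Lq-7fTz!pW2
Forum (mobile),https://forum.example.net/m,me@example.com,Summer2017!
Notes,,me@example.com,
"""


def find_reused_passwords(csv_text):
    """Return [(hosts, entry_names)] for passwords used on 2+ distinct hosts."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue  # secure notes and empty entries carry no password
        # Group by digest so the plaintext is not kept as a dictionary key.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        host = urlsplit(row.get("url") or "").hostname or row["name"]
        groups[digest].append((host, row["name"]))

    reused = []
    for entries in groups.values():
        hosts = sorted({host for host, _ in entries})
        # Two entries for the same site are not reuse; different sites are.
        if len(hosts) > 1:
            reused.append((hosts, [name for _, name in entries]))
    # Widest reuse first: those passwords should be rotated first.
    return sorted(reused, key=lambda group: len(group[0]), reverse=True)


if __name__ == "__main__":
    for hosts, names in find_reused_passwords(SAMPLE_EXPORT):
        print(f"reused on {len(hosts)} sites: {', '.join(hosts)} "
              f"({len(names)} entries)")
```

An export file holds every password in plaintext, so run the audit on a trusted machine and delete the file afterwards.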
2FA
Two-factor authentication would have successfully stopped the attack above, but in 2018 that particular site didn’t have it yet (and I let them know as much in my “please help me, I got owned” email to them). Six years later, it feels like we’ve virtually reached 2FA ubiquity, which is a good thing.
But we’re talking about a worse attack here: one that’s physical in nature. Our phone was stolen…and let’s assume that it was still in an unlocked state when it was snatched (or worse: the thief knows our passcode). Suddenly, our “two factors” are both usable in the hands of the thief.
Stolen Device Protection
Luckily, Apple was also sympathetic toward my nightmare, because they saw what happened to dream-me (and apparently many others lately) and released iOS 17.3 just a couple days later, with a new feature called Stolen Device Protection! Let’s take a look at what it does:
With Stolen Device Protection, if your iPhone is not in a familiar location, you must authenticate with Face ID or Touch ID before you can take certain actions, including the following:
- Use passwords or passkeys saved in Keychain
- Use payment methods saved in Safari (autofill)
- Turn off Lost Mode
- Erase all content and settings
- Apply for a new Apple Card
- View Apple Card virtual card number
- Take certain Apple Cash and Savings actions in Wallet (for example, Apple Cash or Savings transfers)
- Use your iPhone to set up a new device (for example, Quick Start)
With Stolen Device Protection, you may also be required to wait an hour before using your iPhone to make changes to critical security settings or your Apple ID. If your iPhone is not in a familiar location, you must authenticate with Face ID or Touch ID, wait for the security delay to end, then authenticate with Face ID or Touch ID again to update settings such as the following:
- Change your Apple ID password
- Sign out of your Apple ID
- Update Apple ID account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact)
- Add or remove Face ID or Touch ID
- Change your iPhone passcode
- Reset All Settings
- Turn off Find My
- Turn off Stolen Device Protection
This is incredibly useful! iPhone updated and settings changed. Now we’ve got a solid window of time to get to a safe, secure location and start locking down accounts from another device in our possession. (It looks like Android users might not have similar functionality yet, but there may be a 3rd party app out there you can lean on.)
Other Levers
We can also make some tweaks in our apps of choice to ensure our accounts are as protected as possible:
Passwords
Make sure your password manager app is set to re-ask you for your “holy grail” master password in frequent enough intervals, so it doesn’t sit around unlocked for too long. It’s admittedly annoying to type it in more often…so pick an interval of time that best balances convenience and peace-of-mind for you personally.
While you’re in your password manager or other critical apps, double-check that you’ve removed any strange-looking devices from your list of trusted devices. (I get why you signed into your password manager on Grandma’s ancient laptop over the holidays so you could save her Peacock credentials, but that laptop probably doesn’t need to be a trusted device again for a while.)
2FA
There’s a ton of options to choose from these days depending on what service you’re logging into, and to me the choice is again about finding your comfy place in the spectrum of convenience vs. security. Back to the time I got credential stuffed: it’s possible the site doesn’t offer 2FA at all, but these days it’s more likely they just offer a less-secure 2FA, so you should definitely still turn it on.
I’ve seen all of these options a lot, and there’s probably others. They range from most convenient to most secure (roughly in order):
- Phone
- Push notification
- Authenticator app
- Passkey (the Death of a Password)
- Hardware key (e.g. Yubikey)
Given all of these options, it’s not a bad idea to take a harder look at your most critical services, like your bank login or your 10M follower social media account, and lock those down as tightly as possible…the right security posture for you really depends on how much you value each account + what each site offers!
Bonus Tips
Here are two bonus security checkup tips that aren’t really related to the nightmare, but that I strongly endorse:
- Use a quality VPN like NordVPN or ProtonVPN — there are many benefits!
- Keep your credit frozen by default, and unlock it only when you need it for opening a new credit card, mortgage etc. It takes like two minutes per credit bureau, and it’s free.
If you have any other tips or thoughts, please share. Here’s to keeping our digital identities secure in 2024, so we can focus more on the things that we love to do.